Open MASHtm opened 3 years ago
looks like I hit the crash part of #3320
@MASHtm Yeah, looks like it to me too. Does the patch in #3321 fix it for you? I plan to backport it all the way back to 2.5 once it's accepted on master, but in the meantime it'll probably cherry-pick cleanly if you use -X ignore-all-space
so that ignores the tabs/spaces conflicts between 2.5 and 3.0+
Currently I'm running option 2 of my initial report and it works nicely. It's mostly the same but reuses the sasl_cb pointer of backend.c.
I'm running cyrus-imapd 2.5.15, but the code is still the same in HEAD. So I guess this bug report is valid for all versions since 2.5.
I use DIGEST-MD5 on my mupdate server for authentication and after updating from RHEL6 (cyrus-sasl-2.1.23) to 8 (2.1.27) I have sporadic SIGSEGVs while XFERing mailboxes between backends (which causes mupdate traffic). It looks like a use-after-free inside cyrus-sasl while searching for the logging callback function.
The core backtrace shows that cyrus-sasl digest-md5 plugin crashes while syslogging "DIGEST-MD5 client mech dispose" which was added after 2.1.23. The BT also shows that the pointer to the callback function for logging is invalid and causes the SEGV.
I did a lot of debugging and IMO this is caused by this part of mupdate-client.c/mupdate_connect():
The "xxx unclear" says it all. IMO the pointer still sits in h->conn->sasl_conn->callbacks as found in the core:
And then down the BT...
In _sasl_log() the function _sasl_getcallback() gets called, which searches the callbacks that are already free()'d and finds "something" before the correct function from the global_callbacks struct is found.
Currently I see two options to fix this: 1) NULL the pointer after free... the "xxx unclear" part should at least be:
2) set h->conn->sasl_cb = cbs instead of calling free_callbacks. This is used by backend.c/backend_authenticate() as well and freed by backend.c/backend_disconnect().
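A constructed model of option 2 above, added here as an example (not cyrus-imapd or cyrus-sasl code; all struct and function names are stand-ins): the handle keeps ownership of the callback array until disconnect, so the id-walk the library does when logging at dispose time never touches freed memory.

```c
#include <stdlib.h>

/* Stand-in for sasl_callback_t: an id, a function pointer, a context. */
typedef struct { unsigned long id; int (*proc)(void); void *context; } cb_t;
#define CB_LOG      2UL
#define CB_LIST_END 0UL

/* Stand-in for sasl_conn_t: the library only stores the caller's pointer. */
typedef struct { const cb_t *callbacks; } conn_t;

/* Stand-in for the mupdate handle: it must outlive the array it hands over. */
typedef struct { conn_t *conn; cb_t *sasl_cb; } handle_t;

static int log_cb(void) { return 42; }  /* constructed logging callback */

static cb_t *make_callbacks(void) {
    cb_t *cbs = calloc(2, sizeof *cbs);
    cbs[0].id = CB_LOG; cbs[0].proc = log_cb;
    cbs[1].id = CB_LIST_END;              /* terminator, like SASL_CB_LIST_END */
    return cbs;
}

/* Models _sasl_getcallback: walk the connection's array until the end marker. */
static int (*get_callback(const conn_t *c, unsigned long id))(void) {
    for (const cb_t *p = c->callbacks; p && p->id != CB_LIST_END; p++)
        if (p->id == id) return p->proc;
    return NULL;
}

/* Option 2: do not free the array after connect; park it on the handle. */
static handle_t *model_connect(void) {
    handle_t *h = calloc(1, sizeof *h);
    h->sasl_cb = make_callbacks();
    h->conn = calloc(1, sizeof *h->conn);
    h->conn->callbacks = h->sasl_cb;      /* library keeps this pointer alive */
    return h;
}

/* What a "mech dispose" log line would do: look the callback up and call it. */
static int log_via_handle(const handle_t *h) {
    int (*fn)(void) = get_callback(h->conn, CB_LOG);
    return fn ? fn() : -1;
}

/* Models backend_disconnect: dispose the connection, then its callbacks. */
static void model_disconnect(handle_t *h) {
    free(h->conn);
    free(h->sasl_cb);                     /* safe: nothing references it now */
    free(h);
}
```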