flathub / org.claws_mail.Claws-Mail

https://flathub.org/apps/details/org.claws_mail.Claws-Mail

Crash in claws-mail 3.17.8: munmap_chunk(): invalid pointer #18

Closed crass closed 2 years ago

crass commented 2 years ago

Here are the last few lines of output when running with the -d option.

imap-thread.c:473:generic_cb
imap-thread.c:457:found imap 0x55d213953300
munmap_chunk(): invalid pointer
/app/bin/claws-mail-wrapper.sh: line 3:     5 Aborted                 (core dumped) /app/bin/claws-mail $@

The gdb backtrace is:

Thread 1 "claws-mail" received signal SIGABRT, Aborted.
0x00007ffff65757f5 in raise () from /usr/lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff65757f5 in raise () at /usr/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff655e855 in abort () at /usr/lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff65b92f7 in __libc_message ()
    at /usr/lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff65c081c in  () at /usr/lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff65c0aec in munmap_chunk ()
    at /usr/lib/x86_64-linux-gnu/libc.so.6
#5  0x00005555558398c8 in etpan_certificate_check ()
#6  0x0000555555834ef8 in imap_threaded_connect_ssl ()
#7  0x00005555556f2b05 in  ()
#8  0x00005555556fd032 in  ()
#9  0x00005555556fd47f in  ()
#10 0x000055555568d9b7 in account_set_missing_folder ()
#11 0x00005555556880d5 in main ()

The claws-mail 3.17.8 packaged with Ubuntu Impish does not crash. And by reverting to the previous commit 8d6138f174170d795a8e0e6263bfe6171455c6c6030b6fc215f9909fc33958c0 the crash also doesn't happen.

cobratbq commented 2 years ago

Could you check if this issue remains with version 3.18.0 which I pushed yesterday?

bayonne commented 2 years ago

How do we see version 3.18.0 ? Is there an unstable branch or something else ?

cobratbq commented 2 years ago

How do we see version 3.18.0 ? Is there an unstable branch or something else ?

Ah... you probably have, if you are up-to-date. I forgot to update the version in the flatpak package. You can check inside Claws-Mail for the software itself. To be really exact, you can check the following: flatpak info org.claws_mail.Claws-Mail and it should give you: (this information is correct until I next update, but that gives you an even later date.)

[...]

Commit: 9d39340d973ab3f0931f0fdf0fcc5998855d554a06ce3e1602d673aabc7c0f31
Parent: 8d6138f174170d795a8e0e6263bfe6171455c6c6030b6fc215f9909fc33958c0
Subject: Upgrade libetpan to 'master' to fix CVE-2020-15953 (3c94f2b2)
Date: 2021-09-23 21:55:46 +0000

As for the debug symbols: they can be installed using flatpak install flathub org.claws_mail.Claws_Mail.Debug. (The naming is inconsistent. More info in the linked issue #19.)

bayonne commented 2 years ago

With commit 9d39340d973ab3f0931f0fdf0fcc5998855d554a06ce3e1602d673aabc7c0f31, Claws-Mail crashed as soon as I tried to check imap mail, so I downgraded to its parent commit (on Ubuntu 20.04).

crass commented 2 years ago

Yes, to confirm commit 9d39340d973ab3f0931f0fdf0fcc5998855d554a06ce3e1602d673aabc7c0f31 is the one this issue refers to.

With the debugging symbols installed, here's the backtrace:

Thread 1 "claws-mail" received signal SIGABRT, Aborted.
0x00007ffff65757f5 in raise () from /usr/lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff65757f5 in raise () at /usr/lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff655e855 in abort () at /usr/lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff65b92f7 in __libc_message ()
    at /usr/lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff65c081c in  () at /usr/lib/x86_64-linux-gnu/libc.so.6
#4  0x00007ffff65c0aec in munmap_chunk ()
    at /usr/lib/x86_64-linux-gnu/libc.so.6
#5  0x00005555558398c8 in etpan_certificate_check
    (stream=<optimized out>, host=host@entry=0x55555605f0a0 "imap.gmail.com", port=port@entry=993, accept_if_valid=accept_if_valid@entry=0) at etpan-ssl.c:67
#6  0x0000555555834ef8 in imap_threaded_connect_ssl
    (folder=<optimized out>, server=0x55555605f0a0 "imap.gmail.com", port=993, proxy_info=0x0) at imap-thread.c:708
#7  0x00005555556f2b05 in imap_session_new
    (account=0x555556327600, folder=0x5555560f1110) at imap.c:1221
#8  imap_session_get (folder=folder@entry=0x5555560f1110) at imap.c:1092
#9  0x00005555556fd032 in imap_scan_tree_real
    (folder=folder@entry=0x5555560f1110, subs_only=0) at imap.c:2684
#10 0x00005555556fd44e in imap_scan_tree (folder=folder@entry=0x5555560f1110)
    at imap.c:2766

When I go to frame 5 I see that the call to munmap_chunk is coming from a free call:

(gdb) fr 5
#5  0x00005555558398c8 in etpan_certificate_check (stream=<optimized out>,
    host=host@entry=0x55555605f0a0 "imap.gmail.com", port=port@entry=993,
    accept_if_valid=accept_if_valid@entry=0) at etpan-ssl.c:67
67              free(cert_der);

In the relevant claws-mail source, we can see (where the last line is the offending free):

        unsigned char *cert_der = NULL;
        int len;
        gnutls_x509_crt_t cert = NULL;
        gnutls_datum_t tmp;

        if (stream == NULL)
                return FALSE;

        len = (int)mailstream_ssl_get_certificate(stream, &cert_der);

        if (cert_der == NULL || len < 0) {
                g_warning("no cert presented");
                return FALSE;
        }

        tmp.data = malloc(len);
        memcpy(tmp.data, cert_der, len);
        tmp.size = len;
        gnutls_x509_crt_init(&cert);

        free(cert_der);

This seems to say that mailstream_ssl_get_certificate is not passing a cert_der set to an address allocated by the libc allocator. But when I look at the source in libetpan, it seems to suggest the issue is in i2d_X509 in libgnutls corrupting the pointer because cert_der is being successfully malloc'd.

  len = i2d_X509(cert, NULL);
  * cert_DER = malloc(len);
  if (* cert_DER == NULL)
    return -1;

  i2d_X509(cert, cert_DER);

  X509_free(cert);

  return len;

I haven't figured out how to find/install debug symbols for the org.freedesktop.Platform runtime (org.freedesktop.Platform.Debug is not found). So I'm having a hard time figuring out exactly where cert_der is getting corrupted.

crass commented 2 years ago

Stepping through the process, I can see that cert_der is initially NULL, then is getting set (presumably by the malloc) and then is modified again. It seems based on the code that the modification must occur in i2d_X509 from libcrypto.so.1.1 which is part of the runtime. So I'm thinking that it is the runtime that has a bug. A next step would be to run the previous working claws-mail commit and see if cert is different (it seems like it shouldn't be and the runtime should be the same, so why does one work and not the other?).

(gdb) b i2d_X509
Breakpoint 2 at 0x7ffff5752180
(gdb) r
Starting program: /app/bin/claws-mail --alternate-config-dir /media/cdata/crass/.claws-mail.test
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/x86_64-linux-gnu/libthread_db.so.1".
Gtk-Message: 23:00:05.108: Failed to load module "atk-bridge"
Gtk-Message: 23:00:05.191: Failed to load module "canberra-gtk-module"
[New Thread 0x7ffff4888700 (LWP 45)]
[New Thread 0x7fffeffff700 (LWP 46)]
[New Thread 0x7fffef7fe700 (LWP 47)]
[New Thread 0x7fffeeffd700 (LWP 48)]
[New Thread 0x7fffee7fc700 (LWP 49)]
[Thread 0x7fffeeffd700 (LWP 48) exited]
[Thread 0x7fffef7fe700 (LWP 47) exited]
[New Thread 0x7fffef7fe700 (LWP 50)]

Thread 1 "claws-mail" hit Breakpoint 1, etpan_certificate_check (
    stream=0x7fffe00366d0, host=host@entry=0x5555560531b0 "imap.gmail.com",
    port=port@entry=993, accept_if_valid=accept_if_valid@entry=0)
    at etpan-ssl.c:45
45      {
(gdb) c
Continuing.

Thread 1 "claws-mail" hit Breakpoint 2, 0x00007ffff5752180 in i2d_X509 ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) bt
#0  0x00007ffff5752180 in i2d_X509 ()
    at /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#1  0x00007ffff6745eb7 in mailstream_ssl_get_certificate ()
    at /app/lib/libetpan.so.20
#2  0x0000555555839872 in etpan_certificate_check
    (stream=<optimized out>, host=host@entry=0x5555560531b0 "imap.gmail.com", port=port@entry=993, accept_if_valid=accept_if_valid@entry=0) at etpan-ssl.c:55
#3  0x0000555555834ef8 in imap_threaded_connect_ssl
    (folder=<optimized out>, server=0x5555560531b0 "imap.gmail.com", port=993, proxy_info=0x0) at imap-thread.c:708
#4  0x00005555556f2b05 in imap_session_new
    (account=0x555556107800, folder=0x555556062310) at imap.c:1221
#5  imap_session_get (folder=folder@entry=0x555556062310) at imap.c:1092
#6  0x00005555556fd032 in imap_scan_tree_real
    (folder=folder@entry=0x555556062310, subs_only=0) at imap.c:2684
#7  0x00005555556fd44e in imap_scan_tree (folder=folder@entry=0x555556062310)
    at imap.c:2766
#8  0x00005555556fd47f in imap_create_tree (folder=0x555556062310)
    at imap.c:3071
#9  0x000055555568d9b7 in account_set_missing_folder () at account.c:562
#10 0x00005555556880d5 in main (argc=<optimized out>, argv=<optimized out>)
    at main.c:1437
(gdb) fr 2
#2  0x0000555555839872 in etpan_certificate_check (stream=<optimized out>,
    host=host@entry=0x5555560531b0 "imap.gmail.com", port=port@entry=993,
    accept_if_valid=accept_if_valid@entry=0) at etpan-ssl.c:55
55              len = (int)mailstream_ssl_get_certificate(stream, &cert_der);
(gdb) p &cert_der
$8 = (unsigned char **) 0x7fffffffd340
(gdb) fr 0
#0  0x00007ffff5752180 in i2d_X509 ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) p *((char **)0x7fffffffd340)
$10 = 0x0
(gdb) n
Single stepping until exit from function i2d_X509,
which has no line number information.
0x00007ffff55e7b60 in ASN1_item_i2d ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) p *((char **)0x7fffffffd340)
$11 = 0x0
(gdb) n
Single stepping until exit from function ASN1_item_i2d,
which has no line number information.
[Thread 0x7fffeffff700 (LWP 46) exited]
0x00007ffff55e7a30 in asn1_item_flags_i2d ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) p *((char **)0x7fffffffd340)
$12 = 0x0
(gdb) n
Single stepping until exit from function asn1_item_flags_i2d,
which has no line number information.
0x00007ffff6745eb7 in mailstream_ssl_get_certificate ()
   from /app/lib/libetpan.so.20
(gdb) p *((char **)0x7fffffffd340)
$13 = 0x0
(gdb) n
Single stepping until exit from function mailstream_ssl_get_certificate,
which has no line number information.

Thread 1 "claws-mail" hit Breakpoint 2, 0x00007ffff5752180 in i2d_X509 ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) p *((char **)0x7fffffffd340)
$14 = 0x555555c3de80 "`"
(gdb) p *((char **)0x7fffffffd340)
$15 = 0x555555c3de80 "`"
(gdb) n
Single stepping until exit from function i2d_X509,
which has no line number information.
0x00007ffff55e7b60 in ASN1_item_i2d ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) p *((char **)0x7fffffffd340)
$16 = 0x555555c3de80 "`"
(gdb) n
Single stepping until exit from function ASN1_item_i2d,
which has no line number information.
0x00007ffff55e7a30 in asn1_item_flags_i2d ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) p *((char **)0x7fffffffd340)
$17 = 0x555555c3de80 "`"
(gdb) n
Single stepping until exit from function asn1_item_flags_i2d,
which has no line number information.
0x00007ffff6745ed6 in mailstream_ssl_get_certificate ()
   from /app/lib/libetpan.so.20
(gdb) p *((char **)0x7fffffffd340)
$18 = 0x555555c3e200 "\260\003"
(gdb) bt
#0  0x00007ffff6745ed6 in mailstream_ssl_get_certificate ()
    at /app/lib/libetpan.so.20
#1  0x0000555555839872 in etpan_certificate_check
    (stream=<optimized out>, host=host@entry=0x5555560531b0 "imap.gmail.com", port=port@entry=993, accept_if_valid=accept_if_valid@entry=0) at etpan-ssl.c:55
#2  0x0000555555834ef8 in imap_threaded_connect_ssl
    (folder=<optimized out>, server=0x5555560531b0 "imap.gmail.com", port=993, proxy_info=0x0) at imap-thread.c:708
#3  0x00005555556f2b05 in imap_session_new
    (account=0x555556107800, folder=0x555556062310) at imap.c:1221
#4  imap_session_get (folder=folder@entry=0x555556062310) at imap.c:1092
#5  0x00005555556fd032 in imap_scan_tree_real
    (folder=folder@entry=0x555556062310, subs_only=0) at imap.c:2684
#6  0x00005555556fd44e in imap_scan_tree (folder=folder@entry=0x555556062310)
    at imap.c:2766
#7  0x00005555556fd47f in imap_create_tree (folder=0x555556062310)
    at imap.c:3071
#8  0x000055555568d9b7 in account_set_missing_folder () at account.c:562
#9  0x00005555556880d5 in main (argc=<optimized out>, argv=<optimized out>)
    at main.c:1437
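
The two values printed above (0x555555c3de80 before the second i2d_X509 call, 0x555555c3e200 after it, i.e. 0x380 bytes further on) are consistent with the documented contract of OpenSSL's i2d_* functions: when *out is non-NULL they write the encoding and advance *out past it, so a caller that passes its own output pointer straight in is left holding an interior pointer, which glibc's free() rejects with "munmap_chunk(): invalid pointer". The following C program is an added illustration, not code from claws-mail, libetpan or OpenSSL; fake_i2d is a hypothetical stand-in that keeps only that pointer-advancing contract (so the program runs without OpenSSL), sample_der is constructed, and tracked_malloc exists only so the checker can compare the returned pointer against the allocation base the way free() would.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample, not a real certificate: 8 bytes standing in for DER. */
static const unsigned char sample_der[] = {0x30, 0x82, 0x03, 0x7c, 0x30, 0x82, 0x02, 0x64};
/* Base of the latest allocation, for comparison with the pointer handed back. */
static unsigned char *g_last_base;
static unsigned char *tracked_malloc(size_t n) { return g_last_base = malloc(n); }

/* Stand-in for OpenSSL's i2d_X509 (hypothetical, not OpenSSL code) keeping the
 * real i2d_* contract: return the length; if out and *out are non-NULL, write
 * the bytes there and advance *out past them. */
static int fake_i2d(const unsigned char *der, int len, unsigned char **out)
{
    if (out != NULL && *out != NULL) {
        memcpy(*out, der, (size_t)len);
        *out += len;
    }
    return len;
}

/* Pattern of the quoted libetpan excerpt: the caller's pointer goes straight
 * in, so on return *cert_DER points one past the end of the buffer. */
int get_cert_buggy(unsigned char **cert_DER)
{
    int len = fake_i2d(sample_der, (int)sizeof sample_der, NULL);
    *cert_DER = tracked_malloc((size_t)len);
    if (*cert_DER == NULL) return -1;
    fake_i2d(sample_der, len, cert_DER);  /* advances *cert_DER by len */
    return len;
}

/* Corrected pattern: encode through a scratch pointer so *cert_DER keeps the
 * allocation base, which is the only value free() accepts. */
int get_cert_fixed(unsigned char **cert_DER)
{
    unsigned char *p;
    int len = fake_i2d(sample_der, (int)sizeof sample_der, NULL);
    *cert_DER = tracked_malloc((size_t)len);
    if (*cert_DER == NULL) return -1;
    p = *cert_DER;
    fake_i2d(sample_der, len, &p);        /* p advances, *cert_DER does not */
    return len;
}

/* Offset of the returned pointer from its allocation base: 0 means it is safe
 * to free(); nonzero is the condition behind "munmap_chunk(): invalid pointer".
 * Only the base is freed here, never the possibly shifted pointer. */
long pointer_offset(int (*getter)(unsigned char **))
{
    unsigned char *out = NULL;
    long off = (getter(&out) < 0) ? -1 : (long)(out - g_last_base);
    free(g_last_base);
    return off;
}
```

The same comparison (pointer passed to free versus pointer returned by malloc) is what a gdb watchpoint on cert_der, or running under AddressSanitizer, would surface directly.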

crass commented 2 years ago

I've tried using the newer 21.08 runtime branch for org.freedesktop.Platform, but this also crashes. The 19.08 runtime cannot be used because it lacks some needed libraries. I then tried the earliest commit for 20.08 (commit 54fc005a60be576aead95993847430df346c11daf1740efabb8fde39638da84a), but this also crashes. So I assume there are no runtime commits where claws-mail does not crash.

cobratbq commented 2 years ago

Thanks for all your investigation. #23 should fix the immediate issue. A test release is being built at the moment. Feel free to give it a run.

crass commented 2 years ago

The newest commit f622b09332832c308d75244acb20984322e3ef68530a034f61911115d66dd57d does not exhibit the issue. I can confirm I am getting debug symbols for libetpan also. Thanks for the quick response!