[CentOS 7] v2.11.0 segfault in mlfi_close at opendkim.c:15363

[apircalabu]

Running opendkim-2.11.0-0.1.el7.x86_64 from EPEL repo. It crashes regularly if the service:

• Hasn't received any milter request since starting up.
• Is monitored by monit using this configuration:

  check process opendkim with pidfile /var/run/opendkim/opendkim.pid
      group mail
      start program = "/usr/bin/systemctl start opendkim"
      stop program = "/usr/bin/systemctl stop opendkim"
      if failed host 127.0.0.1 port 8891 then restart
      if 5 restarts within 5 cycles then timeout

  I tried to crash it myself with telnet and nc, but I couldn't. Software information and backtrace follows:

# rpm -qi opendkim
Name        : opendkim
Version     : 2.11.0
Release     : 0.1.el7
Architecture: x86_64
Install Date: Thu 22 Aug 2019 10:02:02 AEST
Group       : System Environment/Daemons
Size        : 603312
License     : BSD and Sendmail
Signature   : RSA/SHA256, Wed 21 Dec 2016 14:46:46 AEDT, Key ID 6a2faea2352c64e5
Source RPM  : opendkim-2.11.0-0.1.el7.src.rpm
Build Date  : Wed 21 Dec 2016 14:32:19 AEDT
Build Host  : buildvm-16.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://opendkim.org/
Summary     : A DomainKeys Identified Mail (DKIM) milter to sign and/or verify mail
Description :
OpenDKIM allows signing and/or verification of email through an open source
library that implements the DKIM service, plus a milter-based filter
application that can plug in to any milter-aware MTA, including sendmail,
Postfix, or any other MTA that supports the milter protocol.

# gdb /usr/sbin/opendkim /tmp/1626054969_core_opendkim_19316_sig11 
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-120.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/opendkim...Reading symbols from /usr/lib/debug/usr/sbin/opendkim.debug...done.
done.
[New LWP 22059]
[New LWP 19316]
[New LWP 19318]
[New LWP 19317]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/opendkim -f -x /etc/opendkim.conf -P /var/run/opendkim/opendkim.pid'.
Program terminated with signal 11, Segmentation fault.
#0  mlfi_close (ctx=0x189b0c0) at opendkim.c:15363
15363               dkim_getcachestats(cc->cctx_config->conf_libopendkim,
(gdb) bt full
#0  mlfi_close (ctx=0x189b0c0) at opendkim.c:15363
        c_hits = 0
        c_expired = 25800896
        c_pct = <optimized out>
        c_keys = 0
        c_queries = 0
        now = 1626054969
        cc = 0x0
#1  0x00007f06ca5b77e7 in mi_engine (ctx=ctx@entry=0x189b0c0) at engine.c:461
        len = 0
        i = <optimized out>
        sd = 5
        ret = <optimized out>
        curstate = 0
        newstate = <optimized out>
        call_abort = <optimized out>
        r = <optimized out>
        cmd = 5 '\005'
        buf = 0x0
        arg = {a_len = 0, a_buf = 0x0, a_idx = 0, a_ctx = 0x189b0c0}
        timeout = {tv_sec = 7209, tv_usec = 999997}
        f = <optimized out>
        fi_abort = 0x4098c0 <mlfi_abort>
        fi_close = <optimized out>
#2  0x00007f06ca5b9a08 in mi_handle_session (ctx=0x189b0c0) at handler.c:45
        ret = <optimized out>
#3  0x00007f06ca5b8549 in mi_thread_handle_wrapper (arg=<optimized out>) at listener.c:579
No locals.
#4  0x00007f06c8836ea5 in start_thread (arg=0x7f06c3d7b700) at pthread_create.c:307
        __res = <optimized out>
        pd = 0x7f06c3d7b700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139667032225536, -7000730246273917714, 0, 8392704, 3, 139667032225536, 6977746264112930030, 6977757974292372718}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {
              prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#5  0x00007f06c855f9fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.
(gdb) quit

[glts]

This code is obviously wrong:

https://github.com/trusteddomainproject/OpenDKIM/blob/rel-opendkim-2-11-0-Beta2/opendkim/opendkim.c#L15360-L15410

First the context is deleted, then the context is accessed to print out cache stats. Perhaps it is enough to swap the two logical blocks? Try patch https://patch-diff.githubusercontent.com/raw/trusteddomainproject/OpenDKIM/pull/129.patch

[apircalabu]

Thanks for the fix, I've rebuilt the EPEL source RPM with your patch, running the build now on 3 machines and the segfault's gone. All good at my end.

[egberts]

Look forward to the patch.