231238 – [libcrypto] /lib/libcrypto.so.7 causes crash with sasl2/libntlm.so3

Bug 231238 - [libcrypto] /lib/libcrypto.so.7 causes crash with sasl2/libntlm.so3

Summary: [libcrypto] /lib/libcrypto.so.7 causes crash with sasl2/libntlm.so3

Status:	Open

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	11.2-RELEASE
Hardware:	amd64 Any

Importance:	--- Affects Some People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-09-08 12:36 UTC by fireball
Modified:	2018-11-11 22:10 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Cyrus IMAPd core dump (deleted) 2018-09-08 12:36 UTC, fireball	no flags	Details
imapd.core ntlm (254.37 KB, application/octet-stream) 2018-11-11 21:14 UTC, av	no flags	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description fireball 2018-09-08 12:36:29 UTC

Created attachment 196959 [details]
Cyrus IMAPd core dump

Backtrace of imapd.core:

[New Thread 804c06400 (LWP 100222/<unknown>)]
(gdb) bt
#0  0x00000008017f60aa in EVP_DigestInit_ex () from /lib/libcrypto.so.7
#1  0x00000008017ed1e8 in HMAC_Init_ex () from /lib/libcrypto.so.7
#2  0x00000008086dac5d in V2 () from /usr/local/lib/sasl2/libntlm.so.3
#3  0x00000008086dc41d in ntlm_server_mech_step () from /usr/local/lib/sasl2/libntlm.so.3
#4  0x000000080127043e in sasl_server_step () from /usr/local/lib/libsasl2.so.3
#5  0x0000000800ac0074 in saslserver () from /usr/local/lib/libcyrus_imap.so.0
#6  0x000000000040dcd5 in shut_down ()
#7  0x000000000040cfcf in shut_down ()
#8  0x000000000042848c in cyrus_mutex_free ()

Packages involved:
cyrus-imapd25-2.5.11_2 
cyrus-sasl-2.1.26_13 

Found the issue happening only with certain ciphers:

Sep  8 07:09:20 mail imaps[50889]: inittls: Loading hard-coded DH parameters
Sep  8 07:09:20 mail imaps[50889]: starttls: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits new) no authentication
Sep  8 07:09:20 mail imaps[50889]: client id: "vendor" "Microsoft" "os" "Windows Mobile" "os-version" "10.0" "guid" "38443130353438433135343232414446454346424341393941453546314437354639343132353141"
Sep  8 07:09:24 mail master[39154]: process type:SERVICE name:imaps path:/usr/local/cyrus/bin/imapd age:3.598s pid:50889 signaled to death by signal 11 (Segmentation fault, core dumped)

Comment 1 fireball 2018-09-10 00:24:37 UTC

I just realized the core dump might contain info from the memory which is not wise to post publicly. Can anyone make the attachment private or just remove it? I'll just make it available to any dev who really needs it.

Comment 2 Oleksandr Tymoshenko freebsd_committer

2018-09-10 00:37:58 UTC

The content of attachment 196959 [details] has been deleted for the following reason:

requested by the uploader

Comment 3 fireball 2018-09-20 22:10:39 UTC

Any comment on this?

I get this now daily/nightly in my logs:

+pid 58509 (imapd), uid 60: exited on signal 10 (core dumped)
+pid 58510 (imapd), uid 60: exited on signal 10 (core dumped)
+pid 58597 (imapd), uid 60: exited on signal 11 (core dumped)
+pid 58598 (imapd), uid 60: exited on signal 11 (core dumped)
+pid 58599 (imapd), uid 60: exited on signal 10 (core dumped)
+pid 58602 (imapd), uid 60: exited on signal 10 (core dumped)
+pid 59786 (imapd), uid 60: exited on signal 11 (core dumped)
+Failed to fully fault in a core file segment at VA 0x800741000 with size 0x10000 to be written at offset 0x100000 for process imapd
+Failed to fully fault in a core file segment at VA 0x8044a9000 with size 0x2b6000 to be written at offset 0x1ea000 for process imapd
+Failed to fully fault in a core file segment at VA 0x805000000 with size 0x2cb6000 to be written at offset 0xca0000 for process imapd
+pid 59791 (imapd), uid 60: exited on signal 11 (core dumped)
+Failed to fully fault in a core file segment at VA 0x800741000 with size 0x10000 to be written at offset 0x100000 for process imapd
+Failed to fully fault in a core file segment at VA 0x8044a9000 with size 0x2b6000 to be written at offset 0x1ea000 for process imapd
+Failed to fully fault in a core file segment at VA 0x805000000 with size 0x2cb6000 to be written at offset 0xca0000 for process imapd
+pid 59792 (imapd), uid 60: exited on signal 10 (core dumped)
+Failed to fully fault in a core file segment at VA 0x800741000 with size 0x10000 to be written at offset 0x100000 for process imapd
+Failed to fully fault in a core file segment at VA 0x8044a9000 with size 0x2b6000 to be written at offset 0x1ea000 for process imapd
+Failed to fully fault in a core file segment at VA 0x805000000 with size 0x2cb6000 to be written at offset 0xca0000 for process imapd
+pid 59793 (imapd), uid 60: exited on signal 10 (core dumped)

Comment 4 av 2018-11-02 13:31:24 UTC

If this is a problem with Outluk authentication, then there is a workaround. You can disable NTLM and recompile Cyrus-SASL. The problem is with FreeBSD 10.4 and 11.2 and with all new versions of Cyrus-imapd 2.4, 2.5, 3.0.8 and with cyrus-sasl-2.1.26_13

Comment 5 av 2018-11-02 13:33:46 UTC

Outlook of course.

Comment 6 fireball 2018-11-02 23:43:04 UTC

Thanks av, but it sounds like a mere workaround, not a solution.

Comment 7 Conrad Meyer freebsd_committer

2018-11-03 16:21:15 UTC

Can you reproduce the issue on 11.x or 12.x/current?

Comment 8 Conrad Meyer freebsd_committer

2018-11-03 16:27:52 UTC

Note that 10.x is on OpenSSL 1.0.1u (11.x is on 1.0.2x and 12/current are on 1.1.1) and 10.4 was EOL October 31, 2018, so if this does not reproduce on a supported version, we will probably close it.

Comment 9 fireball 2018-11-03 19:35:35 UTC

Very convenient, going through the bugs after 10.4 EOL only and then expire them. I filed the issue 2 months ago.

Comment 10 av 2018-11-11 14:50:24 UTC

(In reply to Conrad Meyer from comment #7)

11.2-RELEASE-p4 FreeBSD 11.2-RELEASE-p4 #0 r339426
cyrus-imapd30-3.0.8
cyrus-sasl-2.1.26_13

mail client Outlook 2016 (Win7)

If NTLM enabled in cyrus-sasl-2.1.26_13

imaps[702]: starttls: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits reused) no authentication
mail master[564]: process type:SERVICE name:imaps path:/usr/local/cyrus/libexec/imapd age:0.477s pid:702 signaled to death by signal 11 (Segmentation fault, core dumped)

Comment 11 Conrad Meyer freebsd_committer

2018-11-11 17:01:14 UTC

(In reply to av from comment #10)
Thanks av.  Any chance you could set up a dummy configuration where the coredump would not be sensitive for you and send me the contents?  I would have some difficulty finding a Windows Outlook client :-).

Comment 12 Conrad Meyer freebsd_committer

2018-11-11 17:02:05 UTC

(In reply to Conrad Meyer from comment #11)
(Or enable verbose logging, maybe?)  I'll try to reproduce from the libntlm end on CURRENT.

Comment 13 fireball 2018-11-11 17:56:06 UTC

Btw. the original bug was reproduced using the built-in Windows 10 Mail client, there is no need to obtain Outlook.

Comment 14 Conrad Meyer freebsd_committer

2018-11-11 18:02:24 UTC

(In reply to fireball from comment #13)
I don't have Windows at all :-).

Comment 15 fireball 2018-11-11 18:44:57 UTC

(In reply to Conrad Meyer from comment #14)
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise

You're welcome.

Comment 16 av 2018-11-11 21:14:13 UTC

Created attachment 199148 [details]
imapd.core ntlm

Comment 17 Conrad Meyer freebsd_committer

2018-11-11 22:10:17 UTC

(In reply to av from comment #16)
Thanks av.