I'm not sure what changed exactly, I've done an emerge -e world and swapped to the latest hardened kernel.

Procmail is now failing to work, with the following error:

Mar 2 03:14:51 beth postfix/local[1281]: AA8FD23F68: to=<me@example.com>, relay=local, delay=0.26, delays=0.18/0.01/0/0.07, dsn=4.3.0, status=deferred (Command died with signal 9: "/usr/bin/procmail". Command output: *** buffer overflow detected ***: procmail - terminated procmail: buffer overflow attack in function <unknown> - terminated Report to http://bugs.gentoo.org/ )

Reproducible: Always

Steps to Reproduce:
1. Mail passed to procmail via Postfix

Actual Results:
Procmail crashes

Expected Results:
Mail delivered to the correct Maildir
Created attachment 264575 [details] emerge --info
# uname -a
Linux beth 2.6.37-hardened-r4 #1 SMP Wed Mar 2 08:15:17 GMT 2011 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ AuthenticAMD GNU/Linux

# gcc-config -l
 [1] x86_64-pc-linux-gnu-4.4.5 *
 [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
 [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
 [5] x86_64-pc-linux-gnu-4.4.5-vanilla
Submit your "emerge -pv procmail" output and any kernel (dmesg) messages with that overflow error. Also check your logs for other informative messages.

@hardened: guys, I cc'd you because you may be able to help/reply something quickly (if you know the issue)
# emerge -pv procmail

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] mail-filter/procmail-3.22-r10 USE="-mbox (-selinux)" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB

No dmesg messages.
Hi, this error is caused by SSP and means that there is probably something awfully wrong going on in procmail (which could even be a security problem).

As a first test, try paxmarking the binary (with paxctl) to disable all randomization, and try compiling procmail with debugging symbols, as that may help you in debugging.
I use procmail on an identical system and do not hit it. The only difference is I have USE="mbox" set. First let me give you my system info, then let me suggest a test:

1. My system (briefly):

blueness@yellowness ~ $ emerge -vp procmail

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild R ] mail-filter/procmail-3.22-r10 USE="mbox (-selinux)" 0 kB

Total: 1 package (1 new), Size of downloads: 222 kB

blueness@yellowness ~ $ uname -a
Linux yellowness 2.6.37-hardened-r4 #1 SMP PREEMPT Mon Feb 28 16:36:03 EST 2011 x86_64 Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz GenuineIntel GNU/Linux

blueness@yellowness ~ $ gcc-config -l
 [1] x86_64-pc-linux-gnu-3.4.6
 [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
 [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
 [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
 [5] x86_64-pc-linux-gnu-3.4.6-vanilla
 [6] x86_64-pc-linux-gnu-4.3.4
 [7] x86_64-pc-linux-gnu-4.3.4-hardenednopie
 [8] x86_64-pc-linux-gnu-4.3.4-vanilla
 [9] x86_64-pc-linux-gnu-4.4.5 *
 [10] x86_64-pc-linux-gnu-4.4.5-hardenednopie
 [11] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
 [12] x86_64-pc-linux-gnu-4.4.5-hardenednossp
 [13] x86_64-pc-linux-gnu-4.4.5-vanilla

blueness@yellowness ~ $ emerge --info #partial listing
Portage 2.1.9.25 (hardened/linux/amd64, gcc-4.4.5, glibc-2.11.2-r3, 2.6.37-hardened-r4 x86_64)
=================================================================
System uname: Linux-2.6.37-hardened-r4-x86_64-Intel-R-_Core-TM-_i7_CPU_920_@_2.67GHz-with-gentoo-2.0.1
Timestamp of tree: Thu, 03 Mar 2011 03:30:01 +0000
app-shells/bash: 4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.6.6-r2, 3.1.3-r1
dev-util/cmake: 2.8.1-r2
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc: 0.7.0
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.13, 2.65-r1
sys-devel/automake: 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 3.4.6-r2, 4.3.4, 4.4.5
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.81-r2

2. Here's a test:

cd /tmp

cat << EOF > test.mbox
From: Test1
Subject: blah
To: blah@example.com

Blah blah blah.
EOF

cat << EOF > test.rc
MAILDIR=/tmp

:0
* ^From: Test1
test1.out

:0
* ^From: test2
test2.out
EOF

procmail -m test.rc < test.mbox

# at this point you should have a file called test1.out that
# looks identical to test.mbox. If you change the From line
# in test.mbox to test2, then you get test2.out.

# If these seg fault then please run the following and post the results:

strace procmail -m test.rc < test.mbox
Created attachment 264605 [details]
strace of procmail

Thanks for your help.

Why is procmail looking at /etc/resolv.conf?

I'm guessing I've been hacked here... Any opinions?
(In reply to comment #7)
> Created an attachment (id=264605) [details]
> strace of procmail
>
> Thanks for your help.
>
> Why is procmail looking at /etc/resolv.conf?
>
> I'm guessing I've been hacked here... Any opinions?
>

I'm confused by some aspects of the strace when comparing to mine, like why it's pulling in libnet and reading resolv.conf as you said. Sorry, I'm still not seeing what's causing the problem.

The next step is to obtain a backtrace for me. See:

http://www.gentoo.org/proj/en/qa/backtraces.xml

Briefly, do the following:

1. CFLAGS+="-ggdb" FEATURES+="nostrip" emerge procmail

2. gdb /usr/bin/procmail

3. In the gdb env, do

(gdb) set args -m test.rc < test.mbox
(gdb) run
      should terminate abnormally at this point
(gdb) bt

Give me the backtrace.

4. As per my comment, I'm curious what procmail is trying to link against. Can you give me the output to

nm /usr/bin/procmail
ldd /usr/bin/procmail

Sorry to make you do all this work --- but I just can't seem to reproduce it here.
Ok, so this is odd:

When emerged with the flags you specified, it doesn't crash.
bt gives simply: No Stack.

I tried in the debugger with a stripped ebuild, it crashed, but also no backtrace.

I'm getting random segfaults with several different programs. I'm suspecting my hardware :-( Though, maybe I've been hacked :-(

How do I tell if I've been rooted?

P.S. Thanks for all your help.
(In reply to comment #9)
> Ok, so this is odd:
>
> When emerged with the flags you specified, it doesn't crash.
> bt gives simply: No Stack.
>
> I tried in the debugger with a stripped ebuild, it crashed, but also no
> backtrace.
>
> I'm getting random segfaults with several different programs. I'm suspecting my
> hardware :-( Though, maybe I've been hacked :-(
>
>
> How do I tell if I've been rooted?
>
> P.S. Thanks for all your help.
>

Okay I think the problem is not procmail, so I'm going to close this bug INVALID. I don't want to turn bugzilla into a help forum, so let me help you via email. There's clearly some badness going on.