Bug 301499

Summary:	Buffer overflow in mail-filter/opendkim-1.2.1
Product:	Gentoo Linux	Reporter:	Tilman Giese <gentoo>
Component:	Current packages	Assignee:	Daniel Black (RETIRED) <dragonheart>
Status:	RESOLVED FIXED
Severity:	normal
Priority:	High
Version:	unspecified
Hardware:	AMD64
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	Patch that fixes a negative length for sprintf

Description Tilman Giese 2010-01-19 08:59:31 UTC

I noticed that the opendkim daemon suddenly disappeared over night. Syslog shows:

Jan 19 09:22:05 luthien ***: buffer overflow detected ***: opendkim - terminated
Jan 19 09:22:05 luthien opendkim: buffer overflow attack in function <unknown> - terminated
Jan 19 09:22:05 luthien Report: to http://bugs.gentoo.org/

I restarted opendkim but it reproducibly crashed with the very same buffer overflow at the very same mail message. The mail log file says:

Jan 19 09:27:08 luthien postfix/smtpd[6652]: connect from localhost[127.0.0.1]
Jan 19 09:27:08 luthien postfix/smtpd[6652]: A444F27FAE7: client=localhost[127.0.0.1]
Jan 19 09:27:08 luthien postfix/cleanup[6656]: A444F27FAE7: message-id=<0MGR7d-1NbUC90IKG-00DEha@mbulk.1and1.com>
Jan 19 09:27:08 luthien postfix/cleanup[6656]: warning: milter unix:/var/run/opendkim/opendkim.sock: can't read SMFIC_BODYEOB reply packet header: Success
Jan 19 09:27:08 luthien postfix/cleanup[6656]: A444F27FAE7: milter-reject: END-OF-MESSAGE from localhost[127.0.0.1]: 4.7.1 Service unavailable - try again later; from=<82828454637207827.5.221282250@bounce.unitedinternet.com> to=<**********> proto=ESMTP helo=<**********>
Jan 19 09:27:08 luthien postfix/smtpd[6652]: warning: milter unix:/var/run/opendkim/opendkim.sock: can't read SMFIC_MAIL reply packet header: Broken pipe

So I tried to compile opendkim with debugging symbols enabled but it turns out that opendkim is no longer crashing now.

I am reluctant to attach the originally offending message as it is a personal invoice but I am willing to provide it to anyone that might need it for debugging purposes.

I am sorry that there is not much more information to attach. gdb seems kind of useless debugging the overflow as the program is terminated with SIGKILL.


Reproducible: Always




luthien ~ # emerge --info
Portage 2.1.6.13 (hardened/linux/amd64/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.24-hardened-r3 x86_64)
=================================================================
System uname: Linux-2.6.24-hardened-r3-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5600+-with-gentoo-1.12.13
Timestamp of tree: Thu, 14 Jan 2010 10:15:02 +0000
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.27-r2
ABI="amd64"
ACCEPT_KEYWORDS="amd64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_dbd authn_dbm authn_default authn_file authz_default authz_host authz_user autoindex dav dav_fs dav_lock dbd deflate dir env filter include log_config logio mime mime_magic negotiation proxy proxy_http rewrite setenvif ssl"
ARCH="amd64"
ASFLAGS_x86="--32"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CDEFINE_amd64="__x86_64__"
CDEFINE_x86="__i386__"
CFLAGS="-march=athlon64 -O3 -pipe -fforce-addr"
CFLAGS_x86="-m32"
CHOST="x86_64-pc-linux-gnu"
CHOST_amd64="x86_64-pc-linux-gnu"
CHOST_x86="i686-pc-linux-gnu"
CLEAN_DELAY="5"
COLLISION_IGNORE="/lib/modules"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CVS_RSH="ssh"
CXXFLAGS="-march=athlon64 -O3 -pipe -fforce-addr"
DEFAULT_ABI="amd64"
DISTDIR="/usr/portage/distfiles"
EDITOR="/bin/nano"
ELIBC="glibc"
EMERGE_DEFAULT_OPTS="--ask --verbose"
EMERGE_WARNING_DELAY="10"
FEATURES="distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
FETCHCOMMAND="/usr/bin/wget -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
GCC_SPECS=""
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://ftp.fi.muni.cz/pub/linux/gentoo/"
HOME="/root"
INFOPATH="/usr/share/info:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.18/info:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.3.4/info"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LDFLAGS="-Wl,-O1"
LDFLAGS_x86="-m elf_i386"
LESS="-R -M --shift 5"
LESSOPEN="|lesspipe.sh %s"
LIBDIR_amd64="lib64"
LIBDIR_amd64_fbsd="lib64"
LIBDIR_ppc="lib32"
LIBDIR_ppc64="lib64"
LIBDIR_sparc32="lib32"
LIBDIR_sparc64="lib64"
LIBDIR_x86="lib32"
LIBDIR_x86_fbsd="lib32"
LOGNAME="root"
LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.pdf=00;32:*.ps=00;32:*.txt=00;32:*.patch=00;32:*.diff=00;32:*.log=00;32:*.tex=00;32:*.doc=00;32:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"
MAIL="/var/mail/root"
MAKEOPTS="-j2"
MANPATH="/usr/local/share/man:/usr/share/man:/usr/share/binutils-data/x86_64-pc-linux-gnu/2.18/man:/usr/share/gcc-data/x86_64-pc-linux-gnu/4.3.4/man:/usr/lib64/php5/man/"
MULTILIB_ABIS="amd64 x86"
MULTILIB_STRICT_DENY="64-bit.*shared object"
MULTILIB_STRICT_DIRS="/lib32 /lib /usr/lib32 /usr/lib /usr/kde/*/lib32 /usr/kde/*/lib /usr/qt/*/lib32 /usr/qt/*/lib /usr/X11R6/lib32 /usr/X11R6/lib"
MULTILIB_STRICT_EXEMPT="(perl5|gcc|gcc-lib|binutils|eclipse-3|debug|portage)"
NETBEANS="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml"
PAGER="/usr/bin/less"
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.4"
PKGDIR="/usr/portage/packages"
PORTAGE_ARCHLIST="ppc x86-openbsd ppc-openbsd ppc64 x86-winnt x86-fbsd ppc-aix alpha arm x86-freebsd s390 amd64 arm-linux x86-macos x64-openbsd ia64-hpux hppa x86-netbsd amd64-linux ia64-linux x86 sparc-solaris x64-freebsd sparc64-solaris x86-linux x64-macos sparc m68k-mint ia64 mips ppc-macos x86-interix hppa-hpux amd64-fbsd x64-solaris mips-irix m68k sh x86-solaris sparc-fbsd"
PORTAGE_BINHOST_CHUNKSIZE="3000"
PORTAGE_BIN_PATH="/usr/lib64/portage/bin"
PORTAGE_COMPRESS_EXCLUDE_SUFFIXES="css gif htm[l]? jp[e]?g js pdf png"
PORTAGE_CONFIGROOT="/"
PORTAGE_DEBUG="0"
PORTAGE_DEPCACHEDIR="/var/cache/edb/dep"
PORTAGE_ELOG_CLASSES="warn error log"
PORTAGE_ELOG_MAILFROM="portage@localhost"
PORTAGE_ELOG_MAILSUBJECT="[portage] ebuild log for ${PACKAGE} on ${HOST}"
PORTAGE_ELOG_MAILURI="root"
PORTAGE_ELOG_SYSTEM="save_summary echo"
PORTAGE_FETCH_CHECKSUM_TRY_MIRRORS="5"
PORTAGE_FETCH_RESUME_MIN_SIZE="350K"
PORTAGE_GID="250"
PORTAGE_INST_GID="0"
PORTAGE_INST_UID="0"
PORTAGE_PYM_PATH="/usr/lib64/portage/pym"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_TMPDIR="/var/tmp"
PORTAGE_VERBOSE="1"
PORTAGE_WORKDIR_MODE="0700"
PORTDIR="/usr/portage"
PROFILE_ONLY_VARIABLES="ARCH ELIBC KERNEL USERLAND"
PWD="/root"
RESUMECOMMAND="/usr/bin/wget -c -t 5 -T 60 --passive-ftp -O "${DISTDIR}/${FILE}" "${URI}""
ROOT="/"
ROOTPATH="/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.4"
RPMDIR="/usr/portage/rpm"
RUBYOPT="-rauto_gem"
RUBY_TARGETS="ruby18"
SHELL="/bin/bash"
SHLVL="1"
SSH_CLIENT="91.64.87.15 63265 22"
SSH_CONNECTION="91.64.87.15 63265 78.46.79.68 22"
SSH_TTY="/dev/pts/2"
STAGE1_USE="hardened multilib nptl nptlonly pic"
SYMLINK_LIB="yes"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
TERM="xterm-color"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dri gdbm hardened iconv idn justify mmx modules mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pic readline reflection session spl sse sse2 ssl sysfs tcpd urandom zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_dbd authn_dbm authn_default authn_file authz_default authz_host authz_user autoindex dav dav_fs dav_lock dbd deflate dir env filter include log_config logio mime mime_magic negotiation proxy proxy_http rewrite setenvif ssl" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
USER="root"
USERLAND="GNU"
USE_EXPAND="ALSA_CARDS ALSA_PCM_PLUGINS APACHE2_MODULES APACHE2_MPMS CAMERAS CROSSCOMPILE_OPTS DVB_CARDS ELIBC FCDSL_CARDS FOO2ZJS_DEVICES FRITZCAPI_CARDS INPUT_DEVICES KERNEL LCD_DEVICES LINGUAS LIRC_DEVICES MISDN_CARDS NETBEANS_MODULES QEMU_SOFTMMU_TARGETS QEMU_USER_TARGETS RUBY_TARGETS SANE_BACKENDS USERLAND VIDEO_CARDS"
USE_EXPAND_HIDDEN="CROSSCOMPILE_OPTS ELIBC KERNEL USERLAND"
USE_ORDER="env:pkg:conf:defaults:pkginternal:env.d"
VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo"
_="/usr/bin/emerge"

Comment 1 Daniel Black (RETIRED) gentoo-dev

2010-01-20 05:36:52 UTC

ok I just added opendkim-1.2.2 though its changelog doesn't mention anything that could explicitly be the cause of this. If you're willing to test this one I'd be grateful.

I'm willing to take your personal email for testing. I should be able to identify a cause there. At most I'll share it with Murray S. Kucherawy, opendkim's lead developer.

Can you attach/email your configuration file too. No need for private keys however and idea how you have it configured would be great.

Cheers,

Daniel Black
OpenDKIM maintainer and upstream developer

Comment 2 Tilman Giese 2010-01-20 18:10:29 UTC

It turns out that version 1.2.2 has the same problem. If I send exactly the same message, I get the buffer overflow again. However, looking at the CFLAGS might be helpful. Mine were set to CFLAGS="-march=athlon64 -O3 -pipe -fforce-addr". If I change -O3 to -O2 the problem goes away and the message passes successfully.

My configuration is really simple:

Domain          abfallfabrik.de,ahoh.de
KeyFile         /etc/opendkim/luthien.private
Selector        luthien
Socket          local:/var/run/opendkim/opendkim.sock
UserID          milter
UMask           002
Statistics      /var/lib/opendkim/stats.db 

I will send you the personal email.

Comment 3 Tilman Giese 2010-01-20 22:31:06 UTC

Created attachment 217012 [details, diff]
Patch that fixes a negative length for sprintf

Comment 4 Tilman Giese 2010-01-20 22:31:37 UTC

Murray S. Kucherawy finally found the problem. 

"It's an sprintf() that is accidentally passed a negative length.  The target buffer actually has plenty of room, but the computed length in the loop is subtracted too quickly."

I attached the patch that is already committed and will be part of the next release.

Comment 5 Daniel Black (RETIRED) gentoo-dev

2010-01-21 02:09:31 UTC

(In reply to comment #4)
> Murray S. Kucherawy finally found the problem. 

Thank you both.

opendkim-1.2.2-r1 added with this patch. Thanks for your bug report and involvement in getting it fixed Tim. Much appreciated.