Bugzilla – Bug 986534
mutt unconditionally segfaults when displaying a message
Last modified: 2019-05-09 10:11:46 UTC
$ gdb mutt
(gdb) run -F /dev/shm/muttrc
<select a message to display....>
Fetching message... 0K/3.9K (0%)

Program received signal SIGSEGV, Segmentation fault.
__strlen_ia32 () at ../sysdeps/i386/i586/strlen.S:94
94      movl (%eax), %ecx       /* get word (= 4 bytes) in question */
Missing separate debuginfos, use: zypper install cyrus-sasl-crammd5-debuginfo-2.1.26-12.3.i586 cyrus-sasl-debuginfo-2.1.26-12.3.i586 cyrus-sasl-digestmd5-debuginfo-2.1.26-12.3.i586 cyrus-sasl-gssapi-debuginfo-2.1.26-12.3.i586 cyrus-sasl-plain-debuginfo-2.1.26-12.3.i586 glibc-locale-debuginfo-2.23-4.1.i586 krb5-debuginfo-1.14.2-1.2.i586 libassuan0-debuginfo-2.4.2-1.2.i586 libcom_err2-debuginfo-1.42.13-3.4.i586 libdb-4_8-debuginfo-4.8.30-31.60.i586 libffi4-debuginfo-5.3.1+r234891-1.20.i586 libgcc_s1-gcc6-debuginfo-6.1.1+r236988-1.1.i586 libgdbm4-debuginfo-1.12-1.1.i586 libgio-2_0-0-debuginfo-2.48.1-1.1.i586 libglib-2_0-0-debuginfo-2.48.1-1.1.i586 libgmime-2_6-0-debuginfo-2.6.20-4.4.i586 libgmodule-2_0-0-debuginfo-2.48.1-1.1.i586 libgobject-2_0-0-debuginfo-2.48.1-1.1.i586 libgpg-error0-debuginfo-1.22-1.1.i586 libgpgme11-debuginfo-1.6.0-2.3.i586 libidn11-debuginfo-1.32-1.4.i586 libkeyutils1-debuginfo-1.5.9-5.5.i586 libncurses5-debuginfo-6.0-9.1.i586 libnotmuch4-debuginfo-0.20.2-1.4.i586 libopenssl1_0_0-debuginfo-1.0.2h-1.2.i586 libpcre1-debuginfo-8.38-1.55.i586 libsasl2-3-debuginfo-2.1.26-12.2.i586 libselinux1-debuginfo-2.3-5.81.i586 libstdc++6-gcc6-debuginfo-6.1.1+r236988-1.1.i586 libtalloc2-debuginfo-2.1.6-1.2.i586 libuuid1-debuginfo-2.28-2.1.i586 libxapian22-debuginfo-1.2.23-1.2.i586 libz1-debuginfo-1.2.8-11.58.i586
(gdb) bt
#0  __strlen_ia32 () at ../sysdeps/i386/i586/strlen.S:94
#1  0xb7a397f1 in __GI__IO_fputs (str=0x12430 <error: Cannot access memory at address 0x12430>, fp=0x802015a8) at iofputs.c:33
#2  0x800248a6 in mutt_copy_header (in=0x80201708, h=0x80303c30, out=0x802015a8, flags=786582, prefix=0x0) at copy.c:435
#3  0x80024cba in _mutt_copy_message (fpout=0x802015a8, fpin=0x80201708, hdr=0x80303c30, body=0x80303c98, flags=76, chflags=786582) at copy.c:653
#4  0x80025387 in mutt_copy_message (fpout=0x802015a8, src=0x801dc1b0, hdr=0x80303c30, flags=76, chflags=786582) at copy.c:770
#5  0x8001d5ab in mutt_display_message (cur=0x80303c30) at commands.c:152
#6  0x8002c500 in mutt_index_menu () at curs_main.c:1867
#7  0x8000e5f3 in main (argc=<optimized out>, argv=<optimized out>) at main.c:886
(gdb) frame 2
#2  0x800248a6 in mutt_copy_header (in=0x80201708, h=0x80303c30, out=0x802015a8, flags=786582, prefix=0x0) at copy.c:435
435         fputs (nm_header_get_tags(h), out);
(gdb) print *((struct nm_hdrdata *) h->data)
$1 = {folder = 0x41 <error: Cannot access memory at address 0x41>, tags = 0x12430 <error: Cannot access memory at address 0x12430>, tags_transformed = 0x0, tag_list = 0x19, oldpath = 0x6863694d <error: Cannot access memory at address 0x6863694d>, virtual_id = 0x206c6561 <error: Cannot access memory at address 0x206c6561>, magic = 2054447437}
(gdb) shell cat /dev/shm/muttrc
set spoolfile=imaps://imap.suse.de/INBOX
set imap_user=lpechacek
set imap_pass="ThePassword"
source /etc/skel/.muttrc
(gdb)

Rebuilding Mutt without Notmuch support makes Mutt work fine again.

Index: mutt.spec
===================================================================
--- mutt.spec (revision 71)
+++ mutt.spec (working copy)
@@ -205,7 +205,7 @@
 --enable-mailtool \
 --enable-compressed \
 --enable-sidebar \
-%if 0%{?is_opensuse}
+%if 0%{?is_opensuse} && 0
 --enable-notmuch \
 %endif
 --enable-hcache \
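Review bot: appending "&& 0" to the "%if 0%{?is_opensuse}" line turns the condition into a permanently false branch, so "--enable-notmuch \" is dropped from every build, not only while this crash is open, and nothing in the spec tells a later reader why. If this is a temporary workaround, add a comment on the line above naming bug 986534 and the i586 notmuch crash so the "&& 0" is removed once a fixed package lands; if notmuch is meant to stay off, remove the "%if"/"%endif" block and the "--enable-notmuch \" line outright rather than leaving a dead conditional in place.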
I cannot trigger this crash with mutt-1.6.1-5.1.x86_64 on Tumbleweed (running in screen or xterm).

Can you still reproduce it? Does it need a special message to crash it?
(In reply to Bernhard Wiedemann from comment #1)
> Can you still reproduce it?

Yes. Also with the latest snapshot.

Steps to reproduce:

1) create muttrc for IMAPS access

$ cat > muttrc
set spoolfile=imaps://imap.suse.de/INBOX
set imap_user=lpechacek
set imap_pass="ThePassword"
source /etc/skel/.muttrc

2) run mutt with the above config

$ mutt -F muttrc

3) try to display any message body

> Does it need a special message to crash it?

Don't think so. IOW I haven't found a message Mutt would display for me. ;)
See https://github.com/neomutt/neomutt/issues/73
Hi Libor,

I'm Rich/FlatCap, the NeoMutt maintainer. Thanks for the detailed bug report; it's very helpful.

Looking through the backtrace and code, there's only one line that it could be: when NotMuch tries to write its Tags.

Please can you run mutt with debugging enabled (level 2 should be enough) and post the contents of ~/.muttdebug0

mutt -d 2

In the debugging, I'm hoping to see something like ...

nm: new tags: 'Inbox, !"$!£$!5$$ (garbage) ...
Created attachment 683528 [details]
mutt debug log

(In reply to Richard Russon from comment #4)
> Please can you run mutt with debugging enabled (level 2 should be enough)
> and post the contents of ~/.muttdebug0
>
> mutt -d 2

Hi Rich, nice to meet you!

I've recompiled mutt with debugging enabled and re-ran the test with my (private) e-mail account. Find attached the log file.

HTH
Another possibly useful data point - the crash happens only with i586 version. x86_64 one works fine. Even installing i586 package on an x86_64 system is enough to replicate the bug. For the record, I have tried running Mutt with Valgrind and GCC Address Sanitizer but it still crashes exactly at the same place.
Hmm... The log cuts out before notmuch manages to log anything! Thanks, anyway.

> the crash happens only with i586 version. x86_64 one works fine.

Ah, now that's interesting. There was a strange line of code I noticed -- it might be nothing.

> installing i586 package on an x86_64 system is enough to replicate the bug.

I'll give that a try.

I'm a bit busy at the moment -- trying to create a new release -- but I'll find and fix this bug soon.
Hi Libor,

Found it. Fixed it :-)

The NotMuch patch was trying to display data on someone else's messages.

The question remains: Why didn't this crash for everyone? Some things will have to remain a mystery.

I've attached a patch which I'll include in the next release.

Rich / FlatCap
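The root cause described above, notmuch code interpreting the per-message private data of a message that belongs to another backend (here IMAP), shown in a small C model with the blind cast beside a guarded version. This is added example code, not mutt's or NeoMutt's; the struct layouts, the MAGIC_* values and a per-header field recording the owning backend are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of this report's crash, not mutt's own code: each
 * mailbox backend hangs its own private struct off a header's ->data
 * pointer, and the notmuch code cast that pointer to struct nm_hdrdata
 * on a message that actually belonged to the IMAP backend. */
enum mx_magic { MAGIC_IMAP = 1, MAGIC_NOTMUCH = 2 };

struct imap_hdrdata { unsigned uid; char flags[8]; };  /* assumed layout */
struct nm_hdrdata   { char *folder; char *tags; };      /* assumed layout */

struct header {
    enum mx_magic magic;  /* assumption: records which backend owns ->data */
    void *data;
};

/* Before: blind cast, the pattern behind the backtrace at copy.c:435.
 * On an IMAP header ->data is not an nm_hdrdata, so ->tags is garbage
 * and the following fputs() walks off into unmapped memory. */
const char *tags_unchecked(const struct header *h)
{
    return ((struct nm_hdrdata *) h->data)->tags;
}

/* After: interpret ->data as nm_hdrdata only when notmuch owns it. */
const char *tags_checked(const struct header *h)
{
    if (h->magic != MAGIC_NOTMUCH || !h->data)
        return NULL;
    return ((struct nm_hdrdata *) h->data)->tags;
}

/* Writes the tag header line only for a valid, non-empty tag string.
 * Returns 1 if a line was written, 0 if skipped, -1 on I/O error. */
int copy_tags_header(const struct header *h, FILE *out)
{
    const char *tags = tags_checked(h);
    if (!tags || !*tags)
        return 0;
    return fprintf(out, "X-Label: %s\n", tags) < 0 ? -1 : 1;
}

/* Constructed sample headers, one per backend, for trying the guard. */
static struct imap_hdrdata sample_imap = { 4711, "\\Seen" };
static struct nm_hdrdata sample_nm = { "INBOX", "inbox,unread" };

struct header imap_header(void) { struct header h = { MAGIC_IMAP, &sample_imap }; return h; }
struct header nm_header(void) { struct header h = { MAGIC_NOTMUCH, &sample_nm }; return h; }
```

Calling tags_unchecked() on imap_header() reproduces the report's failure mode (a bogus tags pointer handed to fputs), while tags_checked() returns NULL for it and the IMAP message is displayed without a tag line.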
Created attachment 683610 [details]
patch to fix crash
(In reply to Richard Russon from comment #9)
> Created attachment 683610 [details]
> patch to fix crash

This patch fixes the crash I observed. Thank you, Rich!
Fixed
openSUSE-SU-2019:0052-1: An update that solves 16 vulnerabilities and has 6 fixes is now available. Category: security (important) Bug References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,1120935,980830,982129,986534 CVE References: CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363 Sources used: openSUSE Leap 42.3 (src): mutt-1.10.1-2.5.1
SUSE-SU-2019:1196-1: An update that solves 16 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,980830,982129,986534 CVE References: CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363 Sources used: SUSE Linux Enterprise Server 12-SP3 (src): mutt-1.10.1-55.6.1 SUSE Linux Enterprise Desktop 12-SP3 (src): mutt-1.10.1-55.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.