Bug 986534 - mutt unconditionally segfaults when displaying a message
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Basesystem
Version: Current
Hardware: i586 Linux
Priority: P5 - None
Severity: Major
Assigned To: Dr. Werner Fink
Reported: 2016-06-25 21:00 UTC by Libor Pechacek
Modified: 2019-05-09 10:11 UTC


Attachments
mutt debug log (109.80 KB, application/x-compressed-tar), 2016-07-08 12:24 UTC, Libor Pechacek
patch to fix crash (1.86 KB, patch), 2016-07-10 02:03 UTC, Richard Russon

Description Libor Pechacek 2016-06-25 21:00:00 UTC
$ gdb mutt
(gdb) run -F /dev/shm/muttrc
<select a message to display....>
Fetching message... 0K/3.9K (0%)
Program received signal SIGSEGV, Segmentation fault.
__strlen_ia32 () at ../sysdeps/i386/i586/strlen.S:94
94		movl (%eax), %ecx	/* get word (= 4 bytes) in question */
Missing separate debuginfos, use: zypper install cyrus-sasl-crammd5-debuginfo-2.1.26-12.3.i586 cyrus-sasl-debuginfo-2.1.26-12.3.i586 cyrus-sasl-digestmd5-debuginfo-2.1.26-12.3.i586 cyrus-sasl-gssapi-debuginfo-2.1.26-12.3.i586 cyrus-sasl-plain-debuginfo-2.1.26-12.3.i586 glibc-locale-debuginfo-2.23-4.1.i586 krb5-debuginfo-1.14.2-1.2.i586 libassuan0-debuginfo-2.4.2-1.2.i586 libcom_err2-debuginfo-1.42.13-3.4.i586 libdb-4_8-debuginfo-4.8.30-31.60.i586 libffi4-debuginfo-5.3.1+r234891-1.20.i586 libgcc_s1-gcc6-debuginfo-6.1.1+r236988-1.1.i586 libgdbm4-debuginfo-1.12-1.1.i586 libgio-2_0-0-debuginfo-2.48.1-1.1.i586 libglib-2_0-0-debuginfo-2.48.1-1.1.i586 libgmime-2_6-0-debuginfo-2.6.20-4.4.i586 libgmodule-2_0-0-debuginfo-2.48.1-1.1.i586 libgobject-2_0-0-debuginfo-2.48.1-1.1.i586 libgpg-error0-debuginfo-1.22-1.1.i586 libgpgme11-debuginfo-1.6.0-2.3.i586 libidn11-debuginfo-1.32-1.4.i586 libkeyutils1-debuginfo-1.5.9-5.5.i586 libncurses5-debuginfo-6.0-9.1.i586 libnotmuch4-debuginfo-0.20.2-1.4.i586 libopenssl1_0_0-debuginfo-1.0.2h-1.2.i586 libpcre1-debuginfo-8.38-1.55.i586 libsasl2-3-debuginfo-2.1.26-12.2.i586 libselinux1-debuginfo-2.3-5.81.i586 libstdc++6-gcc6-debuginfo-6.1.1+r236988-1.1.i586 libtalloc2-debuginfo-2.1.6-1.2.i586 libuuid1-debuginfo-2.28-2.1.i586 libxapian22-debuginfo-1.2.23-1.2.i586 libz1-debuginfo-1.2.8-11.58.i586
(gdb) bt
#0  __strlen_ia32 () at ../sysdeps/i386/i586/strlen.S:94
#1  0xb7a397f1 in __GI__IO_fputs (str=0x12430 <error: Cannot access memory at address 0x12430>, fp=0x802015a8) at iofputs.c:33
#2  0x800248a6 in mutt_copy_header (in=0x80201708, h=0x80303c30, out=0x802015a8, flags=786582, prefix=0x0) at copy.c:435
#3  0x80024cba in _mutt_copy_message (fpout=0x802015a8, fpin=0x80201708, hdr=0x80303c30, body=0x80303c98, flags=76, chflags=786582)
    at copy.c:653
#4  0x80025387 in mutt_copy_message (fpout=0x802015a8, src=0x801dc1b0, hdr=0x80303c30, flags=76, chflags=786582) at copy.c:770
#5  0x8001d5ab in mutt_display_message (cur=0x80303c30) at commands.c:152
#6  0x8002c500 in mutt_index_menu () at curs_main.c:1867
#7  0x8000e5f3 in main (argc=<optimized out>, argv=<optimized out>) at main.c:886
(gdb) frame 2
#2  0x800248a6 in mutt_copy_header (in=0x80201708, h=0x80303c30, out=0x802015a8, flags=786582, prefix=0x0) at copy.c:435
435	    fputs (nm_header_get_tags(h), out);
(gdb) print *((struct nm_hdrdata *) h->data)
$1 = {folder = 0x41 <error: Cannot access memory at address 0x41>, tags = 0x12430 <error: Cannot access memory at address 0x12430>, 
  tags_transformed = 0x0, tag_list = 0x19, oldpath = 0x6863694d <error: Cannot access memory at address 0x6863694d>, 
  virtual_id = 0x206c6561 <error: Cannot access memory at address 0x206c6561>, magic = 2054447437}
(gdb) shell cat /dev/shm/muttrc 
set spoolfile=imaps://imap.suse.de/INBOX
set imap_user=lpechacek
set imap_pass="ThePassword"
source /etc/skel/.muttrc
(gdb)

Rebuilding Mutt without Notmuch support makes Mutt work fine again.
Index: mutt.spec
===================================================================
--- mutt.spec   (revision 71)
+++ mutt.spec   (working copy)
@@ -205,7 +205,7 @@
        --enable-mailtool \
        --enable-compressed \
        --enable-sidebar \
-%if 0%{?is_opensuse}
+%if 0%{?is_opensuse} && 0
        --enable-notmuch  \
 %endif
        --enable-hcache \
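Review bot: the `&& 0` appended to `%if 0%{?is_opensuse}` in this hunk disables `--enable-notmuch` unconditionally and leaves a dead `is_opensuse` test behind, which is fine for a one-off triage build but should not be committed in this form. If the package needs a build-time switch, use a `%bcond_with notmuch` / `%if %{with notmuch}` guard so the feature can be toggled without editing the spec, and drop the workaround once the copy.c fix is packaged: building without notmuch only removes the `nm_header_get_tags(h)` call at copy.c:435 that the backtrace points at, it does not fix the underlying misuse of `h->data` for non-notmuch mailboxes.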
Comment 1 Bernhard Wiedemann 2016-07-05 07:47:45 UTC
I cannot trigger this crash with mutt-1.6.1-5.1.x86_64
on Tumbleweed (running in screen or xterm)

Can you still reproduce it?
Does it need a special message to crash it?
Comment 2 Libor Pechacek 2016-07-05 09:44:50 UTC
(In reply to Bernhard Wiedemann from comment #1)
> Can you still reproduce it?

Yes.  Also with the latest snapshot.  Steps to reproduce:

1) create muttrc for IMAPS access
$ cat > muttrc
set spoolfile=imaps://imap.suse.de/INBOX
set imap_user=lpechacek
set imap_pass="ThePassword"
source /etc/skel/.muttrc

2) run mutt with the above config
$ mutt -F muttrc

3) try to display any message body

> Does it need a special message to crash it?

Don't think so.  IOW I haven't found a message Mutt would display for me. ;)
Comment 3 Dr. Werner Fink 2016-07-07 10:11:32 UTC
See https://github.com/neomutt/neomutt/issues/73
Comment 4 Richard Russon 2016-07-07 11:21:05 UTC
Hi Libor,

I'm Rich/FlatCap, the NeoMutt maintainer.

Thanks for the detailed bug report, it's very helpful.

Looking through the backtrace and code, there's only one line that it could be:
when NotMuch tries to write its Tags.

Please can you run mutt with debugging enabled (level 2 should be enough)
and post the contents of ~/.muttdebug0

    mutt -d 2

In the debugging, I'm hoping to see something like

    ...
    nm: new tags: 'Inbox, !"$!£$!5$$ (garbage)
    ...
Comment 5 Libor Pechacek 2016-07-08 12:24:46 UTC
Created attachment 683528 [details]
mutt debug log

(In reply to Richard Russon from comment #4)
> Please can you run mutt with debugging enabled (level 2 should be enough)
> and post the contents of ~/.muttdebug0
> 
>     mutt -d 2

Hi Rich, nice to meet you!  I've recompiled mutt with debugging enabled and re-ran the test with my (private) e-mail account.  Find attached the log file.  HTH
Comment 6 Libor Pechacek 2016-07-08 12:44:14 UTC
Another possibly useful data point - the crash happens only with i586 version.  x86_64 one works fine.  Even installing i586 package on an x86_64 system is enough to replicate the bug.

For the record, I have tried running Mutt with Valgrind and GCC Address Sanitizer but it still crashes exactly at the same place.
Comment 7 Richard Russon 2016-07-08 13:40:48 UTC
Hmm... The log cuts out before notmuch manages to log anything!
Thanks, anyway.

> the crash happens only with i586 version.  x86_64 one works fine.

Ah, now that's interesting.  There was a strange line of code I noticed -- it might be nothing.

> installing i586 package on an x86_64 system is enough to replicate the bug.

I'll give that a try.

I'm a bit busy at the moment -- trying to create a new release -- but I'll find and fix this bug soon.
Comment 8 Richard Russon 2016-07-10 02:02:35 UTC
Hi Libor,

Found it.  Fixed it :-)

The NotMuch patch was trying to display data on someone else's messages.
The question remains: Why didn't this crash for everyone?
Some things will have to remain a mystery.

I've attached a patch which I'll include in the next release.

Rich / FlatCap
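The crash above is a type confusion on the per-header private-data pointer: every mailbox backend hangs its own struct off the same `void *` (`h->data`), and the notmuch code in mutt_copy_header cast it to `struct nm_hdrdata` for a message that came from IMAP. The gdb dump in the description shows exactly that: `folder = 0x41` and `tags = 0x12430` are small integers, not heap pointers, and `oldpath = 0x6863694d` / `virtual_id = 0x206c6561` decode (little-endian) to the ASCII bytes "Michael ", i.e. message text rather than pointers. Whether that reinterpretation crashes depends on which bytes land at `offsetof(struct nm_hdrdata, tags)` on a given ABI, which is why an i586 build can fault where x86_64 happens not to. The following C program is an added illustration written for this page; it is not mutt's or NeoMutt's code and is not the attached patch. The struct layouts, the `enum mbox_magic` values and the function names are simplified stand-ins chosen for the example, and the sample IMAP and notmuch records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mailbox backend tags, standing in for mutt's ctx->magic values.
 * The names and numbers are this example's own, not mutt's. */
enum mbox_magic { MAGIC_MBOX = 1, MAGIC_IMAP = 2, MAGIC_NOTMUCH = 3 };

/* Simplified stand-in for the IMAP backend's per-header data. */
struct imap_hdrdata {
    unsigned int flags;
    unsigned int uid;
    char *keywords;
};

/* Simplified stand-in for the notmuch backend's per-header data, with the
 * same field order as the struct printed in the gdb session above. */
struct nm_hdrdata {
    char *folder;
    char *tags;
    char *tags_transformed;
    void *tag_list;
    char *oldpath;
    char *virtual_id;
    int magic;
};

/* Every backend hangs its private data off the same void pointer, so the
 * pointer itself carries no information about which struct it points to. */
struct header  { void *data; };
struct context { enum mbox_magic magic; };

/* Unchecked shape: assumes h->data is notmuch data, as copy.c:435 did.
 * The "tags" pointer is returned as an integer so it can be inspected
 * without being dereferenced. */
static uintptr_t nm_tags_unchecked_addr(const struct header *h)
{
    const struct nm_hdrdata *nm = h->data;
    return (uintptr_t)nm->tags;
}

/* Checked shape: the mailbox that owns the header says which backend
 * populated h->data; only then is the cast valid. */
static const char *nm_tags_checked(const struct context *ctx, const struct header *h)
{
    if (!ctx || ctx->magic != MAGIC_NOTMUCH || !h || !h->data)
        return NULL;
    const struct nm_hdrdata *nm = h->data;
    return nm->tags;
}

/* Emits the synthetic "Tags:" header line the way copy.c does, but only for
 * headers that really belong to a notmuch mailbox. Returns bytes written. */
static int write_tags_line(const struct context *ctx, const struct header *h,
                           char *out, size_t outlen)
{
    const char *tags = nm_tags_checked(ctx, h);
    if (!tags)
        return 0;
    int n = snprintf(out, outlen, "Tags: %s\n", tags);
    return n < 0 ? 0 : n;
}

/* Constructed sample data: an IMAP header whose uid is 0x12430 (the value gdb
 * reported as "tags"), a genuine notmuch header, and a header with no data. */
static struct imap_hdrdata sample_imap = { 0x41, 0x12430, "$Forwarded" };
static struct nm_hdrdata   sample_nm   = { "INBOX", "inbox unread", NULL, NULL,
                                           NULL, NULL, 0x4e4d4844 };
static struct header  imap_hdr  = { &sample_imap };
static struct header  nm_hdr    = { &sample_nm };
static struct header  empty_hdr = { NULL };
static struct context imap_ctx  = { MAGIC_IMAP };
static struct context nm_ctx    = { MAGIC_NOTMUCH };
static char line_buf[64];

int main(void)
{
    /* On a 32-bit layout this prints 0x12430 (the IMAP uid); on LP64 it is
     * the IMAP keywords pointer. Either way it is not a tags string. */
    printf("unchecked cast on IMAP header yields tags=%#lx\n",
           (unsigned long)nm_tags_unchecked_addr(&imap_hdr));

    int n = write_tags_line(&imap_ctx, &imap_hdr, line_buf, sizeof line_buf);
    printf("IMAP header: %d bytes written\n", n);

    n = write_tags_line(&nm_ctx, &nm_hdr, line_buf, sizeof line_buf);
    printf("notmuch header: %d bytes written: %s", n, line_buf);
    return 0;
}
```

The check has to come from the owning context (`ctx->magic`), not from a magic field inside the suspect struct: `nm_hdrdata.magic` sits at the end of a struct that is larger than the IMAP one, so reading it through a foreign `h->data` is itself an out-of-bounds heap read. Valgrind and ASan are also unlikely to flag the original bug, as comment 6 observed, because the bad load is a plain read inside a valid allocation; only the later `strlen` on the fetched integer faults.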
Comment 9 Richard Russon 2016-07-10 02:03:52 UTC
Created attachment 683610 [details]
patch to fix crash
Comment 10 Libor Pechacek 2016-07-18 08:10:08 UTC
(In reply to Richard Russon from comment #9)
> Created attachment 683610 [details]
> patch to fix crash

This patch fixes the crash I observed.  Thank you, Rich!
Comment 11 Dr. Werner Fink 2016-12-09 14:36:41 UTC
Fixed
Comment 13 Swamp Workflow Management 2019-01-17 17:14:02 UTC
openSUSE-SU-2019:0052-1: An update that solves 16 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,1120935,980830,982129,986534
CVE References: CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363
Sources used:
openSUSE Leap 42.3 (src):    mutt-1.10.1-2.5.1
Comment 14 Swamp Workflow Management 2019-05-09 10:11:46 UTC
SUSE-SU-2019:1196-1: An update that solves 16 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1061343,1094717,1101428,1101566,1101567,1101568,1101569,1101570,1101571,1101573,1101576,1101577,1101578,1101581,1101582,1101583,1101588,1101589,980830,982129,986534
CVE References: CVE-2014-9116,CVE-2018-14349,CVE-2018-14350,CVE-2018-14351,CVE-2018-14352,CVE-2018-14353,CVE-2018-14354,CVE-2018-14355,CVE-2018-14356,CVE-2018-14357,CVE-2018-14358,CVE-2018-14359,CVE-2018-14360,CVE-2018-14361,CVE-2018-14362,CVE-2018-14363
Sources used:
SUSE Linux Enterprise Server 12-SP3 (src):    mutt-1.10.1-55.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    mutt-1.10.1-55.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.