Opportunistic PGP encryption with keyless recipient causes core dump #3106

Closed
norristh opened this issue Oct 28, 2021 · 3 comments · Fixed by #3090
Labels
has:backtrace Debugging backtrace attached type:bug Bug

Comments

@norristh

norristh commented Oct 28, 2021

Expected Behaviour

With crypt_opportunistic_encrypt set, newly composed messages to recipients with available public keys will default to PGP encrypted. Messages to recipients without keys will default to no encryption.

Actual Behaviour

Email to recipients with keys works correctly.

If addressing recipients without a key, upon saving the composed message in the vim editor, neomutt core dumps. I've seen three variations of errors:

idouble free or corruption (fasttop)
zsh: IOT instruction (core dumped)  neomutt
imalloc_consolidate(): unaligned fastbin chunk detected
zsh: IOT instruction (core dumped)  neomutt
free(): double free detected in tcache 2
zsh: IOT instruction (core dumped)  neomutt

coredumpctl does show entries for neomutt. I've never examined coredumps but can try things as instructed.

Steps to Reproduce

add set crypt_opportunistic_encrypt = yes to the .muttrc config.
run neomutt
compose a new email
to: random@random.org
subject: test
body: anything
save

How often does this happen?

Always

When did it start to happen?

Within the last two weeks. I kind of think it did not happen with the 20211015 update, or I would have noticed it sooner. But it's possible I simply didn't send any emails to non-PGP users during the window between 20211015 and 20211022.

NeoMutt Version

Mutt 20211022
Copyright (C) 1996-2020 Michael R. Elkins and others.
NeoMutt comes with ABSOLUTELY NO WARRANTY; for details type 'neomutt -vv'.
NeoMutt is free software, and you are welcome to redistribute it
under certain conditions; type 'neomutt -vv' for details.

System: Linux 5.4.151-1.fc25.qubes.x86_64 (x86_64)
ncurses: ncurses 6.2.20200222 (compiled with 6.2.20200222)
libidn2: 2.3.2 (compiled with 2.3.2)
GPGME: 1.14.0
GnuTLS: 3.6.16
libnotmuch: 5.3.0
PCRE2: 10.36 2020-12-04
storage: tokyocabinet, lmdb
compression: lz4, zlib, zstd

Configure options: --sysconfdir=/etc --full-doc SENDMAIL=/usr/sbin/sendmail ISPELL=/usr/bin/hunspell --autocrypt --gnutls --gpgme --gss --disable-idn --idn2 --lmdb --lua --lz4 --notmuch --pcre2 --sasl --tokyocabinet --zlib --zstd

Compilation CFLAGS: -g -O2 -std=c99 -fno-delete-null-pointer-checks -D_ALL_SOURCE=1 -D_GNU_SOURCE=1 -D__EXTENSIONS__ -I/usr/include -DNCURSES_WIDECHAR

Default options:
  +attach_headers_color +compose_to_sender +compress +cond_date +debug 
  +encrypt_to_self +forgotten_attachments +forwref +ifdef +imap +index_color 
  +initials +limit_current_thread +multiple_fcc +nested_if +new_mail +nntp +pop 
  +progress +quasi_delete +regcomp +reply_with_xorig +sensible_browser +sidebar 
  +skip_quoted +smtp +status_color +timeout +tls_sni +trash 

Compile options:
  +autocrypt +fcntl -flock -fmemopen +futimens +getaddrinfo +gnutls +gpgme +gss 
  +hcache -homespool +idn +inotify -locales_hack +lua -mixmaster +nls +notmuch 
  -openssl +pcre2 +pgp +sasl +smime +sqlite +sun_attachment 

MAILPATH="/var/mail"
PKGDATADIR="/usr/share/neomutt"
SENDMAIL="/usr/sbin/sendmail"
SYSCONFDIR="/etc"

To learn more about NeoMutt, visit: https://neomutt.org
If you find a bug in NeoMutt, please raise an issue at:
    https://github.com/neomutt/neomutt/issues
or send an email to: <neomutt-devel@neomutt.org>

The problem still happens with a version compiled with the #3094 fix.

The problem occurs both with crypt_use_gpgme set, and with gpgme unset and using my normal gpg command calls.

I ran with mutt -d 5 but didn't see any useful info. I can share the logs if desired though.

Extra Info

  • Operating System and its version
    Fedora 33

  • Were you using multiple copies of NeoMutt at once?
    No

  • Were you using 'screen' or 'tmux'?
    No

  • Is your email local (maildir) or remote (IMAP)?
    Local

@norristh norristh added the type:bug Bug label Oct 28, 2021
@flatcap
Member

flatcap commented Oct 28, 2021

> coredumpctl does show entries for neomutt.
> I've never examined coredumps but can try things as instructed.

That'd be great.
It'll give us the exact point in the code where NeoMutt crashed (and the lead up to it).

For Fedora, the instructions are roughly:

  • Install gdb and the neomutt debug symbols (as root):
    dnf install gdb neomutt-debugsource neomutt-debuginfo
  • Get the coredump file:
    coredumpctl dump > coredump
  • Start the debugger:
    gdb /usr/bin/neomutt coredump
  • Get a backtrace. In gdb:
    bt

@norristh
Author

[local@local]~% gdb /usr/bin/neomutt coredump                                                               -- INSERT --
GNU gdb (GDB) Fedora 10.2-3.fc33
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/neomutt...
Reading symbols from /usr/lib/debug/usr/bin/neomutt-20211022-1.fc33.x86_64.debug...
[New LWP 1718]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `neomutt'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007e2b58dd29e5 in raise () from /lib64/libc.so.6
Missing separate debuginfos, use: dnf debuginfo-install bzip2-libs-1.0.8-4.fc33.x86_64 cyrus-sasl-lib-2.1.27-6.fc33.x86_64 glib2-2.66.8-1.fc33.x86_64 glibc-2.32-10.fc33.x86_64 gmime30-3.2.7-3.fc33.x86_64 gmp-6.2.0-5.fc33.x86_64 gnutls-3.6.16-1.fc33.x86_64 gpgme-1.14.0-2.fc33.x86_64 keyutils-libs-1.6.1-1.fc33.x86_64 krb5-libs-1.18.2-31.fc33.x86_64 libblkid-2.36.1-1.fc33.x86_64 libcom_err-1.45.6-4.fc33.x86_64 libffi-3.1-26.fc33.x86_64 libgcc-10.3.1-1.fc33.x86_64 libgpg-error-1.41-1.fc33.x86_64 libidn2-2.3.2-1.fc33.x86_64 libmount-2.36.1-1.fc33.x86_64 libselinux-3.1-2.fc33.x86_64 libtalloc-2.3.1-5.fc33.x86_64 libtasn1-4.16.0-3.fc33.x86_64 libunistring-0.9.10-9.fc33.x86_64 libuuid-2.36.1-1.fc33.x86_64 libxcrypt-4.4.26-2.fc33.x86_64 libzstd-1.5.0-1.fc33.x86_64 lmdb-libs-0.9.28-1.fc33.x86_64 lua-libs-5.4.3-1.fc33.x86_64 lz4-libs-1.9.1-3.fc33.x86_64 ncurses-libs-6.2-3.20200222.fc33.x86_64 nettle-3.6-3.fc33.x86_64 notmuch-0.32.1-2.fc33.x86_64 openssl-libs-1.1.1l-2.fc33.x86_64 p11-kit-0.23.22-2.fc33.x86_64 pcre2-10.36-4.fc33.x86_64 sqlite-libs-3.34.1-1.fc33.x86_64 tokyocabinet-1.4.48-16.fc33.x86_64 xapian-core-libs-1.4.17-1.fc33.x86_64 zlib-1.2.11-23.fc33.x86_64
(gdb) bt
#0  0x00007e2b58dd29e5 in raise () at /lib64/libc.so.6
#1  0x00007e2b58dbb8a4 in abort () at /lib64/libc.so.6
#2  0x00007e2b58e15007 in __libc_message () at /lib64/libc.so.6
#3  0x00007e2b58e1ccdc in  () at /lib64/libc.so.6
#4  0x00007e2b58e1e7ac in _int_free () at /lib64/libc.so.6
#5  0x0000000000502746 in mutt_mem_free (ptr=ptr@entry=0x1d47898) at mutt/memory.c:75
#6  0x00000000004f82c8 in mutt_addr_free (ptr=0x7ffcfdb4dac8) at address/address.c:448
#7  mutt_addrlist_clear (al=al@entry=0x7ffcfdb4daf0) at address/address.c:1479
#8  0x000000000049608d in crypt_get_keys
    (e=e@entry=0x1d48390, keylist=keylist@entry=0x7ffcfdb4db48, oppenc_mode=oppenc_mode@entry=true)
    at ncrypt/crypt.c:999
#9  0x00000000004960eb in crypt_opportunistic_encrypt (e=0x1d48390) at ncrypt/crypt.c:1062
#10 0x00000000004d90b1 in mutt_send_message (flags=<optimized out>, flags@entry=0, e_templ=<optimized out>, 
    e_templ@entry=0x0, tempfile=tempfile@entry=0x0, m=0x1d00ad0, el=el@entry=0x0, sub=0x1b914c0) at send/send.c:2662
#11 0x0000000000447bde in op_mail (shared=<optimized out>, priv=0x1c90d10, op=<optimized out>)
    at index/functions.c:702
#12 0x0000000000446578 in mutt_index_menu (dlg=<optimized out>, m_init=<optimized out>) at index/dlg_index.c:1343
#13 0x000000000040d6c3 in main (argc=<optimized out>, argv=0x7ffcfdb50c18, envp=<optimized out>) at main.c:1378
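
Added example (not part of the issue thread and not NeoMutt code): a small Python triage of the gdb backtrace above. It joins wrapped frames, tolerates frames with no address or no symbol name, and reports the source-level frame where free() was reached plus the first caller that is not itself a cleanup helper; the function names in the script and the `CLEANUP_WORDS` name heuristic are assumptions of this example.

```python
import re

# Frames #0-#8 copied from the backtrace posted in this issue.
SAMPLE_BT = """\
#0  0x00007e2b58dd29e5 in raise () at /lib64/libc.so.6
#1  0x00007e2b58dbb8a4 in abort () at /lib64/libc.so.6
#2  0x00007e2b58e15007 in __libc_message () at /lib64/libc.so.6
#3  0x00007e2b58e1ccdc in  () at /lib64/libc.so.6
#4  0x00007e2b58e1e7ac in _int_free () at /lib64/libc.so.6
#5  0x0000000000502746 in mutt_mem_free (ptr=ptr@entry=0x1d47898) at mutt/memory.c:75
#6  0x00000000004f82c8 in mutt_addr_free (ptr=0x7ffcfdb4dac8) at address/address.c:448
#7  mutt_addrlist_clear (al=al@entry=0x7ffcfdb4daf0) at address/address.c:1479
#8  0x000000000049608d in crypt_get_keys
    (e=e@entry=0x1d48390, keylist=keylist@entry=0x7ffcfdb4db48, oppenc_mode=oppenc_mode@entry=true)
    at ncrypt/crypt.c:999
"""

# '#N', optional 'ADDR in' (absent on inlined frames), optional name, args, location.
FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S*)\s*\((.*)\) (?:at|from) (\S+?)(?::(\d+))?$")
# Heuristic (an assumption of this example): these words mark cleanup helpers.
CLEANUP_WORDS = ("free", "clear")

def parse_frames(bt_text):
    """Join wrapped frame lines, then parse each '#N ...' entry into a dict."""
    joined = []
    for line in bt_text.splitlines():
        if line.startswith("#"):
            joined.append(line.strip())
        elif joined and line.strip():
            joined[-1] += " " + line.strip()  # continuation of the previous frame
    frames = []
    for text in joined:
        if m := FRAME_RE.match(text):
            num, func, _args, path, lineno = m.groups()
            frames.append({"num": int(num), "func": func or "??", "file": path,
                           "line": int(lineno) if lineno else None})
    return frames

def triage(frames):
    """Frames without file:line are treated as library frames lacking debuginfo."""
    lib = {f["func"] for f in frames if f["line"] is None}
    src = [f for f in frames if f["line"] is not None]
    caller = next((f for f in src if not any(w in f["func"] for w in CLEANUP_WORDS)), None)
    return {"heap_abort": "abort" in lib and any("free" in n for n in lib),
            "free_site": src[0] if src else None, "caller": caller}

if __name__ == "__main__":
    print(triage(parse_frames(SAMPLE_BT)))
```

The `caller` it reports is only the place to start reading code, not a statement of root cause.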

@flatcap
Member

flatcap commented Oct 28, 2021

Thanks for detailed debugging!

Good news. That confirms what I'd hoped.
It's a bug that was already reported, fixed and merged (#3090).

Not only that, but there's going to be a Bug-Fix Release on Friday.
