You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Michael Scheidell <mi...@secnap.com> on 2011/03/21 04:13:22 UTC

Re: Reproducing Bug 6559

On 3/20/11 8:57 PM, Karsten Bräckelmann wrote:
> There are now reports, that this bug is not strictly related to 32 bit
> architecture (though always with compiled rules).
>
> Since there have been offers for further testing: One data point is to
> collect details about systems, CPU architecture, instruction set used
> for compiling, versions (OS, kernel, compiler, re2c, Perl) and patch-
> level.
>
I had it happen on two out of 32 jailed freebsd clients.
guess what: all the same hardware, os level, software, software level.
all amd64, freebsd 7.3, perl 5.10.0, sa 3.3.1 running through 
amavisd-new 2.6.4, running compiled rules.


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
 >*| *SECNAP Network Security Corporation

    * Best Intrusion Prevention Product, Networks Product Guide
    * Certified SNORT Integrator
    * Hot Company Award, World Executive Alliance
    * Best in Email Security, 2010 Network Products Guide
    * King of Spam Filters, SC Magazine

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________

Re: Reproducing Bug 6559

Posted by Michael Scheidell <mi...@secnap.com>.

On 3/23/11 5:10 PM, Karsten Bräckelmann wrote:
> Michael, I don't think I could follow you. Did you say that these
> "identical" systems do have different rules?
>
there might be some slight differences in local.cf.  thats it.

this one is very strange.
offlist if you want more details...

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
 >*| *SECNAP Network Security Corporation

    * Best Intrusion Prevention Product, Networks Product Guide
    * Certified SNORT Integrator
    * Hot Company Award, World Executive Alliance
    * Best in Email Security, 2010 Network Products Guide
    * King of Spam Filters, SC Magazine

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________

Re: Reproducing Bug 6559

Posted by Karsten Bräckelmann <gu...@rudersport.de>.

On Mon, 2011-03-21 at 05:33 -0400, Michael Scheidell wrote:
> 32 systems, exactly the same cpu, step software. only minor differences 
> would be.. well, not even the exact set of rules. but can re2c randomly 
> compile something different depending on internal cpu cache?
> 
> only two of them had a problem.

Michael, I don't think I could follow you. Did you say that these
"identical" systems do have different rules?


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Reproducing Bug 6559

Posted by Michael Scheidell <mi...@secnap.com>.

On 3/20/11 11:33 PM, Karsten Bräckelmann wrote:
> [1] CPU version or rather stepping?
>
not in my instance.

freebsd jails are like ibm pseries 'lpars'.  not exactly visualization, 
but chrooted .  super chrooted.  chrooted users also,  root uid is 
chrooted as well.

32 systems, exactly the same cpu, step software. only minor differences 
would be.. well, not even the exact set of rules. but can re2c randomly 
compile something different depending on internal cpu cache?

only two of them had a problem.

-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
 >*| *SECNAP Network Security Corporation

    * Best Intrusion Prevention Product, Networks Product Guide
    * Certified SNORT Integrator
    * Hot Company Award, World Executive Alliance
    * Best in Email Security, 2010 Network Products Guide
    * King of Spam Filters, SC Magazine

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________

Re: Reproducing Bug 6559

Posted by Karsten Bräckelmann <gu...@rudersport.de>.

On Sun, 2011-03-20 at 23:13 -0400, Michael Scheidell wrote:
> On 3/20/11 8:57 PM, Karsten Bräckelmann wrote:
> > There are now reports, that this bug is not strictly related to 32 bit
> > architecture (though always with compiled rules).
> >
> > Since there have been offers for further testing: One data point is to
> > collect details about systems, CPU architecture, instruction set used
> > for compiling, versions (OS, kernel, compiler, re2c, Perl) and patch-
> > level.
> 
> I had it happen on two out of 32 jailed freebsd clients.
> guess what: all the same hardware, os level, software, software level.
> all amd64, freebsd 7.3, perl 5.10.0, sa 3.3.1 running through 
> amavisd-new 2.6.4, running compiled rules.

Uhm, you do realize that is NOT helpful, don't you? ;)

Seriously, thanks Michael! Supports the previous conclusion that this is
not strictly based on any system or environment -- but likely a very
obscure bug with re2c compilation, triggering in some highly specific
circumstances only [1].

Does the "use space instead of \s" theory fix it for you?


[1] CPU version or rather stepping?

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}