Ian Kent 5ec16e
autofs-5.0.6 - fix segmentation fault in do_remount_indirect()

From: Leonardo Chiquitto <leonardo.lists@gmail.com>

In some rare circumstance, it's possible that automount will crash
on startup while trying to reconnect to a "half-broken" NFS mount
point.

The segmentation fault happens because we're not testing scandir()'s
return value in do_remount_indirect():

lib/mounts.c:
1210       i = j = scandir(buf, &de2, 0, alphasort);
1211       while (i--)
1212         free(de2[i]);

So, if scandir() returns -1, it will try to free de2[-1], de2[-2], etc.

Here's the call trace, for reference:

Program terminated with signal 11, Segmentation fault.
#0  0x00007ffff7fe2425 in do_remount_indirect (ap=0x7ffff821e070, fd=15,
    path=0x7ffff821e150 "/nfs/iil") at mounts.c:1212
1212                    free(de2[i]);
(gdb) print j
$1 = -1
(gdb) print de2
$3 = (struct dirent **) 0x0

#0  0x00007ffff7fe2425 in do_remount_indirect (ap=0x7ffff821e070, fd=15,
    path=0x7ffff821e150 "/nfs/iil") at mounts.c:1212
#1  0x00007ffff7fe2a48 in remount_active_mount (ap=0x7ffff821e070, mc=0x0,
    path=0x7ffff821e150 "/nfs/iil", devid=20, type=<optimized out>,
    ioctlfd=0x7ffff6e5babc) at mounts.c:1327
#2  0x00007ffff7fe2ac6 in try_remount (ap=0x7ffff821e070, me=0x0, type=1)
    at mounts.c:1357
#3  0x00007ffff7fd35e0 in do_mount_autofs_indirect (root=<optimized out>,
    ap=<optimized out>) at indirect.c:103
#4  mount_autofs_indirect (ap=0x7ffff821e070, root=0x7ffff8202d50 "/nfs/iil")
    at indirect.c:213
#5  0x00007ffff7fd1473 in mount_autofs (root=<optimized out>,
    ap=<optimized out>) at automount.c:1005
#6  handle_mounts (arg=0x7fffffffdfd0) at automount.c:1526
#7  0x00007ffff7b8e5f0 in start_thread (arg=<optimized out>)
    at pthread_create.c:297
#8  0x00007ffff6f3187d in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#9  0x0000000000000000 in ?? ()

Suggested fix:

Check scandir() return value

In some rare circumstance, it's possible that automount will crash
on startup while trying to reconnect to a "half-broken" NFS mount
point.
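The crash mechanism described above, as an added example that is not autofs code and not from the reporter or committer: the unchecked pattern from the report beside the checked form the fix adopts, run against a constructed temporary directory and against a path that makes scandir() fail. The helper names (count_entries, count_entries_unchecked, make_sample_dir, remove_sample_dir) and the /tmp fixture are assumptions of this example, not names from lib/mounts.c.

```c
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Release a scandir() result. Only valid when n >= 0: on failure scandir()
 * returns -1 and never allocates the list, so there is nothing to free. */
static void free_namelist(struct dirent **list, int n)
{
    while (n--)
        free(list[n]);
    free(list);
}

static int is_dot_entry(const char *name)
{
    return strcmp(name, ".") == 0 || strcmp(name, "..") == 0;
}

/* The pattern from the bug report: scandir()'s return value feeds the free
 * loop directly. With n == -1, `while (n--)` is true once and the body does
 * free(list[-2]) through a NULL base pointer, which is the SIGSEGV in the
 * trace. Only safe where scandir() cannot fail; kept here for comparison. */
int count_entries_unchecked(const char *path)
{
    struct dirent **list = NULL;
    int n = scandir(path, &list, NULL, alphasort);
    int count = 0, i;
    for (i = 0; i < n; i++)
        if (!is_dot_entry(list[i]->d_name))
            count++;
    while (n--)
        free(list[n]);
    free(list);
    return count;
}

/* Checked form, the shape the fix adopts: test for -1 before touching the
 * list. Returns the number of entries other than "." and "..", or -1 with
 * errno left as scandir() set it (ENOENT, EACCES, EIO from a dead export). */
int count_entries(const char *path)
{
    struct dirent **list = NULL;
    int n = scandir(path, &list, NULL, alphasort);
    if (n < 0)
        return -1;              /* nothing allocated: skip the free loop */
    int count = 0;
    for (int i = 0; i < n; i++)
        if (!is_dot_entry(list[i]->d_name))
            count++;
    free_namelist(list, n);
    return count;
}

/* Constructed fixture (assumption of this example): a temp dir holding
 * nfiles empty files. Returns a malloc'd path the caller frees, or NULL. */
char *make_sample_dir(int nfiles)
{
    char tmpl[] = "/tmp/scandir-example-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return NULL;
    char *dir = strdup(tmpl);
    for (int i = 0; i < nfiles; i++) {
        char p[4096];
        snprintf(p, sizeof p, "%s/file%d", dir, i);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0)
            close(fd);
    }
    return dir;
}

/* Remove the fixture: unlink every entry, then rmdir. Returns 0 or -1. */
int remove_sample_dir(const char *dir)
{
    struct dirent **list = NULL;
    int n = scandir(dir, &list, NULL, alphasort);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        if (is_dot_entry(list[i]->d_name))
            continue;
        char p[4096];
        snprintf(p, sizeof p, "%s/%s", dir, list[i]->d_name);
        unlink(p);
    }
    free_namelist(list, n);
    return rmdir(dir);
}

int main(void)
{
    char *dir = make_sample_dir(3);
    if (!dir)
        return 1;
    printf("%s: %d entries\n", dir, count_entries(dir));
    /* Failing path: the checked version returns -1 and preserves errno; the
     * unchecked version would fault here exactly as automount did. */
    if (count_entries("/nonexistent/scandir-example") < 0)
        printf("scandir failed: %s\n", strerror(errno));
    remove_sample_dir(dir);
    free(dir);
    return 0;
}
```

The distinction that matters is that a failed scandir() allocates nothing, so the error branch must leave both the per-entry loop and free(de2) alone; the fix in the hunk below does this with `continue`, and this example does it with an early return.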
---

 CHANGELOG    |    1 +
 lib/mounts.c |    4 ++++
 2 files changed, 5 insertions(+)

--- autofs-5.0.6.orig/CHANGELOG
+++ autofs-5.0.6/CHANGELOG
@@ -30,6 +30,7 @@
 - rework error return handling in rpc code.
 - catch EHOSTUNREACH and bail out early.
 - systemd support fixes.
+- check scandir() return value.
 
 28/06/2011 autofs-5.0.6
 -----------------------
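Review bot: the new entry "- check scandir() return value." names the mechanism but not the symptom, so someone hitting this crash and grepping CHANGELOG for "segfault" or "do_remount_indirect" will not find it; the neighbouring entries are equally terse, so this is a style point, but "fix segfault in do_remount_indirect() when scandir() fails" would match the commit title and be easier to find.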
--- autofs-5.0.6.orig/lib/mounts.c
+++ autofs-5.0.6/lib/mounts.c
@@ -1355,6 +1355,10 @@ static int do_remount_indirect(struct au
 			int i, j;
 
 			i = j = scandir(buf, &de2, 0, alphasort);
+			if (i < 0) {
+				free(de[n]);
+				continue;
+			}
 			while (i--)
 				free(de2[i]);
 			free(de2);
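Review bot: the `if (i < 0)` branch fails silently, and a scandir() error at this point is exactly the "half-broken" NFS condition the report describes, so the next occurrence will be just as hard to diagnose; logging buf and strerror(errno) before the `continue` would cost one line. The early exit itself is right: scandir() allocates nothing on failure, so skipping both the `while (i--)` loop and `free(de2)` is the correct cleanup. Two smaller points: `free(de[n]); continue;` repeats the per-entry release that the normal path reaches at the end of the loop, so a shared cleanup label would be less fragile if more early exits are added later; and `j` still receives the -1 from `i = j = scandir(...)` without being checked, so any later use of `j` in this function, and any other scandir() caller in mounts.c, should be audited for the same unchecked return.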