Bug 485448

Summary: Cannot mount NFS share (buffer overflow)
Product: [Fedora] Fedora
Component: nfs-utils
Version: 11
Hardware: i686
OS: Linux
Status: CLOSED NEXTRELEASE
Severity: high
Priority: low
Reporter: Lukáš Petrovický <lpetrovi>
Assignee: Steve Dickson <steved>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: john, kvolny, lpetrovi, steved
Doc Type: Bug Fix
Last Closed: 2010-01-08 15:41:53 UTC

Attachments:
- tshark output (flags: none)
- tshark output, bzip2 compressed (flags: none)

Description Lukáš Petrovický 2009-02-13 16:19:08 UTC
-- Description of problem:

After updating to Rawhide from FC10, I started getting the following when mounting my NFS file storage:

mount.nfs: timeout set for Fri Feb 13 17:14:46 2009
mount.nfs: text-based options: 'addr=192.168.2.127'
mount.nfs: mount(2): Operation not supported
mount.nfs: trying 192.168.2.127 prog 100003 vers 3 prot UDP port 2049
*** buffer overflow detected ***: /sbin/mount.nfs terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x48)[0x20dc78]
/lib/libc.so.6[0x20bd70]
/sbin/mount.nfs[0xb5240f]
/sbin/mount.nfs[0xb5280e]
/sbin/mount.nfs[0xb52ca6]
/sbin/mount.nfs[0xb58260]
/sbin/mount.nfs[0xb586e3]
/sbin/mount.nfs[0xb588f0]
/sbin/mount.nfs[0xb4fb5f]
/sbin/mount.nfs(main+0x5d7)[0xb50667]
/lib/libc.so.6(__libc_start_main+0xe5)[0x126735]
/sbin/mount.nfs[0xb4f611]

When I don't use the verbose mode, I get:
mount.nfs: an incorrect mount option was specified

I specify no mount options, use only the default ones. 192.168.2.127 is the address of the NFS server.

-- Version-Release number of selected component (if applicable):

Name       : nfs-utils
Arch       : i386
Epoch      : 1
Version    : 1.1.4
Release    : 16.fc11

-- How reproducible:

Always. Cannot mount the NFS share.

-- Steps to Reproduce:
1. Try to mount NFS share in a verbose mode.
2. See above buffer overflow.
  
-- Expected results:

I should be able to mount my NFS share as I was on FC10.

Comment 1 Steve Dickson 2009-02-13 18:22:48 UTC
Can you install the nfs-utils-debuginfo package so I can
get a better idea of what is happening...

Comment 2 Lukáš Petrovický 2009-02-13 19:52:32 UTC
Got the following out of gdb after installing nfs-utils-debuginfo. If it is not what you're looking for, please provide more instructions on how to get it.

#0  0x008cf424 in __kernel_vsyscall ()
#1  0x00b5d4b0 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0x00b5ee78 in abort () at abort.c:88
#3  0x00b9b14d in __libc_message (do_abort=2, 
    fmt=0xc74647 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#4  0x00c2fc78 in __fortify_fail (msg=0xc745f1 "buffer overflow detected")
    at fortify_fail.c:32
#5  0x00c2dd70 in __chk_fail () at chk_fail.c:29
#6  0x0017140f in memcpy (__len=<value optimized out>, 
    __src=<value optimized out>, __dest=<value optimized out>)
    at /usr/include/bits/string3.h:52
#7  nfs_probe_port (sap=<value optimized out>, salen=7302446, 
    pmap=0xbfc23500, versions=0x17eb58, protos=0x17eb68) at network.c:581
#8  0x0017180e in nfs_probe_mntport (sap=0xbfc23528, salen=6, pmap=0x3447)
    at network.c:678
#9  0x00171ca6 in nfs_probe_bothports (mnt_saddr=0xbfc23528, 
    mnt_salen=7302446, mnt_pmap=0xbfc23500, nfs_saddr=0xbfc235a8, 
    nfs_salen=16, nfs_pmap=0xbfc23510) at network.c:749
#10 0x00177260 in nfs_rewrite_mount_options (str=<value optimized out>)
    at stropts.c:463
#11 0x001776e3 in nfs_retry_nfs23mount (mi=<value optimized out>)
    at stropts.c:520
#12 nfs_try_nfs23mount (mi=<value optimized out>) at stropts.c:585
#13 nfs_try_mount (mi=0xbfc236e0) at stropts.c:624
#14 0x001778f0 in nfsmount_fg (mi=<value optimized out>) at stropts.c:646
#15 nfsmount_start (mi=<value optimized out>) at stropts.c:762
#16 nfsmount_string (spec=0xbfc25689 "192.168.2.127:/mnt/IDE2/public", 
    node=0x183c008 "/mnt/icybox", type=0x17e06e "nfs", flags=0, 
    extra_opts=0xbfc23870, fake=0, child=0) at stropts.c:797
#17 0x0016eb5f in try_mount (
    spec=0xbfc25689 "192.168.2.127:/mnt/IDE2/public", 
    mount_point=0x183c008 "/mnt/icybox", flags=0, fs_type=0x17e06e "nfs", 
    extra_opts=0xbfc23870, mount_opts=0x0, fake=0, nomtab=0, bg=0)
    at mount.c:425
#18 0x0016f667 in main (argc=4, argv=0xbfc23924) at mount.c:584
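
The backtrace in comment 2 shows glibc's fortified memcpy (frame #6) aborting inside nfs_probe_port, where gdb reports salen=7302446, far larger than any socket address. The following is an added illustration of a length check that turns such a value into an error return; it is not nfs-utils code and not the fix referenced later in this report, and `copy_sockaddr_checked` and `demo_copy` are hypothetical names.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical helper (not nfs-utils code): copy a socket address only when
 * the claimed length fits the destination and matches the address family.
 * Returns 0 on success, -1 with errno set on rejection. */
static int copy_sockaddr_checked(struct sockaddr_storage *dst,
                                 const struct sockaddr *src, socklen_t salen)
{
    size_t min_len = offsetof(struct sockaddr, sa_family) + sizeof(sa_family_t);
    size_t want;

    /* Reject lengths that cannot hold sa_family or exceed the buffer. */
    if (!dst || !src || salen < min_len || salen > sizeof(*dst)) {
        errno = EINVAL;
        return -1;
    }
    switch (src->sa_family) {
    case AF_INET:  want = sizeof(struct sockaddr_in);  break;
    case AF_INET6: want = sizeof(struct sockaddr_in6); break;
    default:       errno = EAFNOSUPPORT; return -1;
    }
    if (salen != want) {          /* length must match the family */
        errno = EINVAL;
        return -1;
    }
    memset(dst, 0, sizeof(*dst));
    memcpy(dst, src, salen);      /* bounded: salen <= sizeof(*dst) */
    return 0;
}

/* Constructed sample: server address and NFS port seen in the report. */
static int demo_copy(socklen_t claimed_len)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(2049) };
    struct sockaddr_storage out;
    sin.sin_addr.s_addr = htonl(0xC0A8027Fu);    /* 192.168.2.127 */
    return copy_sockaddr_checked(&out, (const struct sockaddr *)&sin,
                                 claimed_len);
}

int main(void)
{
    /* The real length is accepted; the salen from the backtrace is not. */
    return !(demo_copy(sizeof(struct sockaddr_in)) == 0 &&
             demo_copy(7302446) == -1);
}
```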

Comment 3 Steve Dickson 2009-02-13 21:33:22 UTC
No this is fine... so what exactly is the mount command?
It appears you're doing a UDP only mount? Is that the case?

Comment 4 Lukáš Petrovický 2009-02-14 07:56:30 UTC
(In reply to comment #3)
> No this is fine... so what exactly is the mount command?

The mount command is:
[root@satch triceo]# mount.nfs 192.168.2.127:/mnt/IDE2/public /mnt/icybox/ -v

(Using mount instead of mount.nfs changes nothing.)

> It appears you're doing a UDP only mount? Is that the case?

Not sure, how do I know? I use no mount options, and thus (according to "man nfs") "the mount(8) command discovers which protocols the server supports and chooses an appropriate transport for each service."

But when I explicitly specified proto=udp, the problem went away and I was able to mount the share!

Comment 5 Steve Dickson 2009-02-16 10:13:40 UTC
> Not sure, how do I know?
'mount -v' will show which protocol is being tried... but
it appears you are doing TCP mounts since you are not
specifying any mount options....

> But when I explicitly specified proto=udp, the problem went away and I was able
> to mount the share!
How bizarre... Let's see what the server is advertising.... Please post the
output of a 'rpcinfo -p <server>'

Comment 6 Lukáš Petrovický 2009-02-16 16:44:12 UTC
[root@satch triceo]# mount.nfs 192.168.2.127:/mnt/IDE2/public /mnt/icybox/ -v
mount.nfs: timeout set for Mon Feb 16 17:44:51 2009
mount.nfs: text-based options: 'addr=192.168.2.127'
mount.nfs: mount(2): Operation not supported
mount.nfs: trying 192.168.2.127 prog 100003 vers 3 prot UDP port 2049
*** buffer overflow detected ***: mount.nfs terminated

(The rest you already know.)

[root@satch triceo]# rpcinfo -p 192.168.2.127
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   1024  nlockmgr
    100021    3   udp   1024  nlockmgr
    100021    4   udp   1024  nlockmgr
    100005    1   udp    992  mountd
    100005    1   tcp    995  mountd
    100005    2   udp    992  mountd
    100005    2   tcp    995  mountd
    100005    3   udp    992  mountd
    100005    3   tcp    995  mountd

Comment 7 Steve Dickson 2009-02-16 19:28:45 UTC
Interesting... the server only has UDP nfs services
while having both UDP and TCP mountd services... let
me see if I can duplicate what you're seeing...

Not that it matters... What server are you using?

Comment 8 Lukáš Petrovický 2009-02-16 19:44:44 UTC
Never been able to find out... it's the one inside this:
http://www.raidsonic.de/en/pages/products/external_cases.php?we_objectID=4530

Comment 9 Steve Dickson 2009-02-16 21:57:09 UTC
Just to get the complete picture... would you mind posting a 
bzip2 binary network trace of the failure... something similar to:

    tshark -w /tmp/mount.pcap host <server> 

(note if tshark is not found you can either 'yum install wireshark'
 or use 'tcpdump -s0 -w /tmp/mountd.pcap host <server>' )
Then:
   bzip2 /tmp/mount.pcap 

I'm just curious as to what the server is sending back when the
TCP mount is turned down...

Comment 10 Lukáš Petrovický 2009-02-17 17:05:18 UTC
Created attachment 332252
tshark output

Here you are. 

It seems some UPnP got mixed into it, didn't even know I was running a UPnP client. :-)

Comment 11 Steve Dickson 2009-02-17 21:11:59 UTC
fixed in nfs-utils-1.1.4-17.fc11

Comment 12 Bug Zapper 2009-06-09 11:21:22 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 13 John Beranek 2009-09-04 09:47:07 UTC
Hmm, seeing a similar problem (but without the buffer overflow) trying to mount a Red Hat 7.3 NFS share on Fedora 11.

Linux mymachine.example.com 2.6.29.6-217.2.8.fc11.i586 #1 SMP Sat Aug 15 00:44:39 EDT 2009 i686 i686 i386 GNU/Linux

# rpm -q nfs-utils
nfs-utils-1.2.0-4.fc11.i586

# mount.nfs X.X.X.X:/export/home /mnt/tmp -v
mount.nfs: timeout set for Fri Sep  4 05:41:40 2009
mount.nfs: text-based options: 'addr=X.X.X.X'
mount.nfs: mount(2): Operation not supported
mount.nfs: an incorrect mount option was specified

# rpcinfo -p X.X.X.X
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
    100004    2   udp    981  ypserv
    100004    1   udp    981  ypserv
    100004    2   tcp    984  ypserv
    100004    1   tcp    984  ypserv
    100007    2   udp   1003  ypbind
    100007    1   udp   1003  ypbind
    100007    2   tcp   1006  ypbind
    100007    1   tcp   1006  ypbind
    391002    2   tcp  32769  sgi_fam
    100011    1   udp    751  rquotad
    100011    2   udp    751  rquotad
    100011    1   tcp    754  rquotad
    100011    2   tcp    754  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  32771  nlockmgr
    100021    3   udp  32771  nlockmgr
    100021    4   udp  32771  nlockmgr
    100005    1   udp  32772  mountd
    100005    1   tcp  32770  mountd
    100005    2   udp  32772  mountd
    100005    2   tcp  32770  mountd
    100005    3   udp  32772  mountd
    100005    3   tcp  32770  mountd
    300019    1   tcp    790  amd
    300019    1   udp    791  amd

# mount.nfs X.X.X.X:/export/home /mnt/tmp -v -o proto=udp
mount.nfs: timeout set for Fri Sep  4 05:46:29 2009
mount.nfs: text-based options: 'proto=udp,addr=X.X.X.X'
X.X.X.X:/export/home on /mnt/tmp type nfs (proto=udp)

Comment 14 John Beranek 2009-09-04 09:48:58 UTC
Created attachment 359780
tshark output, bzip2 compressed

tshark output - so much for my IP address obfuscation in previous comment...

Comment 15 Karel Volný 2010-01-08 14:59:19 UTC
(In reply to comment #13)
> Hmm, seeing a similar problem (but without the buffer overflow) trying to mount
> a Red Hat 7.3 NFS share on Fedora 11.

John, please, could you test if the problem is still present using fully updated Fedora 12, and if it is, try to describe a full setup how to reproduce the error?

Comment 16 John Beranek 2010-01-08 15:14:25 UTC
(In reply to comment #15)
> (In reply to comment #13)
> > Hmm, seeing a similar problem (but without the buffer overflow) trying to mount
> > a Red Hat 7.3 NFS share on Fedora 11.
> 
> John, please, could you test if the problem is still present using fully
> updated Fedora 12, and if it is, try to describe a full setup how to reproduce
> the error?  

Works on an up-to-date Fedora 12 box of mine, indeed - excellent.

Comment 17 Karel Volný 2010-01-08 15:41:53 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > (In reply to comment #13)
> > > Hmm, seeing a similar problem (but without the buffer overflow) trying to mount
> > > a Red Hat 7.3 NFS share on Fedora 11.
> > 
> > John, please, could you test if the problem is still present using fully
> > updated Fedora 12, and if it is, try to describe a full setup how to reproduce
> > the error?  
> 
> Works on an up-to-date Fedora 12 box of mine, indeed - excellent.  

great thanks!

so I'm closing this based on inclusion of the fix mentioned in comment #11 and the user testing feedback