Bug 1161474 - automount segment fault in parse_sun.so for negative parser tests
Summary: automount segment fault in parse_sun.so for negative parser tests
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: autofs
Version: 7.1
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Ian Kent
QA Contact: Yongcheng Yang
URL:
Whiteboard:
Depends On:
Blocks: 1175671
Reported: 2014-11-07 08:23 UTC by XuWang
Modified: 2015-11-19 13:00 UTC (History)

Fixed In Version: autofs-5.0.7-49
Doc Type: Bug Fix
Doc Text:
Cause: A change made for the addition of amd-format maps added a check that causes a segmentation fault in the Sun-format map parser. Consequence: Under some circumstances a segmentation fault occurs when parsing a Sun-format map entry. Fix: After analysing the intention of the incorrect check, changes have been made to properly identify the condition. Result: The segmentation fault no longer occurs due to this check in the Sun-format map parser.
Clone Of:
Clones: 1175671
Environment:
Last Closed: 2015-11-19 13:00:40 UTC
Target Upstream Version:
Embargoed:


Attachments
bug environment for autofs (142.16 KB, application/x-gzip) - 2014-11-07 08:23 UTC, XuWang
automount core file and binary files (2.07 MB, application/x-gzip) - 2014-11-07 14:58 UTC, XuWang
Patch - fix incorrect check in parse_mount() (1.61 KB, patch) - 2014-11-10 05:41 UTC, Ian Kent
Patch - fix incorrect check in parse_mount() (4.55 KB, patch) - 2015-05-25 02:01 UTC, Ian Kent


Links
Red Hat Product Errata RHSA-2015:2417 (priority normal, status SHIPPED_LIVE): Moderate: autofs security, bug fix and enhancement update; last updated 2015-11-19 11:23:21 UTC

Description XuWang 2014-11-07 08:23:07 UTC
Created attachment 954819
bug environment for autofs

Description of problem:

Testing autofs for RHEL 7.1 on distros RHEL-7.1-20141105.n.0 and RHEL-7.1-20141028.n.0; the autofs version is autofs-5.0.7-47.el7.x86_64.

Running the autofs-CoreOs-autofs-contentathon test case on both distros above, I found an automount segmentation fault in the test.parser case on the x86_64 and s390 platforms, but it is OK on ppc64. The test.parser case includes many maps: direct, indirect, replicated, sub maps, some stale maps with syntax errors, and some maps for NFS version 2, which is not supported in RHEL 7. When doing ls (opendir) on a map with a syntax error, automount gets a segmentation fault. To verify this, I also built automount from the srpm of autofs-5.0.7-47.el7 on the x86_64 platform with RHEL-7.1-20141105.n.0, and the newly built automount (with new modules) works fine.

On further analysis, the stack dump is as below:
Reading symbols from /usr/sbin/automount...(no debugging symbols found)...done.
[New LWP 29758]
[New LWP 29729]
[New LWP 29727]
[New LWP 29732]
[New LWP 29736]
[New LWP 29735]
[New LWP 29728]
[New LWP 29740]
[New LWP 29744]
[New LWP 29738]
[New LWP 29737]
[New LWP 29741]
[New LWP 29745]
[New LWP 29739]
[New LWP 29743]
[New LWP 29742]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/automount'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f6b0d83bd9b in __strstr_sse42 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install autofs-5.0.7-47.el7.x86_64
(gdb) info thread
  Id   Target Id         Frame
  16   Thread 0x7f6af27fc700 (LWP 29742) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  15   Thread 0x7f6af1ffb700 (LWP 29743) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  14   Thread 0x7f6af3fff700 (LWP 29739) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  13   Thread 0x7f6af0ff9700 (LWP 29745) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  12   Thread 0x7f6af2ffd700 (LWP 29741) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  11   Thread 0x7f6b0953f700 (LWP 29737) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  10   Thread 0x7f6b08d3e700 (LWP 29738) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  9    Thread 0x7f6af17fa700 (LWP 29744) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  8    Thread 0x7f6af37fe700 (LWP 29740) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  7    Thread 0x7f6b0ebd1700 (LWP 29728) 0x00007f6b0e7a3ab2 in pthread_cond_timedwait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
  6    Thread 0x7f6b0abb7700 (LWP 29735) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  5    Thread 0x7f6b09f6f700 (LWP 29736) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  4    Thread 0x7f6b0be7f700 (LWP 29732) 0x00007f6b0d7f3a8d in poll () from /lib64/libc.so.6
  3    Thread 0x7f6b0ebd2840 (LWP 29727) 0x00007f6b0e7a6ed1 in sigwait () from /lib64/libpthread.so.0
  2    Thread 0x7f6b0ebc0700 (LWP 29729) 0x00007f6b0e7a3705 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib64/libpthread.so.0
* 1    Thread 0x7f6b0853d700 (LWP 29758) 0x00007f6b0d83bd9b in __strstr_sse42 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f6b0d83bd9b in __strstr_sse42 () from /lib64/libc.so.6
#1  0x00007f6b0b003fe2 in parse_mount () from /usr/lib/autofs/parse_sun.so
#2  0x00007f6b0a18b0a9 in lookup_mount () from /usr/lib/autofs/lookup_file.so
#3  0x00007f6b0ebf7523 in ?? ()
#4  0x00007f6b0ebf7f2e in lookup_nss_mount ()
#5  0x00007f6b0ebee802 in ?? ()
#6  0x00007f6b0e79fdf3 in start_thread () from /lib64/libpthread.so.0
#7  0x00007f6b0d7fe05d in clone () from /lib64/libc.so.6
(gdb)

So the segmentation fault is caused by parse_sun.so, and I also did the following tests;
let's say the original ELF files in the distro are "old" and the newly built autofs is "new":
automount(old) + parse_sun.so(new): works fine
automount(new) + parse_sun.so(new): works fine
automount(old) + parse_sun.so(old): segmentation fault
automount(new) + parse_sun.so(old): segmentation fault

So there may be something wrong with the parse_sun.so in the distros. I also did some analysis, but found nothing. To track it down, I am reporting this as a bug, hoping somebody can tell me why.

The attachment includes the maps for testing: the file autoparse is the sequence for opendir, the file result is the successfully opened dirs, bad.version and bad.version are the info I got by "readelf -a" from the old parse_sun.so and the new parse_sun.so, and the file parse_sun.so is the original (bad) one installed in the distro.

Version-Release number of selected component (if applicable):
distro RHEL-7.1-20141105.n.0
RHEL-7.1-20141028.n.0
autofs-5.0.7-47.el7.x86_64 in RHEL-7.1-20141105.n.0

How reproducible:

always on x86_64

Steps to Reproduce:
1.run qe test case "autofs-CoreOs-autofs-contentathon"
2.wait for timeout and see the system message
3.automount[36194]: segfault at 0 ip 00007fdd9ae53d9b sp 00007fdd9c1c73b8 error 4 in libc-2.17.so[7fdd9ad20000+1b6000]

Actual results:

automount segment fault

Expected results:

isolate the syntax errors and keep working

Additional info:

Comment 2 Ian Kent 2014-11-07 09:16:01 UTC
OK, haven't seen this my self, I'll try and reproduce it.

Comment 3 Ian Kent 2014-11-07 09:20:34 UTC
(In reply to XuWang from comment #0)
> (gdb) bt
> #0  0x00007f6b0d83bd9b in __strstr_sse42 () from /lib64/libc.so.6
> #1  0x00007f6b0b003fe2 in parse_mount () from /usr/lib/autofs/parse_sun.so
> #2  0x00007f6b0a18b0a9 in lookup_mount () from /usr/lib/autofs/lookup_file.so
> #3  0x00007f6b0ebf7523 in ?? ()
> #4  0x00007f6b0ebf7f2e in lookup_nss_mount ()
> #5  0x00007f6b0ebee802 in ?? ()
> #6  0x00007f6b0e79fdf3 in start_thread () from /lib64/libpthread.so.0
> #7  0x00007f6b0d7fe05d in clone () from /lib64/libc.so.6
> (gdb)

Not really useful with no line numbers in the backtrace.
The debuginfo package was probably not installed.

snip ...

> 
> Atachment including the maps for testing, the file autoparse is the sequence
> for opendir, the result is the succesfully opened dirs, the bad.version and
> the bad.version is the info I got by "readelf -a" from the old parse_sun.so
> and new parse_sun.so, the file parse_sun.so is the original(bad) installed
> in distro. 

I'll have a look.
Did you include the output from the connectathon run?
 
> 
> Version-Release number of selected component (if applicable):
> distro RHEL-7.1-20141105.n.0
> RHEL-7.1-20141028.n.0
> autofs-5.0.7-47.el7.x86_64 in RHEL-7.1-20141105.n.0

OK.

> 
> How reproducible:
> 
> always in x86_64
> 
> Steps to Reproduce:
> 1.run qe test case "autofs-CoreOs-autofs-contentathon"
> 2.wait for timeout and see the system message
> 3.automount[36194]: segfault at 0 ip 00007fdd9ae53d9b sp 00007fdd9c1c73b8
> error 4 in libc-2.17.so[7fdd9ad20000+1b6000]

Right.

Ian

Comment 4 Ian Kent 2014-11-07 09:34:07 UTC
(In reply to XuWang from comment #0)
> 
> So there maybe someing wrong with the parse_sun.so in distros, I also do
> some analysis, but found nothing. To strack it that, I report this as a bug
> with hoping somebody tell me why.

I wonder if there was something wrong with the build
environment. Due to sssd changes I had to build with
a couple of overrides but that shouldn't show up as a
problem like this .....

Ian

Comment 5 Ian Kent 2014-11-07 09:53:12 UTC
What's this:

for test in test.*; do
    rlPhaseStartTest ${TEST}-$role-Test-$test
        run "./$test"
    rlPhaseEnd
done

I've mentioned you can't do this before.
The setup for a couple of the tests isn't present in this
test.

This doesn't relate to the bug but I thought it worth mentioning.
Ian

Comment 6 XuWang 2014-11-07 14:58:11 UTC
Created attachment 954966
automount core file and binary files

Comment 7 XuWang 2014-11-07 15:05:48 UTC
I downloaded the autofs-debug package and reproduced it again; the stack dump is as below:
(gdb) up
#1  0x00007f97c7b9bfe2 in parse_mount (ap=0x7f97d0ace240, name=<optimized out>, name_len=<optimized out>, mapent=<optimized out>, context=<optimized out>) at parse_sun.c:1423
1423					if (!(strstr(myoptions, "fstype=autofs") &&
(gdb) l
1418				p += l;
1419				p = skipspace(p);
1420	
1421				l = parse_mapent(p, options, &myoptions, &loc, ap->logopt);
1422				if (!l) {
1423					if (!(strstr(myoptions, "fstype=autofs") &&
1424					      strstr(myoptions, "hosts"))) {
1425						cache_delete_offset_list(mc, name);
1426						cache_multi_unlock(me);
1427						cache_unlock(mc);
(gdb) ^Z

I also read the code of parse_sun.c. I think the function parse_mapent should initialize the options parameter first (such as *options = NULL), because if something goes wrong and parse_mapent returns 0, myoptions will have an uninitialized value.

I'll also upload the core file (attachment 954966) and automount from RHEL-7.1-20141105.n.0 for your further analysis.

And thanks for your suggestion; the connectathon test cases are not finished, I am still working on them. I will discuss your advice with the former autofs QE and make it more robust. Besides, the setup for all tests is done by runtest.sh in the case, and runtest.sh calls setup in cthon_automount/bin/setup to do some of the work.

Comment 8 Ian Kent 2014-11-08 00:48:33 UTC
(In reply to XuWang from comment #7)
> I download the autofs-debug package and reproduce it again, and the stack
> dumps as below:

OK, thanks for this information, I hope to get to this Monday.

snip ...

> 
> And thanks your sugesstion, the connectathon test cases is not finished, I
> am just working on it. I will discuss your advice with the former autofs qe
> and make it work more robust. Besides, the setup for all tests is finished
> by runtest.sh in the case, and the runtest.sh called setup in
> cthon_automount/bin/setup to finish some work.

The issue is that there are a couple of tests (the net tests) that
need a NIS server with maps set up for the test to work, but
the test doesn't set them up. There are examples of NIS server setup
in a number of tests in the bugzillas subdirectories if you're interested.

The tests that can be run with the existing setup are those that
correspond to "./runtests -b", the so called basic tests (which
aren't really basic at all).

Ian

Comment 9 Ian Kent 2014-11-10 05:39:30 UTC
(In reply to XuWang from comment #7)
> 
> I also read code of parse_sun.c, I think the function parse_mapent should
> initialize the param options firstly(such as *options = NULL), becuase if
> there something wrong and parse_mapend return 0 and myoptions will get
> uninitialized value.

Perhaps but this is a programming error.
Have a look at the attached upstream patch I made after looking
at the code.

Ian

Comment 10 Ian Kent 2014-11-10 05:41:44 UTC
Created attachment 955677
Patch - fix incorrect check in parse_mount()

Untested as yet.

Comment 11 Ian Kent 2014-11-10 05:44:49 UTC
I'm still thinking about this though, I probably made that change
for a reason so the resolution might not be as simple as the above
patch.

Comment 12 Ian Kent 2014-11-10 05:54:14 UTC
(In reply to Ian Kent from comment #9)
> (In reply to XuWang from comment #7)
> > 
> > I also read code of parse_sun.c, I think the function parse_mapent should
> > initialize the param options firstly(such as *options = NULL), becuase if
> > there something wrong and parse_mapend return 0 and myoptions will get
> > uninitialized value.
> 
> Perhaps but this is a programming error.
> Have a look at the attached upstream patch I made after looking
> at the code.

And options is initialized earlier:
options = strdup(ctxt->optstr ? ctxt->optstr : "");

Comment 13 XuWang 2014-11-11 02:19:37 UTC
(In reply to Ian Kent from comment #8)
> The issue is that there are a couple of tests (the net tests) that
> that need a nis server with ...
Yes, and that is the work I must do :)
My plan for next week is to modify the connectathon to add NIS support. And of course, I will learn the way from your test cases (bugzillas).

(In reply to Ian Kent from comment #12)
> And options is initialized earlier:
> options = strdup(ctxt->optstr ? ctxt->optstr : "");
Yes, options is initialized, but myoptions is not.

//here parse_mapent can return 0 with uninitialized myoptions 
1421                         l = parse_mapent(p, options, &myoptions, &loc, ap->logopt);

// here strstr uses myoptions as input; if myoptions is a random value pointing at an invalid address, a segmentation fault will happen
1423                                 if (!(strstr(myoptions, "fstype=autofs") &&
1424                                       strstr(myoptions, "hosts"))) {

And your patch removed the "if (!(strstr(myoptions, "fstype=autofs")..."; you must have had a reason to add the if statement enclosing the "
1425                                         cache_delete_offset_list(mc, name);
1426                                         cache_multi_unlock(me);
1427                                         cache_unlock(mc);
1428                                         free(path);
1429                                         free(options);
1430                                         pthread_setcancelstate(cur_state, NULL);
1431                                         return 1;".

So why don't you use options (which is already initialized) instead of myoptions to check for "fstype=autofs"?

Comment 14 Ian Kent 2014-11-12 00:45:03 UTC
(In reply to XuWang from comment #13)
> 
> (In reply to Ian Kent from comment #12)
> > And options is initialized earlier:
> > options = strdup(ctxt->optstr ? ctxt->optstr : "");
> yes, options is initialized , but myoptions is not.

Sure, but if parse_mapent() returns 0 the myoptions will be
invalid regardless of whether it was initialized.

> 
> //here parse_mapent can return 0 with uninitialized myoptions 
> 1421                         l = parse_mapent(p, options, &myoptions, &loc,
> ap->logopt);
> 
> //here the strstr use myoptions as input. if the myoptions is random value
> for an invalid address, segment fault will happen
> 1423                                 if (!(strstr(myoptions,
> "fstype=autofs") &&
> 1424                                       strstr(myoptions, "hosts"))) {
> 
> And your patch removed the "if (!(strstr(myoptions, "fstype=autofs")...",
> you must have reason to add the if setence embraced the "
> 1425                                         cache_delete_offset_list(mc,
> name);
> 1426                                         cache_multi_unlock(me);
> 1427                                         cache_unlock(mc);
> 1428                                         free(path);
> 1429                                         free(options);
> 1430                                        
> pthread_setcancelstate(cur_state, NULL);
> 1431                                         return 1;".
> 
> So why don't you use options(which is already initialized) instead of
> myoptions to judge the "fstype=autofs"?

Perhaps, I'll need to think about it a little more.

Ian

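The defect XuWang and Ian Kent circle in comments 7 to 14 is a general pattern: an out-parameter that the callee writes only on success, read by the caller on the failure path. The C program below is an added example, not autofs code and not Ian's patch; it models the quoted call site with a toy parser and shows a hardened caller next to a comment-only copy of the crashing shape. toy_parse_mapent(), its entry grammar, the ENTRY_* codes, and consulting the map-level options string on the failure path are assumptions made for this example.

```c
/*
 * Added example, not autofs code: a minimal model of the parse_mount() call
 * site quoted above (parse_sun.c:1421-1424) beside a hardened form of it.
 * The toy parser, entry grammar, ENTRY_* codes and the use of the map-level
 * "options" string on the failure path are assumptions; the shipped patch is
 * not reproduced on this page.
 */
#include <stdlib.h>
#include <string.h>

enum { ENTRY_OK = 0, ENTRY_REJECTED = 1, ENTRY_HOSTS_CONTINUE = 2 };

static char *dupn(const char *s, size_t n)   /* strndup() without feature macros */
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/*
 * Toy parse_mapent(): entry is "[-opt[,opt...]] location".  Success returns the
 * bytes consumed (> 0) and fills both out-parameters; a syntax error returns 0
 * and leaves *options and *location unwritten, the property the caller forgot.
 */
static int toy_parse_mapent(const char *p, char **options, char **location)
{
    const char *s = p, *optstart = "", *locstart;
    size_t optlen = 0;
    while (*s == ' ' || *s == '\t') s++;
    if (*s == '-') {
        optstart = ++s;
        while (*s && *s != ' ' && *s != '\t') s++;
        optlen = (size_t)(s - optstart);
        if (optlen == 0) return 0;            /* bare "-": syntax error */
        while (*s == ' ' || *s == '\t') s++;
    }
    if (*s == '\0') return 0;                 /* no location: syntax error */
    locstart = s;
    while (*s && *s != ' ' && *s != '\t') s++;
    *options = dupn(optstart, optlen);
    *location = dupn(locstart, (size_t)(s - locstart));
    if (!*options || !*location) {
        free(*options); free(*location);
        *options = *location = NULL;
        return 0;
    }
    return (int)(s - p);
}

/*
 * Shape of the crashing code, as a comment because executing it is undefined:
 *     char *myoptions;                          -- never assigned on failure
 *     if (!toy_parse_mapent(p, &myoptions, &loc)) {
 *         if (!(strstr(myoptions, "fstype=autofs") &&
 *               strstr(myoptions, "hosts")))   -- reads an indeterminate pointer
 *             return ENTRY_REJECTED;
 *     }
 * A stale stack slot holding 0 gives the "segfault at 0 ... in libc" from the
 * report; any other leftover value is a wild read.  Hardened form below: the
 * out-parameter is never read on the failure path, and the hosts/fstype=autofs
 * decision there uses the map-level option string the caller initialised (what
 * the discussion above suggests; an assumption, not the shipped fix).
 */
static int check_entry(const char *ctxt_optstr, const char *entry, char **out_loc)
{
    const char *src = ctxt_optstr ? ctxt_optstr : "";     /* as parse_mount() does */
    char *options = dupn(src, strlen(src));
    char *myoptions = NULL, *loc = NULL;
    int rc;

    if (!options) return ENTRY_REJECTED;
    if (!toy_parse_mapent(entry, &myoptions, &loc)) {
        rc = (strstr(options, "fstype=autofs") && strstr(options, "hosts"))
             ? ENTRY_HOSTS_CONTINUE : ENTRY_REJECTED;
        free(options);
        return rc;                            /* myoptions never dereferenced */
    }
    if (out_loc) *out_loc = loc; else free(loc);   /* out_loc may be NULL */
    free(myoptions);
    free(options);
    return ENTRY_OK;
}

static int entry_location_is(const char *entry, const char *want)
{   /* 1 if entry parses and its location equals want */
    char *loc = NULL;
    int ok = check_entry("", entry, &loc) == ENTRY_OK && loc && strcmp(loc, want) == 0;
    free(loc);
    return ok;
}

int main(void)
{   /* constructed sample entries: two negative parser cases and one good one */
    int bad = check_entry("", "-rw,soft", NULL);                 /* options, no location */
    int hosts = check_entry("fstype=autofs,hosts", "-", NULL);   /* tolerated for hosts maps */
    int good = entry_location_is("-ro server:/export", "server:/export");
    return (bad == ENTRY_REJECTED && hosts == ENTRY_HOSTS_CONTINUE && good) ? 0 : 1;
}
```

The check a practitioner would run before shipping negative parser tests against code of this shape: compiling the commented-out version with gcc -Wall -O2 produces a -Wmaybe-uninitialized warning for myoptions, and clang's MemorySanitizer (-fsanitize=memory) reports the read at run time; a plain SIGSEGV, as in this report, only shows up when the stale slot happens to hold zero.
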
Comment 16 Ian Kent 2015-05-25 02:01:23 UTC
Created attachment 1029324
Patch - fix incorrect check in parse_mount()

Comment 18 XuWang 2015-08-27 07:25:27 UTC
Ran /autofs/connectathon for autofs-5.0.7-53.el7, covering x86_64, ppc64, s390x; no automount core dump:
do-client-Test-test-badnames PASSED
do-client-Test-test-net      PASSED
do-client-Test-test-net1     PASSED
do-client-Test-test-parser   FAILED according to case problem
do-client-Test-test-parser-n PASSED
do-client-Test-test-proto-check PASSED
do-client-Test-test-test1    FAILED according to case problem
do-client-Test-test-test2    PASSED
do-client-Test-test-test3    FAILED according to case problem
do-client-Test-test-test4    PASSED
do-client-Test-test-test5    PASSED
do-client-Test-test-trailing-space  PASSED
do-client-Test-test-vers-check      PASSED

3 sub-tests failed due to the new feature that autofs allows duplicate entries.

Also ran regressions, bugzillas, and stress for autofs; seems good.

Now I will set the status of this bug to VERIFIED.

Comment 21 errata-xmlrpc 2015-11-19 13:00:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2417.html

