Bug 1175671 - automount segment fault in parse_sun.so for negative parser tests
Summary: automount segment fault in parse_sun.so for negative parser tests
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: autofs
Version: 6.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Ian Kent
QA Contact: XuWang
URL:
Whiteboard:
Depends On: 1161474
Blocks:
Reported: 2014-12-18 10:30 UTC by XuWang
Modified: 2015-07-22 06:51 UTC (History)

Fixed In Version: autofs-5.0.5-111.el6
Doc Type: Bug Fix
Doc Text:
Cause: A change made for the addition of amd-format maps added a check that causes a segmentation fault in the Sun-format map parser.
Consequence: Under some circumstances a segmentation fault occurs when parsing a Sun-format map entry.
Fix: After analysing the intention of the incorrect check, changes have been made to properly identify the condition.
Result: The segmentation fault no longer occurs due to this check in the Sun-format map parser.
Clone Of: 1161474
Environment:
Last Closed: 2015-07-22 06:51:25 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1344 normal SHIPPED_LIVE Moderate: autofs security and bug fix update 2015-07-20 17:59:56 UTC

Comment 1 XuWang 2014-12-18 10:34:00 UTC
Reproduced on RHEL-6.6-20140926.0 with autofs-5.0.5-109.el6. Also reproduced on ppc64; not sure whether it can be reproduced on s390x.

The stack dump is as below:

#0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.x86_64 libgcc-4.4.7-11.el6.x86_64 libgssglue-0.1-11.el6.x86_64 libtirpc-0.2.1-10.el6.x86_64 libxml2-2.7.6-14.el6_5.2.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
#1  0x00007f304bad0d13 in parse_mount (ap=0x7f305056ecf0, name=0x7f304e30f950 "b1d", name_len=21, mapent=<value optimized out>, context=0x7f30040009b0) at parse_sun.c:1404
#2  0x00007f304aa68149 in lookup_mount (ap=0x7f305056ecf0, name=<value optimized out>, name_len=<value optimized out>, context=0x7f3004000930) at lookup_file.c:1241
#3  0x00007f304e36316d in lookup_name_file_source_instance (ap=0x7f305056ecf0, map=0x7f305056eeb0, name=0x7f304e30fe50 "b1d", name_len=3) at lookup.c:909
#4  0x00007f304e363456 in lookup_nss_mount (ap=0x7f305056ecf0, source=0x0, name=0x7f304e30fe50 "b1d", name_len=3) at lookup.c:1149
#5  0x00007f304e35b758 in do_mount_indirect (arg=<value optimized out>) at indirect.c:768
#6  0x00007f304df149d1 in start_thread () from /lib64/libpthread.so.0
#7  0x00007f304ce329dd in clone () from /lib64/libc.so.6

Comment 2 Ian Kent 2015-02-10 01:58:48 UTC
(In reply to XuWang from comment #1)
> Reproduced RHEL-6.6-20140926.0, with autofs-5.0.5-109.el6. Also be
> reproduced on ppc64, not sure be able to reproduced on s390x.
> 
> The stack dump like below:
> 
> #0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
> Missing separate debuginfos, use: debuginfo-install
> glibc-2.12-1.149.el6.x86_64 libgcc-4.4.7-11.el6.x86_64
> libgssglue-0.1-11.el6.x86_64 libtirpc-0.2.1-10.el6.x86_64
> libxml2-2.7.6-14.el6_5.2.x86_64 zlib-1.2.3-29.el6.x86_64
> (gdb) bt
> #0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
> #1  0x00007f304bad0d13 in parse_mount (ap=0x7f305056ecf0,
> name=0x7f304e30f950 "b1d", name_len=21, mapent=<value optimized out>,
> context=0x7f30040009b0) at parse_sun.c:1404
> #2  0x00007f304aa68149 in lookup_mount (ap=0x7f305056ecf0, name=<value
> optimized out>, name_len=<value optimized out>, context=0x7f3004000930) at
> lookup_file.c:1241
> #3  0x00007f304e36316d in lookup_name_file_source_instance
> (ap=0x7f305056ecf0, map=0x7f305056eeb0, name=0x7f304e30fe50 "b1d",
> name_len=3) at lookup.c:909
> #4  0x00007f304e363456 in lookup_nss_mount (ap=0x7f305056ecf0, source=0x0,
> name=0x7f304e30fe50 "b1d", name_len=3) at lookup.c:1149
> #5  0x00007f304e35b758 in do_mount_indirect (arg=<value optimized out>) at
> indirect.c:768
> #6  0x00007f304df149d1 in start_thread () from /lib64/libpthread.so.0
> #7  0x00007f304ce329dd in clone () from /lib64/libc.so.6

I guess you realized this is quite tricky since I haven't commented
on it yet.

Further to our discussion in bug 1161474.

The check here is meant to account for the case where the map
entry has options that make it an internal hosts map so it won't
have a mount location and parse_mapent will return 0. But that
also means myoptions will be undefined and the options we're
looking for won't be in options either since they are per map
entry options. They might be in the map entry being parsed
though. But we can't just check the map entry string either
because the options haven't been isolated so it may match
elsewhere in the string.

Mmmm .....

Ian

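The failure mode described in comment 2, modelled as an added example (not autofs source, and all names in it are assumptions): the parser can legitimately leave the per-entry options unset for an internal hosts map entry that has no mount location, so an option test that hands that string to strstr() without checking it dereferences a NULL pointer, and a substring search over the whole, un-isolated map entry is no substitute because the option name can match inside the location. The safe variant below accepts a NULL options string and matches whole comma-separated tokens only.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative only: not autofs code. has_mount_option() examines an
 * isolated, comma-separated Sun-format option list and matches whole
 * tokens ("opt" or "opt=value"). A NULL options pointer, which is what is
 * left when an internal hosts map entry has no mount location and the
 * per-entry options were never set, yields 0 instead of reaching strstr().
 */
int has_mount_option(const char *options, const char *opt)
{
    const char *p;
    size_t olen;

    if (options == NULL || opt == NULL || *opt == '\0')
        return 0;

    olen = strlen(opt);
    p = options;
    if (*p == '-')              /* Sun-format option lists begin with '-' */
        p++;

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t tlen = end ? (size_t)(end - p) : strlen(p);

        /* whole-token match: exactly "opt", or "opt=" followed by a value */
        if (tlen >= olen && strncmp(p, opt, olen) == 0 &&
            (tlen == olen || p[olen] == '='))
            return 1;

        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/*
 * The approach comment 2 rejects: a substring search over the raw map
 * entry. It cannot crash on NULL here only because it checks first, but it
 * also matches the option name inside the mount location or inside another
 * option, so it cannot identify the condition reliably.
 */
int option_in_raw_entry(const char *entry, const char *opt)
{
    if (entry == NULL || opt == NULL)
        return 0;
    return strstr(entry, opt) != NULL;
}

int main(void)
{
    /* constructed sample data for illustration */
    const char *hosts_opts = "-fstype=autofs,hosts";          /* internal hosts map */
    const char *nfs_entry  = "-rw,nosuid server:/export/ghosts";

    printf("%d\n", has_mount_option(hosts_opts, "hosts"));   /* 1 */
    printf("%d\n", has_mount_option(NULL, "hosts"));         /* 0, no crash */
    printf("%d\n", has_mount_option("-rw,nosuid", "suid"));  /* 0 */
    printf("%d\n", option_in_raw_entry(nfs_entry, "hosts")); /* 1: false match */
    return 0;
}
```

The whole-token match is what makes the check usable on an isolated option string; applied to the raw entry it would still be fooled by "ghosts" in the location, which is the point the comment makes about options not yet being isolated.
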
Comment 3 Ian Kent 2015-02-12 07:46:34 UTC
Can we run the QA test that exposed this bug again please.

Comment 4 XuWang 2015-02-12 10:27:58 UTC
(In reply to Ian Kent from comment #3)
> Can we run the QA test that exposed this bug again please.

Ran connectathon with autofs-5.0.5-111.el6 on ppc64; the job link is
https://beaker.engineering.redhat.com/jobs/880941
It seems good, no core dump for autofs.
I will try more times to ensure it.

Comment 6 XuWang 2015-03-16 08:11:59 UTC
Ran /CoreOS/autofs/connectathon on distro RHEL-6.7-20150304.0 with autofs-5.0.5-112, covering i386, x86_64, s390x and ppc64; no automount segmentation fault.
The beaker jobs are 901698, 901699, 901703, 901711.

Also ran regression/bugzillas/stress on this distro; works fine.

So I change this bug status to verified.

Comment 7 errata-xmlrpc 2015-07-22 06:51:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1344.html

