1175671 – automount segment fault in parse_sun.so for negative parser tests

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1175671 - automount segment fault in parse_sun.so for negative parser tests

Summary: automount segment fault in parse_sun.so for negative parser tests

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	autofs
Sub Component:
Version:	6.6
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Ian Kent
QA Contact:	XuWang
Docs Contact:
URL:
Whiteboard:
Depends On:	1161474
Blocks:
TreeView+	depends on / blocked

Reported:	2014-12-18 10:30 UTC by XuWang
Modified:	2015-07-22 06:51 UTC (History)
CC List:	3 users (show)
Fixed In Version:	autofs-5.0.5-111.el6
Doc Type:	Bug Fix
Doc Text:	Cause: A change made for the addition of amd-format maps added a check that causes a segmentation fault in the Sun-format map parser. Consequence: Under some circumstances a segmentation fault occurs when parsing a Sun-format map entry. Fix: Analysing the intention of the incorrect check changes have been made to properly identify the condition. Result: Segmentation fault no longer occurs due to this check in the Sun-format map parser.
Clone Of:	1161474
Environment:
Last Closed:	2015-07-22 06:51:25 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1344	0	normal	SHIPPED_LIVE	Moderate: autofs security and bug fix update	2015-07-20 17:59:56 UTC

Comment 1 XuWang 2014-12-18 10:34:00 UTC

Reproduced RHEL-6.6-20140926.0, with autofs-5.0.5-109.el6. Also be reproduced on ppc64, not sure be able to reproduced on s390x.

The stack dump like below:

#0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.x86_64 libgcc-4.4.7-11.el6.x86_64 libgssglue-0.1-11.el6.x86_64 libtirpc-0.2.1-10.el6.x86_64 libxml2-2.7.6-14.el6_5.2.x86_64 zlib-1.2.3-29.el6.x86_64
(gdb) bt
#0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
#1  0x00007f304bad0d13 in parse_mount (ap=0x7f305056ecf0, name=0x7f304e30f950 "b1d", name_len=21, mapent=<value optimized out>, context=0x7f30040009b0) at parse_sun.c:1404
#2  0x00007f304aa68149 in lookup_mount (ap=0x7f305056ecf0, name=<value optimized out>, name_len=<value optimized out>, context=0x7f3004000930) at lookup_file.c:1241
#3  0x00007f304e36316d in lookup_name_file_source_instance (ap=0x7f305056ecf0, map=0x7f305056eeb0, name=0x7f304e30fe50 "b1d", name_len=3) at lookup.c:909
#4  0x00007f304e363456 in lookup_nss_mount (ap=0x7f305056ecf0, source=0x0, name=0x7f304e30fe50 "b1d", name_len=3) at lookup.c:1149
#5  0x00007f304e35b758 in do_mount_indirect (arg=<value optimized out>) at indirect.c:768
#6  0x00007f304df149d1 in start_thread () from /lib64/libpthread.so.0
#7  0x00007f304ce329dd in clone () from /lib64/libc.so.6

Comment 2 Ian Kent 2015-02-10 01:58:48 UTC

(In reply to XuWang from comment #1)
> Reproduced RHEL-6.6-20140926.0, with autofs-5.0.5-109.el6. Also be
> reproduced on ppc64, not sure be able to reproduced on s390x.
> 
> The stack dump like below:
> 
> #0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
> Missing separate debuginfos, use: debuginfo-install
> glibc-2.12-1.149.el6.x86_64 libgcc-4.4.7-11.el6.x86_64
> libgssglue-0.1-11.el6.x86_64 libtirpc-0.2.1-10.el6.x86_64
> libxml2-2.7.6-14.el6_5.2.x86_64 zlib-1.2.3-29.el6.x86_64
> (gdb) bt
> #0  0x00007f304ce74635 in __strstr_sse42 () from /lib64/libc.so.6
> #1  0x00007f304bad0d13 in parse_mount (ap=0x7f305056ecf0,
> name=0x7f304e30f950 "b1d", name_len=21, mapent=<value optimized out>,
> context=0x7f30040009b0) at parse_sun.c:1404
> #2  0x00007f304aa68149 in lookup_mount (ap=0x7f305056ecf0, name=<value
> optimized out>, name_len=<value optimized out>, context=0x7f3004000930) at
> lookup_file.c:1241
> #3  0x00007f304e36316d in lookup_name_file_source_instance
> (ap=0x7f305056ecf0, map=0x7f305056eeb0, name=0x7f304e30fe50 "b1d",
> name_len=3) at lookup.c:909
> #4  0x00007f304e363456 in lookup_nss_mount (ap=0x7f305056ecf0, source=0x0,
> name=0x7f304e30fe50 "b1d", name_len=3) at lookup.c:1149
> #5  0x00007f304e35b758 in do_mount_indirect (arg=<value optimized out>) at
> indirect.c:768
> #6  0x00007f304df149d1 in start_thread () from /lib64/libpthread.so.0
> #7  0x00007f304ce329dd in clone () from /lib64/libc.so.6

I guess you realized this is quite tricky since I haven't commented
on it yet.

Further to our discussion in bug 1161474.

The check here is meant to account for the case where the map
entry has options that make it an internal hosts map so it won't
have a mount location and parse_mapent will return 0. But that
also means myoptions will be undefined and the options we're
looking for won't be in options either since they are per map
entry options. They might be in the map entry being parsed
though. But we can't just check the map entry string either
because the options haven't been isolated so it may match
elsewhere in the string.

Mmmm .....

Ian

Comment 3 Ian Kent 2015-02-12 07:46:34 UTC

Can we run the QA test that exposed this bug again please.

Comment 4 XuWang 2015-02-12 10:27:58 UTC

(In reply to Ian Kent from comment #3)
> Can we run the QA test that exposed this bug again please.

Run connectathon with autofs-5.0.5-111.el6 on ppc64, the job link is "
https://beaker.engineering.redhat.com/jobs/880941"
seems good, no core dump for autofs.
I will try more times to issure it.

Comment 6 XuWang 2015-03-16 08:11:59 UTC

Run /CoreOS/autofs/connectathon on distro RHEL-6.7-20150304.0, with autofs-5.0.5-112, convers i386, x86_64, s390x, ppc64, no automount segmentfault.
The beaker job is 901698,　901699,　901703,　901711.

Also run regression/bugzillas/stress for on this distro, works fine.

So I change this bug status to be verified.

Comment 7 errata-xmlrpc 2015-07-22 06:51:25 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1344.html

Note You need to log in before you can comment on or make changes to this bug.