Bug 16599

Summary: Regression from MGA4: Autofs dumps core when /net is used
Product: Mageia
Reporter: Dag Nygren <dag>
Component: RPM Packages
Assignee: Shlomi Fish <shlomif>
Status: RESOLVED FIXED
QA Contact:
Severity: major
Priority: Normal
CC: dag, marja11
Version: 5
Keywords: PATCH
Target Milestone: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Source RPM: autofs-5.1.0-4.mga5
CVE:
Status comment:
Attachments: Patch to fix returning a reference to the Stack

Description Dag Nygren 2015-08-18 15:11:59 CEST
Description of problem:
automount of a NFS directory will dump core

Version-Release number of selected component (if applicable):
5.1.0-4

How reproducible:
Always

Steps to Reproduce:
1. Enable the /net entry in auto by removing the comment sign
2. Try to list a NFS directory from /net/host
3. It will hang and there is a message in dmesg:

automount[917]: segfault at 0 ip           (null) sp 00007fef3bb164f8 error 14

Running automount from the command line with "automount -d -f" produces:
% automount -d -f
Starting automounter version 5.1.0, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_read_master: lookup(file): read entry /net
lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
lookup_nss_read_master: reading master dir /etc/auto.master.d
lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 1, sasl_mech: (null)
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
do_bind: lookup(ldap): ldap simple bind returned 0
get_query_dn: lookup(ldap): query failed for (&(objectclass=nisMap)(nisMapName=auto.master)): No such object
get_query_dn: lookup(ldap): query failed for (&(objectclass=automountMap)(ou=auto.master)): No such object
get_query_dn: lookup(ldap): query failed for (&(objectclass=automountMap)(automountMapName=auto.master)): No such object
lookup(ldap): failed to find valid query dn
lookup(file): failed to read included master map auto.master
master_do_mount: mounting /net
automount_path_to_fifo: fifo name /run/autofs.fifo-net
lookup_nss_read_map: reading map hosts (null)
parse_init: parse(sun): init gathered global options: (null)
lookup_read_map: lookup(hosts): read hosts map
lookup_read_map: lookup(hosts): map not browsable, update existing host entries only
mounted indirect on /net with timeout 300, freq 75 seconds
st_ready: st_ready(): state = 0 path /net
handle_packet: type = 3
handle_packet_missing_indirect: token 9, name backup, request pid 916
attempting to mount entry /net/backup
lookup_mount: lookup(hosts): backup -> (null)
get_exports: lookup(hosts): fetchng export list for backup
Segmentation fault (core dumped)

Comment 1 Dag Nygren 2015-08-18 15:34:35 CEST
Ran this under gdb and got the following backtrace, hope it helps:

#0  0x0000000000000000 in ?? ()
#1  0x00007ffff69316b5 in clnt_dg_call () from /lib64/libtirpc.so
#2  0x00007ffff47612e4 in rpc_portmap_getport () from /usr/lib64/autofs/lookup_hosts.so
#3  0x00007ffff4761cf7 in rpc_get_exports () from /usr/lib64/autofs/lookup_hosts.so
#4  0x00007ffff475c9e5 in ?? () from /usr/lib64/autofs/lookup_hosts.so
#5  0x00007ffff475d43b in lookup_mount () from /usr/lib64/autofs/lookup_hosts.so
#6  0x000055555556e101 in do_name_lookup_mount (name_len=6, name=0x7ffff7fb9f10 "backup", map=0x5555557c8740, ap=0x5555557c8630) at lookup.c:979
#7  lookup_nss_mount (ap=ap@entry=0x5555557c8630, source=source@entry=0x0, name=name@entry=0x7ffff7fb9f10 "backup", name_len=6) at lookup.c:1132
#8  0x0000555555563dbb in do_mount_indirect (arg=<optimized out>) at indirect.c:772
#9  0x00007ffff7bc85bd in start_thread () from /lib64/libpthread.so.0
#10 0x00007ffff739b5cd in clone () from /lib64/libc.so.6
Comment 2 Dag Nygren 2015-08-18 16:55:17 CEST
Ok, debugged this and found that rpc_get_export() returns a pointer
to an exports structure that is on the stack !!!
Typical error of inexperience... and it might work with some compilers, sometimes....

Patching the function with an additional "static" in front of the variable makes things work. Patch enclosed to the case.
Comment 3 Dag Nygren 2015-08-18 16:56:36 CEST
Created attachment 6937 [details]
Patch to fix returning a reference to the Stack
Dag Nygren 2015-08-18 17:23:30 CEST

CC: (none) => dag

Comment 4 Dag Nygren 2015-08-18 18:13:05 CEST
Having a closer look at the (messy) code in rpc_get_exports() the reason I gave for the problem is wrong, so sorry for that. But the patch does work... I just don't know why.
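Comments 2 and 4 describe the suspected bug class as a function handing back a pointer to a structure in its own stack frame, with `static` as the workaround that happened to make the crash go away. The C below is an added illustration of that bug class and of two fixes that share no state; it is not autofs code, and Comment 4 makes clear the real cause in rpc_get_exports() was not established. The type `exportent`, the functions `parse_exports_into` and `parse_exports_alloc`, and the sample listing are all constructed for this example. The caveat on `static` comes from the backtrace in Comment 1: frames #8 and #9 show the lookup running inside a thread created by start_thread, so a single static buffer would be shared by every mount request in flight.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical export-list record. It stands in for whatever the export
 * lookup hands back and is not autofs's own type. */
struct exportent {
    char path[64];     /* exported directory */
    char clients[64];  /* hosts or netgroups allowed to mount it */
};

/* Constructed sample of a showmount-style listing, two entries. */
static const char SAMPLE_LISTING[] =
    "/srv/backup *\n"
    "/home 10.0.0.0/8\n";

/*
 * The bug class described in Comment 2 looks like this (not compiled here):
 *
 *     struct exportent *get_exports(const char *listing) {
 *         struct exportent ent;                 // lives in this frame only
 *         sscanf(listing, "%63s %63s", ent.path, ent.clients);
 *         return &ent;                          // dangles after return
 *     }
 *
 * The frame is released on return, so the caller reads whatever the next
 * call overwrote. GCC reports it with -Wreturn-local-addr. Adding `static`
 * gives `ent` program lifetime, which stops the dangling pointer, but the
 * backtrace in Comment 1 shows lookups running inside threads started by
 * start_thread, and one static buffer is then shared by every concurrent
 * request. The two functions below avoid both problems.
 */

/* Fix 1: the caller owns the storage. Returns the number of entries
 * written, or -1 if `out` cannot hold every entry or a line is malformed.
 * Nothing is shared, so it is safe to call from several threads at once. */
int parse_exports_into(const char *listing, struct exportent *out, size_t max)
{
    size_t n = 0;
    const char *p = listing;

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        if (len > 0) {
            char line[160];
            if (n == max || len >= sizeof line)
                return -1;
            memcpy(line, p, len);
            line[len] = '\0';
            if (sscanf(line, "%63s %63s", out[n].path, out[n].clients) != 2)
                return -1;
            n++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return (int)n;
}

/* Fix 2: heap storage sized for the input; the caller must free() it.
 * Sets *count to the entry count, or to -1 and returns NULL on failure. */
struct exportent *parse_exports_alloc(const char *listing, int *count)
{
    size_t lines = 0, len = strlen(listing);
    for (size_t i = 0; i < len; i++)
        if (listing[i] == '\n')
            lines++;
    if (len > 0 && listing[len - 1] != '\n')
        lines++;                      /* unterminated final line */

    struct exportent *arr = calloc(lines ? lines : 1, sizeof *arr);
    if (!arr) {
        *count = -1;
        return NULL;
    }
    *count = parse_exports_into(listing, arr, lines);
    if (*count < 0) {
        free(arr);
        return NULL;
    }
    return arr;
}

int main(void)
{
    struct exportent buf[8];
    int n = parse_exports_into(SAMPLE_LISTING, buf, 8);
    for (int i = 0; i < n; i++)
        printf("caller buffer: %s -> %s\n", buf[i].path, buf[i].clients);

    int m;
    struct exportent *heap = parse_exports_alloc(SAMPLE_LISTING, &m);
    for (int i = 0; i < m; i++)
        printf("heap buffer:   %s -> %s\n", heap[i].path, heap[i].clients);
    free(heap);
    return 0;
}
```

Either fix keeps the returned data alive for as long as the caller needs it without introducing a buffer shared across threads; the caller-provided form is the usual choice in a long-running daemon because it also avoids a malloc/free pair per request.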
David Walser 2015-08-25 23:28:46 CEST

Assignee: bugsquad => shlomif

Comment 5 Marja Van Waes 2018-04-14 12:21:09 CEST

@ Dag,

Thank you for having taken the needed time to report this issue!

Did this bug get fixed? If so, please change its status to RESOLVED - FIXED

If it didn't, then we regret that we weren't able to fix it in Mageia 5. Mageia 5 has officially reached its End of Life on December 31st, 2017 https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/
It only continued to get important security updates since then, because we are waiting for a big Plasma5 update in Mageia 6, that'll fix many of the Mageia 5 => 6 upgrade issues.

If you haven't seen that this bug got fixed, then please check whether this bug still exists in Mageia 6. If it does, then please change the Version (near the top, at the left) to "6". If you know it exists in Cauldron, then change Version to Cauldron. If you see it in both Cauldron and Mageia 6, then please set version to Cauldron and add MGA6TOO on the Whiteboard.

Thanks,
Marja

CC: (none) => marja11
Keywords: (none) => PATCH

Comment 6 Dag Nygren 2018-04-14 13:16:35 CEST
Haven't seen the problem for quite a while now so I believe that it is fixed since my report.

Resolution: (none) => FIXED
Status: NEW => RESOLVED