Bug 16599 - Regression from MGA4: Autofs dumps core when /net is used
Summary: Regression from MGA4: Autofs dumps core when /net is used
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 5
Hardware: x86_64 Linux
Priority: Normal major
Target Milestone: ---
Assignee: Shlomi Fish
QA Contact:
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2015-08-18 15:11 CEST by Dag Nygren
Modified: 2018-04-14 13:16 CEST

See Also:
Source RPM: autofs-5.1.0-4.mga5
CVE:
Status comment:


Attachments
Patch to fix returning a reference to the stack (546 bytes, patch)
2015-08-18 16:56 CEST, Dag Nygren

Description Dag Nygren 2015-08-18 15:11:59 CEST
Description of problem:
automount of a NFS directory will dump core

Version-Release number of selected component (if applicable):
5.1.0-4

How reproducible:
Always

Steps to Reproduce:
1. Enable the /net entry in auto by removing the comment sign
2. Try to list a NFS directory from /net/host
3. It will hang and there is a message in dmesg:

automount[917]: segfault at 0 ip           (null) sp 00007fef3bb164f8 error 14

Running automount from the command line with "automount -d -f" produces:
% automount -d -f
Starting automounter version 5.1.0, master map auto.master
using kernel protocol version 5.02
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_read_master: lookup(file): read entry /net
lookup_read_master: lookup(file): read entry +dir:/etc/auto.master.d
lookup_nss_read_master: reading master dir /etc/auto.master.d
lookup_read_master: lookup(dir): scandir: /etc/auto.master.d
lookup_read_master: lookup(file): read entry +auto.master
lookup_nss_read_master: reading master files auto.master
parse_init: parse(sun): init gathered global options: (null)
lookup_nss_read_master: reading master ldap auto.master
parse_server_string: lookup(ldap): Attempting to parse LDAP information from string "auto.master".
parse_server_string: lookup(ldap): mapname auto.master
parse_ldap_config: lookup(ldap): ldap authentication configured with the following options:
parse_ldap_config: lookup(ldap): use_tls: 0, tls_required: 0, auth_required: 1, sasl_mech: (null)
parse_ldap_config: lookup(ldap): user: (null), secret: unspecified, client principal: (null) credential cache: (null)
parse_init: parse(sun): init gathered global options: (null)
do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
do_bind: lookup(ldap): ldap simple bind returned 0
get_query_dn: lookup(ldap): query failed for (&(objectclass=nisMap)(nisMapName=auto.master)): No such object
get_query_dn: lookup(ldap): query failed for (&(objectclass=automountMap)(ou=auto.master)): No such object
get_query_dn: lookup(ldap): query failed for (&(objectclass=automountMap)(automountMapName=auto.master)): No such object
lookup(ldap): failed to find valid query dn
lookup(file): failed to read included master map auto.master
master_do_mount: mounting /net
automount_path_to_fifo: fifo name /run/autofs.fifo-net
lookup_nss_read_map: reading map hosts (null)
parse_init: parse(sun): init gathered global options: (null)
lookup_read_map: lookup(hosts): read hosts map
lookup_read_map: lookup(hosts): map not browsable, update existing host entries only
mounted indirect on /net with timeout 300, freq 75 seconds
st_ready: st_ready(): state = 0 path /net
handle_packet: type = 3
handle_packet_missing_indirect: token 9, name backup, request pid 916
attempting to mount entry /net/backup
lookup_mount: lookup(hosts): backup -> (null)
get_exports: lookup(hosts): fetchng export list for backup
Segmentation fault (core dumped)

Comment 1 Dag Nygren 2015-08-18 15:34:35 CEST
Ran this under gdb and got the following backtrace, hope it helps:

#0  0x0000000000000000 in ?? ()
#1  0x00007ffff69316b5 in clnt_dg_call () from /lib64/libtirpc.so
#2  0x00007ffff47612e4 in rpc_portmap_getport () from /usr/lib64/autofs/lookup_hosts.so
#3  0x00007ffff4761cf7 in rpc_get_exports () from /usr/lib64/autofs/lookup_hosts.so
#4  0x00007ffff475c9e5 in ?? () from /usr/lib64/autofs/lookup_hosts.so
#5  0x00007ffff475d43b in lookup_mount () from /usr/lib64/autofs/lookup_hosts.so
#6  0x000055555556e101 in do_name_lookup_mount (name_len=6, name=0x7ffff7fb9f10 "backup", map=0x5555557c8740, ap=0x5555557c8630) at lookup.c:979
#7  lookup_nss_mount (ap=ap@entry=0x5555557c8630, source=source@entry=0x0, name=name@entry=0x7ffff7fb9f10 "backup", name_len=6) at lookup.c:1132
#8  0x0000555555563dbb in do_mount_indirect (arg=<optimized out>) at indirect.c:772
#9  0x00007ffff7bc85bd in start_thread () from /lib64/libpthread.so.0
#10 0x00007ffff739b5cd in clone () from /lib64/libc.so.6
Comment 2 Dag Nygren 2015-08-18 16:55:17 CEST
Ok, debugged this and found that rpc_get_export() returns a pointer to an exports structure that is on the stack!!!
Typical error of inexperience... And it might work with some compilers and sometimes....

Patching the function with an additional "static" in front of the variable makes things work. Patch enclosed to the case.
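The defect class named in Comment 2, a function handing back the address of one of its own automatic variables, and the two usual repairs are illustrated below. This is an added example written for this page, not autofs code, not the attached patch, and not the reporter's code; `struct exports`, `get_exports_static`, `get_exports_into` and the helpers around them are hypothetical names, and the export-list contents are constructed. Note that Comment 4 later withdraws the stack-return explanation for this particular crash while reporting that the `static` patch still works; the example demonstrates the bug class, not the exact cause in lookup_hosts.so.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an export-list entry; not autofs's own struct. */
struct exports {
    char dir[64];
    int  flags;
};

/*
 * The defect described in Comment 2, kept in a comment because compilers
 * warn on it (-Wreturn-local-addr / -Wreturn-stack-address) and may even
 * optimise the return into a null pointer. Once the function returns, its
 * frame is gone and whatever the caller reads through the pointer is
 * undefined; it may look fine until some later call reuses that stack area,
 * which is why such code "works with some compilers and sometimes":
 *
 *     struct exports *get_exports_dangling(const char *host)
 *     {
 *         struct exports ex;                 // automatic storage
 *         snprintf(ex.dir, sizeof ex.dir, "/export/%s", host);
 *         ex.flags = 1;
 *         return &ex;                        // dangles after return
 *     }
 */

/* Fix 1: the approach of the attached patch, a single static instance.
 * The pointer stays valid after return, but every caller shares one
 * buffer. The backtrace shows automount running the lookup inside a
 * thread (do_mount_indirect via start_thread), so concurrent lookups
 * could overwrite each other's result through this buffer. */
struct exports *get_exports_static(const char *host)
{
    static struct exports ex;
    snprintf(ex.dir, sizeof ex.dir, "/export/%s", host);
    ex.flags = 1;
    return &ex;
}

/* Fix 2: re-entrant form. The caller owns the storage, so nothing dangles
 * and nothing is shared between callers. Returns 0 on success, -1 on
 * bad input or if the path would not fit. */
int get_exports_into(const char *host, struct exports *out)
{
    if (host == NULL || out == NULL || host[0] == '\0')
        return -1;
    if (snprintf(out->dir, sizeof out->dir, "/export/%s", host)
            >= (int)sizeof out->dir)
        return -1;
    out->flags = 1;
    return 0;
}

/* Fills a caller-owned struct and reports whether it holds the expected
 * directory (1) or not (0). */
int get_exports_into_matches(const char *host, const char *expect_dir)
{
    struct exports ex;
    if (get_exports_into(host, &ex) != 0)
        return 0;
    return strcmp(ex.dir, expect_dir) == 0 && ex.flags == 1;
}

/* Shows the shared-buffer hazard of the static fix: a second call changes
 * what the first caller's pointer refers to. Returns 1 if the first
 * result was overwritten, 0 otherwise. */
int static_result_overwritten(void)
{
    struct exports *first = get_exports_static("backup");
    char seen_before[64];
    strcpy(seen_before, first->dir);        /* "/export/backup" */
    get_exports_static("other");            /* same buffer, new content */
    return strcmp(seen_before, first->dir) != 0;
}

int main(void)
{
    struct exports ex;
    if (get_exports_into("backup", &ex) == 0)
        printf("%s flags=%d\n", ex.dir, ex.flags);
    printf("static result overwritten by a second call: %d\n",
           static_result_overwritten());
    return 0;
}
```

Compiling with warnings enabled (`-Wall`) is the cheapest check for the first form; both GCC and Clang flag a returned address of a local. Of the two repairs, the caller-provided buffer is the one to prefer in code that is reached from several threads, as the lookup in this backtrace is.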
Comment 3 Dag Nygren 2015-08-18 16:56:36 CEST
Created attachment 6937 [details]
Patch to fix returning a reference to the stack
Dag Nygren 2015-08-18 17:23:30 CEST

CC: (none) => dag

Comment 4 Dag Nygren 2015-08-18 18:13:05 CEST
Having a closer look at the (messy) code in rpc_get_exports() the reason I gave for the problem is wrong, so sorry for that. But the patch does work... I just don't know why.
David Walser 2015-08-25 23:28:46 CEST

Assignee: bugsquad => shlomif

Comment 5 Marja Van Waes 2018-04-14 12:21:09 CEST

@ Dag,

Thank you for having taken the needed time to report this issue!

Did this bug get fixed? If so, please change its status to RESOLVED - FIXED

If it didn't, then we regret that we weren't able to fix it in Mageia 5. Mageia 5 has officially reached its End of Life on December 31st, 2017 https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/
It only continued to get important security updates since then, because we are waiting for a big Plasma5 update in Mageia 6, that'll fix many of the Mageia 5 => 6 upgrade issues.

If you haven't seen that this bug got fixed, then please check whether this bug still exists in Mageia 6. If it does, then please change the Version (near the top, at the left) to "6". If you know it exists in Cauldron, then change Version to Cauldron. If you see it in both Cauldron and Mageia 6, then please set version to Cauldron and add MGA6TOO on the Whiteboard.

Thanks,
Marja

CC: (none) => marja11
Keywords: (none) => PATCH

Comment 6 Dag Nygren 2018-04-14 13:16:35 CEST
Haven't seen the problem for quite a while now so I believe that it is fixed since my report.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

