Dear Helge,

Thank you very much for your patch.

On 08.09.20 at 11:54, Helge Deller wrote:
In sun_mount() the the variable np gets initialized to an alloca()
s/the the/the/
memory area:

np = noptions = alloca();

Later on, at the end of a loop, it may get accessed like this:

*(np - 1) = '\0';

If np hasn't been increased in between those lines, this access triggers an out-of-bounds access which overwrites stack area and on the parisc architecture segfaults the automount executable as desribed in the Debian
described
bugzilla #892953.
Debian just calls it Debian BTS.
The patch below adds the necessary check and thus fixes the crash. Signed-off-by: Helge Deller <deller@xxxxxx> Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892953 diff -up ./modules/parse_sun.c.org ./modules/parse_sun.c --- ./modules/parse_sun.c.org 2020-09-08 09:13:03.843105425 +0000 +++ ./modules/parse_sun.c 2020-09-08 09:16:49.321534049 +0000 @@ -575,8 +575,9 @@ static int sun_mount(struct autofs_point if (np > noptions + len) { warn(ap->logopt, MODPREFIX "options string truncated"); np[len] = '\0'; - } else + } else if (np > noptions) { *(np - 1) = '\0'; + } options = noptions; }
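Review bot: the new `} else if (np > noptions) {` guard stops the write to noptions[-1], but in the `np == noptions` case no terminator is written at all before `options = noptions;` is reached; unless the alloca()'d buffer is initialised earlier (outside this hunk), `options` would then point at an unterminated string, so either confirm that initialisation exists or add an explicit branch such as `} else { *np = '\0'; }`.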
Reviewed-by: Paul Menzel <pmenzel@xxxxxxxxxxxxx>

Kind regards,
Paul
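The underflow described in the report, shown here as an added C illustration that is not autofs code: a hypothetical option-joining loop with a canary byte placed directly before the buffer, run once in the unpatched form and once with the `np > noptions` guard. The option list, buffer size and function names are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define BUF_LEN 64

/* Constructed sample input, not from autofs. */
static const char *sample_opts[] = { "rw", "nosuid" };

/* Join `count` options with commas into `noptions` (capacity `len`), in
 * the style the report describes: each option is followed by a separator
 * and the last separator is then turned into the terminator.
 * Returns 0 on success, -1 if the options do not fit. */
static int join_options(const char **opts, size_t count,
                        char *noptions, size_t len, int guarded)
{
    char *np = noptions;
    size_t i, l;
    for (i = 0; i < count; i++) {
        l = strlen(opts[i]);
        if ((size_t)(np - noptions) + l + 1 >= len)
            return -1;
        memcpy(np, opts[i], l);
        np += l;
        *np++ = ',';
    }
    if (!guarded)
        *(np - 1) = '\0';   /* unpatched: writes noptions[-1] when np == noptions */
    else if (np > noptions)
        *(np - 1) = '\0';   /* patched: only after something was appended */
    else
        *np = '\0';         /* empty list: terminate the empty string */
    return 0;
}

/* Run the join with a canary byte directly before the buffer, so the
 * underflow is observable without undefined behaviour (noptions[-1] is
 * area[0], a valid byte of the same array).  Returns 1 if the canary
 * survived and the result equals `expected`, 0 otherwise. */
int join_matches(const char **opts, size_t count, int guarded,
                 const char *expected)
{
    char area[1 + BUF_LEN];
    char *noptions = area + 1;
    memset(area, 0, sizeof area);
    area[0] = 'C';
    if (join_options(opts, count, noptions, BUF_LEN, guarded) != 0)
        return 0;
    return area[0] == 'C' && strcmp(noptions, expected) == 0;
}
```

With two options both forms produce "rw,nosuid" and leave the canary alone; with an empty list only the guarded form keeps the canary intact.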