Re: [PATCH] autofs: Fix crash in sun_mount()


Dear Helge,

Thank you very much for your patch.

On 08.09.20 at 11:54, Helge Deller wrote:
In sun_mount() the the variable np gets initialized to an alloca()

s/the the/the/

memory area:
   np = noptions = alloca();
Later on, at the end of a loop, it may get accessed like this:
   *(np - 1) = '\0';

If np hasn't been increased in between those lines, this access triggers
an out-of-bounds access which overwrites stack area and on the parisc
architecture segfaults the automount executable as described in the Debian
bugzilla #892953.

Debian just calls it Debian BTS.

The patch below adds the necessary check and thus fixes the crash.

Signed-off-by: Helge Deller <deller@xxxxxx>

diff -up ./modules/ ./modules/parse_sun.c
--- ./modules/	2020-09-08 09:13:03.843105425 +0000
+++ ./modules/parse_sun.c	2020-09-08 09:16:49.321534049 +0000
@@ -575,8 +575,9 @@ static int sun_mount(struct autofs_point
  		if (np > noptions + len) {
  			warn(ap->logopt, MODPREFIX "options string truncated");
  			np[len] = '\0';
-		} else
+		} else if (np > noptions) {
  			*(np - 1) = '\0';
+		}

  		options = noptions;
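Review bot: the new `else if (np > noptions)` branch leaves the `np == noptions` case (no options appended) without any terminator being written, yet `options = noptions;` is consumed right after; please confirm that `noptions` is explicitly terminated at allocation (e.g. `noptions[0] = '\0';` after the `alloca()`), since `alloca()` memory is not zeroed and the first byte would otherwise be stack garbage. A short comment on the new branch stating that `np == noptions` means "nothing was appended" would also make the intent of the guard obvious to the next reader.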

Reviewed-by: Paul Menzel <pmenzel@xxxxxxxxxxxxx>

Kind regards,

