kernel crash on symlink chased from NFS to failing automount
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Linux | Fix Released | Medium | |
linux (Ubuntu) | Fix Released | High | Stefan Bader |
Lucid | Fix Released | High | Stefan Bader |
Maverick | Fix Released | High | Stefan Bader |
Natty | Fix Released | High | Stefan Bader |
Bug Description
SRU justification:
Impact: When trying to mount an export where server and client have no common authentication method, the client will abort the mount by sending an advisory unmount message to the server. A bug in the RPC client setup causes the sunrpc code to access memory outside an allocated array, which will sooner or later cause the kernel to crash.
Fix: Patch from upstream (about to be submitted and targeted for stable too) changes the setup to use the actual array size instead of a manually entered number.
Testcase:
Server exports a mount with an authentication method the client does not support, e.g.:
[/etc/exports] /srv/foo *(rw,sec=krb5)
Client tries to mount this directory with no special authentication method:
while true; do mount <server>:/srv/foo /mnt; sync; sleep 1; done
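The defect class behind this report (a loop bounded by a hand-maintained count rather than the real size of the array it walks, and the fix of bounding it by the array itself) can be shown in a few lines. The following is an added illustration, not code from the bug report or from the kernel's sunrpc client: the table layout, the function names and the way the negotiation is modelled are assumptions, and the flavor numbers (AUTH_NULL 0, AUTH_UNIX 1, RPCSEC_GSS 6, which is what sec=krb5 selects) are the standard ONC RPC values. The hand-maintained count is deliberately wrong so the mismatch can be checked without ever reading past the array.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a small table of RPC authentication flavors and a
 * bounded lookup over it. This is not the sunrpc code the report refers to. */

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct auth_flavor {
    unsigned int number;   /* flavor number as carried in the RPC header */
    const char *name;
};

/* The flavors this hypothetical client can actually speak. */
static const struct auth_flavor client_flavors[] = {
    { 0, "AUTH_NULL" },
    { 1, "AUTH_UNIX" },
};

/*
 * Hand-maintained count of the kind the upstream fix removed. It is wrong
 * here on purpose: it claims 4 entries while the array holds 2, so any loop
 * bounded by it would read two structs past the end of client_flavors[].
 * We only compare it, we never use it as a loop bound.
 */
#define CLIENT_FLAVOR_COUNT 4

/* Returns 1 if the manually entered count disagrees with the real array size. */
int manual_count_is_wrong(void)
{
    return CLIENT_FLAVOR_COUNT != (int)ARRAY_SIZE(client_flavors);
}

/*
 * Fixed pattern: bound the loop by the array itself. When the requested
 * flavor is not in the table the lookup returns NULL instead of walking
 * off the end of the array.
 */
const struct auth_flavor *find_flavor(unsigned int number)
{
    size_t i;
    for (i = 0; i < ARRAY_SIZE(client_flavors); i++)
        if (client_flavors[i].number == number)
            return &client_flavors[i];
    return NULL;
}

/*
 * Pick the first flavor the server offers that the client supports.
 * Returns the chosen flavor number, or -1 when server and client have no
 * common method, which is the situation the report's testcase creates.
 */
int negotiate_flavor(const unsigned int *server_offers, size_t n_offers)
{
    size_t i;
    for (i = 0; i < n_offers; i++)
        if (find_flavor(server_offers[i]))
            return (int)server_offers[i];
    return -1;
}

/* Constructed server offer lists: sec=krb5 only, and krb5 plus sys. */
static const unsigned int server_krb5_only[]    = { 6 };
static const unsigned int server_krb5_and_sys[] = { 6, 1 };

int main(void)
{
    printf("manual count disagrees with array: %d\n", manual_count_is_wrong());
    printf("krb5-only server   -> %d\n",
           negotiate_flavor(server_krb5_only, ARRAY_SIZE(server_krb5_only)));
    printf("krb5+sys server    -> %d\n",
           negotiate_flavor(server_krb5_and_sys, ARRAY_SIZE(server_krb5_and_sys)));
    return 0;
}
```

The point of `manual_count_is_wrong()` is that the mismatch is detectable at build or test time; in a code base this is the kind of check that belongs in a unit test or a static assertion next to the table, so a count can never silently drift from the array it describes.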
---
Create an automount indirect map entry to an NFS server that will deny the mount with a permission denied error.
Create a symlink on some mounted NFS partition pointing at the name of that automount indirect map entry.
Chase the symlink with ls, etc.
Notice that the automounter tries and fails to mount the partition. (visible with automount -d -f, say)
In a few minutes, depending on system activity, the kernel will crash with the symptoms of a memory corruption error.
tags: | added: glucid |
security vulnerability: | yes → no |
affects: | ubuntu → linux (Ubuntu) |
Changed in linux (Ubuntu): | |
assignee: | nobody → Stefan Bader (stefan-bader-canonical) |
importance: | Undecided → High |
status: | New → Triaged |
visibility: | private → public |
tags: | added: kernel-series-unknown |
description: | updated |
Changed in linux (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu Maverick): | |
status: | Triaged → Fix Committed |
Changed in linux (Ubuntu Natty): | |
status: | Triaged → Fix Committed |
tags: | added: kernel-server |
tags: | added: verification-done removed: verification-needed |
Changed in linux: | |
status: | Unknown → Confirmed |
Changed in linux: | |
status: | Confirmed → Fix Released |
Changed in linux: | |
importance: | Unknown → Medium |
This has been tested on a default Lucid 64-bit install. We do not believe the bug existed in 32-bit Dapper.