Debian Bug report logs - #549002
linux-image-2.6.26-2-xen-amd64: Kernel Oops - autofs5 nfs4 mount

Package: linux-image-2.6.26-2-xen-amd64; Maintainer for linux-image-2.6.26-2-xen-amd64 is (unknown);

Reported by: Christian Salzmann <[email protected]>

Date: Wed, 30 Sep 2009 09:39:03 UTC

Severity: important

Tags: patch, upstream

Found in version linux-2.6/2.6.26-19

Fixed in versions linux-2.6/2.6.31-1~experimental.2, linux-2.6/2.6.26-20

Done: dann frazier <[email protected]>

Bug is archived. No further changes may be made.


Message #20 received at [email protected]:

From: Ben Hutchings <[email protected]>
To: [email protected]
Date: Sun, 04 Oct 2009 14:15:36 +0100
Subject: Re: linux-image-2.6.26-2-xen-amd64: Kernel Oops - autofs5 nfs4
 mount
nfs_alloc_client() is copying 48 bytes of IP address string from mount
data to client structure with memcpy(), while the source string is
allocated with strdup() and is normally shorter.  In this case it has
copied 32 bytes (RCX = 4 indicating 16 bytes left to go) and then
overrun into an unmapped page (RSI = ffff8800c7be5000 which is
page-aligned).

This could happen with any NFSv4 mount and is not specific to autofs.

The fix is to use strlcpy() instead of memcpy().

Ben.

-- 
Ben Hutchings
I say we take off; nuke the site from orbit.  It's the only way to be sure.
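
The over-read described in the message above, modelled in userspace as an added example; it is not code from the message or from the kernel. It assumes a POSIX system with mmap(); `bounded_copy()` is a hypothetical stand-in for the kernel's strlcpy(), the other helper names are hypothetical, and the address string is constructed. The source string is placed directly before an inaccessible page, so a fixed 48-byte memcpy() would fault while the bounded copy stops at the terminator.

```c
/* Added userspace illustration, not kernel code; helper names are hypothetical. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#define IP_BUF_LEN 48   /* fixed copy length quoted in the message */

/* Stand-in for the kernel's strlcpy(): reads src only up to its NUL, copies
   at most size-1 bytes, always NUL-terminates, returns strlen(src). */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size) {
        size_t n = len >= size ? size - 1 : len;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Map two pages, make the second inaccessible, and place s so that its NUL
   is the last byte of the first page. Returns NULL on failure. */
static char *string_before_guard_page(const char *s)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), len = strlen(s) + 1;
    char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || len > pg || mprotect(base + pg, pg, PROT_NONE))
        return NULL;
    return memcpy(base + pg - len, s, len);
}

/* Would an n-byte read starting at src (as memcpy(dst, src, n) performs)
   run into the page after the one src starts in? */
static int read_crosses_page(const char *src, size_t n)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    return (uintptr_t)src / pg != ((uintptr_t)src + n - 1) / pg;
}

int main(void)
{
    char dst[IP_BUF_LEN];
    char *src = string_before_guard_page("192.0.2.10"); /* constructed input */
    if (!src) return 1;
    int unsafe = read_crosses_page(src, IP_BUF_LEN); /* 1: fixed-size memcpy would fault */
    size_t n = bounded_copy(dst, src, sizeof dst);
    return !(unsafe && n == 10 && strcmp(dst, "192.0.2.10") == 0);
}
```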

Debian bug tracking system administrator <[email protected]>. Last modified: Sat May 10 03:12:14 2025; Machine Name: buxtehude
