Found issue and reported upstream:
- Forwarded message from Helge Deller -
Date: Tue, 8 Sep 2020 11:54:02 +0200
From: Helge Deller
To: aut...@vger.kernel.org, Ian Kent
Subject: [PATCH] autofs: Fix crash in sun_mount()
Message-ID: <20200908095402.ga25...@ls3530.fritz.box>
In sun_mount() the variable np gets initialized to an alloca()
memory area:
np = noptions = alloca();
Later on, at the end of a loop, it may get accessed like this:
*(np - 1) = '\0';
If np hasn't been increased in between those lines, this access triggers
an out-of-bounds access which overwrites stack area and on the parisc
architecture segfaults the automount executable as described in the Debian
bugzilla #892953.
The patch below adds the necessary check and thus fixes the crash.
Signed-off-by: Helge Deller
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892953
diff -up ./modules/parse_sun.c.org ./modules/parse_sun.c
--- ./modules/parse_sun.c.org 2020-09-08 09:13:03.843105425 +
+++ ./modules/parse_sun.c 2020-09-08 09:16:49.321534049 +
@@ -575,8 +575,9 @@ static int sun_mount(struct autofs_point
if (np > noptions + len) {
warn(ap->logopt, MODPREFIX "options string truncated");
np[len] = '\0';
- } else
+ } else if (np > noptions) {
*(np - 1) = '\0';
+ }
options = noptions;
}
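Review bot: the new `else if (np > noptions)` branch stops the `*(np - 1) = '\0'` write from landing one byte before the alloca() buffer, but it leaves the `np == noptions` case (nothing copied into the buffer) with no terminator written at all, and the following `options = noptions;` still hands the buffer on to the caller. Unless `noptions[0]` is guaranteed to be zeroed before the loop, consider terminating explicitly in that case, e.g. `} else if (np > noptions) { *(np - 1) = '\0'; } else { *np = '\0'; }`, or adding a comment stating why an empty buffer is already NUL-terminated. A one-line comment above the new condition explaining that np may never have advanced past noptions would also help the next reader.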
- End forwarded message -