* segfault in mount with CITI patch
From: Vince Busam @ 2005-12-22 1:30 UTC
To: nfs
I've found that mount (from util-linux 2.12 + CITI_NFS4_ALL-3 patch) will segfault with
this (probably rare) command:
    mount -o tcp,nosuid,rw,rsize=8192,wsize=8192,nfsvers=3,mountvers=2,intr,sec=krb5 server:/volume /mntpoint
This is because nfs_call_mount() will run nfs2_mount() when mountvers=2, but since
nfsvers=3, nfsmount() will expect certain fields to be filled out, which are not, causing
a segfault here, where flavor points to an invalid address:
    1061 if (flavor[i] == data.pseudoflavor)
Is nfsvers=3,mountvers=2 even OK to do? If not, mount should print an error instead of
segfault.
Thanks,
Vince
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
* Re: segfault in mount with CITI patch
From: Trond Myklebust @ 2005-12-22 23:08 UTC
To: Vince Busam; +Cc: nfs
On Wed, 2005-12-21 at 17:30 -0800, Vince Busam wrote:
> Is nfsvers=3,mountvers=2 even OK to do? If not, mount should print an error instead of
> segfault.
Do you mean that the kernel Oopses, or is it really just a userland
segfault? If the latter, we really don't care too much: mixing nfsvers=3
and mountvers=2 is just silly. Sure, we can put a check in util-linux,
but there is no security implication.
OTOH, an Oops will be a security problem.
Cheers,
Trond
* Re: segfault in mount with CITI patch
From: Vince Busam @ 2005-12-22 23:43 UTC
To: Trond Myklebust; +Cc: nfs
Trond Myklebust wrote:
> On Wed, 2005-12-21 at 17:30 -0800, Vince Busam wrote:
>
>>Is nfsvers=3,mountvers=2 even OK to do? If not, mount should print an error instead of
>>segfault.
>
>
> Do you mean that the kernel Oopses, or is it really just a userland
> segfault. If the latter, we really don't care too much: mixing nfsvers=3
> and mountvers=2 is just silly. Sure, we can put a check in util-linux,
> but there is no security implication.
It's a harmless userland segfault that could be fixed with a simple check like this (or a
more thorough one if somebody has more knowledge over which versions don't work together).
Vince
--- util-linux-2.12.nfsv4/mount/nfsmount.c.orig 2005-12-21 15:56:02.000000000 -0800
+++ util-linux-2.12.nfsv4/mount/nfsmount.c 2005-12-22 13:51:33.000000000 -0800
@@ -803,6 +803,10 @@ nfsmnt_check_compat(const struct pmap *n
mnt_pmap->pm_vers);
goto out_bad;
}
+ if ((nfs_pmap->pm_vers == 3) && (mnt_pmap->pm_vers < 3)) {
+ fprintf(stderr, _("NFS version 3 not supported with mount < 3\n"));
+ goto out_bad;
+ }
return 1;
out_bad:
return 0;
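Review bot: the added test `(nfs_pmap->pm_vers == 3) && (mnt_pmap->pm_vers < 3)` also matches mnt_pmap->pm_vers == 0, so if zero can reach nfsmnt_check_compat() to mean "mountvers not given", a plain nfsvers=3 mount would now fail; please confirm that cannot happen or add a non-zero test on mnt_pmap->pm_vers. The new message is also less specific than the error just above it, which prints mnt_pmap->pm_vers; printing both version numbers and naming the nfsvers/mountvers options would tell the user which option to change. Finally, this only rejects the one option combination up front: the dereference `flavor[i] == data.pseudoflavor` in nfsmount() stays unguarded, so a check there that the flavor list was actually filled in would cover any other path that leaves it unset.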