kernel-packages team mailing list archive
Message #103778
[Bug 683938] Re: kernel crash on symlink chased from NFS to failing automount
** CVE removed: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4249
--
https://bugs.launchpad.net/bugs/683938
Title:
kernel crash on symlink chased from NFS to failing automount
Status in The Linux Kernel:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in linux source package in Lucid:
Fix Released
Status in linux source package in Maverick:
Fix Released
Status in linux source package in Natty:
Fix Released
Bug description:
SRU justification:
Impact: When trying to mount an export where server and client have no
common authentication method, the client will abort the mount by
sending an advisory unmount message to the server. A bug in the RPC
client setup causes the sunrpc code to access memory outside an
allocated array, which will sooner or later cause the kernel to crash.
Fix: Patch from upstream (about to be submitted and targeted for
stable too) changes the setup to use the actual array size instead of
a manually entered number.
Testcase:
Server exports a mount with an authentication method the client does not support, e.g.:
[/etc/exports] /srv/foo *(rw,sec=krb5)
Client tries to mount this directory with no special authentication method:
while true; do mount <server>:/srv/foo /mnt; sync; sleep 1; done
---
Create an automount indirect map entry to an NFS server that will deny the mount with a permission denied error.
Create a symlink on some mounted NFS partition pointing at the name of that automount indirect map entry.
Chase the symlink with ls, etc.
Notice that the automounter tries and fails to mount the partition. (visible with automount -d -f, say)
In a few minutes, depending on system activity, the kernel will crash
with the symptoms of a memory corruption error.
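The bug class named in the SRU justification (a hand-entered element count that disagrees with the real array size), as an added user-space example that is not the kernel's sunrpc code or the upstream patch. All names, the sparse procedure numbering and the per-procedure counter array are assumptions made for illustration; the bounds check stands in for the out-of-bounds write so the mismatch can be observed safely.

```c
#include <stdio.h>
#include <stdlib.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical, sparse procedure numbers (assumed for this model). */
enum { PROC_MOUNT = 1, PROC_UNMOUNT = 3 };

struct proc_info { const char *name; };

/* Designated initializers size the table to highest index + 1: 4 slots. */
static const struct proc_info procs[] = {
    [PROC_MOUNT]   = { "mount" },
    [PROC_UNMOUNT] = { "unmount" },
};

struct version { size_t nrprocs; const struct proc_info *procs; };

/* Weak: count entered by hand (two procedures are defined). */
static const struct version ver_manual = { 2, procs };
/* Corrected: count taken from the array itself. */
static const struct version ver_sized = { ARRAY_SIZE(procs), procs };

/* Per-procedure call counters, allocated from the declared count. */
struct client { const struct version *ver; unsigned long *calls; };

/* Counts one call. Returns -1 where unchecked code would write past calls[]. */
static int count_call(struct client *c, unsigned int proc)
{
    if (proc >= c->ver->nrprocs)
        return -1;
    c->calls[proc]++;
    return 0;
}

/* Set up a client for version v and record one unmount call. */
static int try_unmount(const struct version *v)
{
    struct client c = { v, calloc(v->nrprocs, sizeof(unsigned long)) };
    int rc = c.calls ? count_call(&c, PROC_UNMOUNT) : -2;
    free(c.calls);
    return rc;
}

int main(void)
{
    printf("manual count: %d\n", try_unmount(&ver_manual));
    printf("ARRAY_SIZE:   %d\n", try_unmount(&ver_sized));
    return 0;
}
```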