Noble 'autofs' 5.1.9-1ubuntu3 buffer overflow

Thanks for taking the time to report this bug and trying to make Ubuntu better.

Could you please share your config files so we can try to reproduce the bug locally?

Tried direct and indirect nfs mounts, and the test suite also does nfs and cifs mounts, no segfault:

root@server:~# automount -d3 -f
Starting automounter version 5.1.9, master map /etc/auto.master
using kernel protocol version 5.05
lookup_nss_read_master: reading master file /etc/auto.master
do_init: parse(sun): init gathered global options: (null)
lookup_read_master: lookup(file): read entry /mnt
lookup_read_master: lookup(file): read entry /-
master_do_mount: mounting /mnt
lookup_nss_read_map: reading map file /etc/auto.mnt
do_init: parse(sun): init gathered global options: (null)
mounted indirect on /mnt with timeout 300, freq 75 seconds
st_ready: st_ready(): state = 0 path /mnt
master_do_mount: mounting /-
lookup_nss_read_map: reading map file /etc/auto.direct
do_init: parse(sun): init gathered global options: (null)
mounted direct on /foo with timeout 300, freq 75 seconds
do_mount_autofs_direct: mounted trigger /foo
st_ready: st_ready(): state = 0 path /-
handle_packet: type = 5
handle_packet_missing_direct: token 43, name /foo, request pid 14188
attempting to mount entry /foo
lookup_mount: lookup(file): looking up /foo
lookup_mount: lookup(file): /foo -> localhost:/storage
parse_mount: parse(sun): expanded entry: localhost:/storage
parse_mount: parse(sun): gathered options:
parse_mount: parse(sun): dequote("localhost:/storage") -> localhost:/storage
parse_mount: parse(sun): core of entry: options=, loc=localhost:/storage
sun_mount: parse(sun): mounting root /foo, mountpoint /foo, what localhost:/storage, fstype nfs, options (null)
mount(nfs): root=/foo name=/foo what=localhost:/storage, fstype=nfs, options=(null)
mount_mount: mount(nfs): calling mkdir_path /foo
mount_mount: mount(nfs): /foo is local, attempt bind mount
mount_mount: mount(bind): calling mkdir_path /foo
mount(bind): calling mount --bind -o defaults /storage /foo
mount(bind): mounted /storage type bind on /foo
dev_ioctl_send_ready: token = 43
mounted /foo
handle_packet: type = 3
handle_packet_missing_indirect: token 44, name nfs, request pid 14191
attempting to mount entry /mnt/nfs
lookup_mount: lookup(file): looking up nfs
lookup_mount: lookup(file): nfs -> localhost:/storage
parse_mount: parse(sun): expanded entry: localhost:/storage
parse_mount: parse(sun): gathered options:
parse_mount: parse(sun): dequote("localhost:/storage") -> localhost:/storage
parse_mount: parse(sun): core of entry: options=, loc=localhost:/storage
sun_mount: parse(sun): mounting root /mnt, mountpoint nfs, what localhost:/storage, fstype nfs, options (null)
mount(nfs): root=/mnt name=nfs what=localhost:/storage, fstype=nfs, options=(null)
mount_mount: mount(nfs): calling mkdir_path /mnt/nfs
mount_mount: mount(nfs): nfs is local, attempt bind mount
mount_mount: mount(bind): calling mkdir_path /mnt/nfs
mount(bind): calling mount --bind -o defaults /storage /mnt/nfs
mount(bind): mounted /storage type bind on /mnt/nfs
dev_ioctl_send_ready: token = 44
mounted /mnt/nfs

# mount -t autofs
systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=32,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=3020)
/etc/auto.mnt on /mnt type autofs (rw,relatime,fd=6,pgrp=14168,timeout=300,minproto...

I will add the config files later. In the meantime this might be useful, a baxcktrace under 'gdb':

*** buffer overflow detected ***: terminated

Thread 5 "automount" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff3e706c0 (LWP 119683)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimised out>) at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimised out>, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
#3 0x00007ffff7bb626e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#4 0x00007ffff7b998ff in __GI_abort () at ./stdlib/abort.c:79
#5 0x00007ffff7b9a7b6 in __libc_message_impl (fmt=fmt@entry=0x7ffff7d3f765 "*** %s ***: terminated\n")
    at ../sysdeps/posix/libc_fatal.c:132
#6 0x00007ffff7ca7c19 in __GI___fortify_fail (msg=msg@entry=0x7ffff7d3f74c "buffer overflow detected")
    at ./debug/fortify_fail.c:24
#7 0x00007ffff7ca75d4 in __GI___chk_fail () at ./debug/chk_fail.c:28
#8 0x00007ffff7ca8db5 in ___snprintf_chk (s=<optimised out>, maxlen=<optimised out>, flag=<optimised out>,
    slen=<optimised out>, format=<optimised out>) at ./debug/snprintf_chk.c:29
#9 0x00007ffff7d93a0d in make_options_string () from /lib/x86_64-linux-gnu/libautofs.so
#10 0x0000555555561af3 in do_mount_autofs_direct ()
#11 0x00005555555691c2 in mount_autofs_direct ()
#12 0x0000555555569e7f in handle_mounts ()
#13 0x00007ffff7c0da94 in start_thread (arg=<optimised out>) at ./nptl/pthread_create.c:447
#14 0x00007ffff7c9ac3c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Thanks for this, I know better where to look now. The config files or a minimal reproducer would still help, of course.

In the meantime, you can also try debuginfod[1], which is a way for gdb to automatically fetcl all the symbols for you.

TL;DR Something like this

sudo -i (because automounter needs to run as root)
export DEBUGINFOD_URLS="https://debuginfod.ubuntu.com"
gdb <path-to-automounter>
r -f

1. https://ubuntu.com/server/docs/service-debuginfod

SO I have cut down the configuration files to a minimum:

petal# cat /etc/auto.master
#DIR [TYPE[,FORMAT]:]MAP [OPTIONS]

/- file,sun:/etc/auto.mp
petal# cat /etc/auto.mp
# vim:set ft=conf sw=2 noet nowrap:

/mp/mumon/._ -fstype=btrfs,ro,rw,exec,suid,nossd,lazytime :/dev/mapper/peL0p7

petal# automount -f -d3
Starting automounter version 5.1.9, master map /etc/auto.master
using kernel protocol version 5.05
lookup_nss_read_master: reading master file /etc/auto.master
do_init: parse(sun): init gathered global options: (null)
do_spawn: >> mount: /tmp/auto96h9tO bound on /tmp/auto0m772d.
lookup_read_master: lookup(file): read entry /-
master_do_mount: mounting /-
reading file map /etc/auto.mp
do_init: parse(sun): init gathered global options: (null)
do_spawn: >> mount: /tmp/autoP0xIB3 bound on /tmp/autocrpfww.
*** buffer overflow detected ***: terminated
Aborted (core dumped)

Happens also with direct mounts (even if I mostly use indirect ones):

petal# cat /etc/auto.master
#DIR [TYPE[,FORMAT]:]MAP [OPTIONS]

/mp file,sun:/etc/auto.mp
petal# cat /etc/auto.mp
# vim:set ft=conf sw=2 noet nowrap:

mumon/._ -fstype=btrfs,ro,rw,exec,suid,nossd,lazytime :/dev/mapper/peL0p7

[Detaching after fork from child process 119968]
do_spawn: >> mount: /tmp/autoDKdoWg bound on /tmp/autovNVgG1.
[Detaching after fork from child process 119969]
lookup_read_master: lookup(file): read entry /mp
master_do_mount: mounting /mp
[New Thread 0x7ffff3e706c0 (LWP 119970)]
reading file map /etc/auto.mp
warning: could not find '.gnu_debugaltlink' file for /usr/lib/x86_64-linux-gnu/autofs/lookup_file.so
warning: could not find '.gnu_debugaltlink' file for /usr/lib/x86_64-linux-gnu/autofs/parse_sun.so
do_init: parse(sun): init gathered global options: (null)
warning: could not find '.gnu_debugaltlink' file for /usr/lib/x86_64-linux-gnu/autofs/mount_nfs.so
warning: could not find '.gnu_debugaltlink' file for /usr/lib/x86_64-linux-gnu/autofs/mount_bind.so
[Detaching after fork from child process 119971]
do_spawn: >> mount: /tmp/autoFUyZS9 bound on /tmp/autoF5y57E.
[Detaching after fork from child process 119972]
*** buffer overflow detected ***: terminated

Thread 5 "automount" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff3e706c0 (LWP 119970)]
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimised out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory

Which kernel are you running? There are some kernel version checks in the code which affect a buffer size, and that's a buffer that make_options_string() writes to.

I haven't been able to reproduce this yet, with any of your config files. I'm on noble's kernel: 6.8.0-22

And your second reproducer, with /mp in auto.master, doesn't work here:

# ls -la /mp/mumon/_.
ls: cannot access '/mp/mumon/_.': No such file or directory

handle_packet: type = 3
handle_packet_missing_indirect: token 43, name mumon, request pid 4242
attempting to mount entry /mp/mumon
lookup_mount: lookup(file): looking up mumon
key "mumon" not found in map source(s).
dev_ioctl_send_fail: token = 43
failed to mount /mp/mumon

I managed to reproduce it finally after I added "strictexpire" to /etc/auto.master

This PPA has a patched version for noble, would you mind trying it out please?

https://launchpad.net/~ahasenack/+archive/ubuntu/autofs-segfault-2061667

«In the meantime, you can also try debuginfod»

Interesting, thanks for mentioning this.

«reproduce it finally after I added "strictexpire" to /etc/auto.master»

That is really weird, I think I was not using that (or "ignore").
Your intuition that was a factor seems to have worked because:

«PPA has a patched version for noble»

Works here both on kernel 5.15.0-102 (which I had to use for a while because of other issues) and 6.8.0-22 (which I have gone back to). Thanks for looking at this.

Thanks for verifying it. This is up for review and as soon as it's approved I'll upload.

This was uploaded and is in noble-unapproved.

This bug was fixed in the package autofs - 5.1.9-1ubuntu4

---------------
autofs (5.1.9-1ubuntu4) noble; urgency=medium

  * d/p/adjust-buffer-size-for-snprintf.patch: fix buffer size when
    appending to a string (LP: #2061667)

 -- Andreas Hasenack <email address hidden> Wed, 17 Apr 2024 11:47:05 -0300