From b00b719c2d4cf371fde3931ad47a8bfa681685d0 Mon Sep 17 00:00:00 2001 
From: Ian Kent
Date: Fri, 16 Apr 2021 10:15:29 +0800
Subject: [PATCH] - Coverity fixes resulting from RHEL-8 bug 1912106 change.
---
 ...dd-ext_mount_hash_mutex-lock-helpers.patch | 104 ++++++++++++++++++
 ...ength-check-in-umount_subtree_mounts.patch | 42 +++++++
 ....7-add-missing-free-in-handle_mounts.patch | 42 +++++++
 ...-mounts-list-in-mnts_get_expire_list.patch | 44 ++++++++
 ...nt-try-umount-after-stat-ENOENT-fail.patch | 45 ++++++++
 autofs-5.1.7-fix-arg-not-used-in-print.patch | 40 +++++++
 ....1.7-fix-dead-code-in-mnts_add_mount.patch | 55 +++++++++
 ....1.7-fix-double-free-in-parse_mapent.patch | 39 +++++++
 ...1.7-fix-double-unlock-in-parse_mount.patch | 37 +++++++
 ...5.1.7-fix-flag-check-in-umount_multi.patch | 38 +++++++
 ...issing-lock-release-in-mount_subtree.patch | 36 ++++++
 ...possible-memory-leak-in-master_parse.patch | 38 +++++++
 ...ble-memory-leak-in-mnts_add_amdmount.patch | 58 ++++++++++
 ...efactor-lookup_prune_one_cache-a-bit.patch | 75 +++++++++++++
 ...-master_add_amd_mount_section_mounts.patch | 40 +++++++
 autofs-5.1.7-remove-redundant-if-check.patch | 40 +++++++
 autofs.spec | 56 +++++++++-
 17 files changed, 828 insertions(+), 1 deletion(-)
 create mode 100644 autofs-5.1.7-add-ext_mount_hash_mutex-lock-helpers.patch
 create mode 100644 autofs-5.1.7-add-length-check-in-umount_subtree_mounts.patch
 create mode 100644 autofs-5.1.7-add-missing-free-in-handle_mounts.patch
 create mode 100644 autofs-5.1.7-cater-for-empty-mounts-list-in-mnts_get_expire_list.patch
 create mode 100644 autofs-5.1.7-dont-try-umount-after-stat-ENOENT-fail.patch
 create mode 100644 autofs-5.1.7-fix-arg-not-used-in-print.patch
 create mode 100644 autofs-5.1.7-fix-dead-code-in-mnts_add_mount.patch
 create mode 100644 autofs-5.1.7-fix-double-free-in-parse_mapent.patch
 create mode 100644 autofs-5.1.7-fix-double-unlock-in-parse_mount.patch
 create mode 100644 autofs-5.1.7-fix-flag-check-in-umount_multi.patch
 create mode 100644 autofs-5.1.7-fix-missing-lock-release-in-mount_subtree.patch
 create mode 100644 autofs-5.1.7-fix-possible-memory-leak-in-master_parse.patch
 create mode 100644 autofs-5.1.7-fix-possible-memory-leak-in-mnts_add_amdmount.patch
 create mode 100644 autofs-5.1.7-refactor-lookup_prune_one_cache-a-bit.patch
 create mode 100644 autofs-5.1.7-remove-redundant-assignment-in-master_add_amd_mount_section_mounts.patch
 create mode 100644 autofs-5.1.7-remove-redundant-if-check.patch
diff --git a/autofs-5.1.7-add-ext_mount_hash_mutex-lock-helpers.patch b/autofs-5.1.7-add-ext_mount_hash_mutex-lock-helpers.patch
new file mode 100644
index 0000000..ae2b383
--- /dev/null
+++ b/autofs-5.1.7-add-ext_mount_hash_mutex-lock-helpers.patch
@@ -0,0 +1,104 @@
+autofs-5.1.7 - add ext_mount_hash_mutex lock helpers
+
+From: Ian Kent
+
+Coverity: check_return: Calling "pthread_mutex_lock" without checking
+ return value.
+
+Well, I use helpers to do this in many places so can't really disagree.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ lib/mounts.c | 26 ++++++++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index b1b28888..ff44ac25 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -65,6 +65,7 @@
+ - fix double free in parse_mapent().
+ - refactor lookup_prune_one_cache() a bit.
+ - cater for empty mounts list in mnts_get_expire_list().
++- add ext_mount_hash_mutex lock helpers.
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/lib/mounts.c b/lib/mounts.c
+index 3996eb5e..c24d1a88 100644
+--- a/lib/mounts.c
++++ b/lib/mounts.c
+@@ -788,6 +788,20 @@ char *make_mnt_name_string(char *path)
+ return mnt_name;
+ }
+
++static void ext_mount_hash_mutex_lock(void)
++{
++ int status = pthread_mutex_lock(&ext_mount_hash_mutex);
++ if (status)
++ fatal(status);
++}
++
++static void ext_mount_hash_mutex_unlock(void)
++{
++ int status = pthread_mutex_unlock(&ext_mount_hash_mutex);
++ if (status)
++ fatal(status);
++}
++
+ static struct ext_mount *ext_mount_lookup(const char *mp)
+ {
+ uint32_t hval = hash(mp, HASH_SIZE(ext_mounts_hash));
+@@ -806,7 +820,7 @@ int ext_mount_add(const char *path, const char *umount)
+ struct ext_mount *em;
+ int ret = 0;
+
+- pthread_mutex_lock(&ext_mount_hash_mutex);
++ ext_mount_hash_mutex_lock();
+
+ em = ext_mount_lookup(path);
+ if (em) {
+@@ -840,7 +854,7 @@ int ext_mount_add(const char *path, const char *umount)
+
+ ret = 1;
+ done:
+- pthread_mutex_unlock(&ext_mount_hash_mutex);
++ ext_mount_hash_mutex_unlock();
+ return ret;
+ }
+
+@@ -849,7 +863,7 @@ int ext_mount_remove(const char *path)
+ struct ext_mount *em;
+ int ret = 0;
+
+- pthread_mutex_lock(&ext_mount_hash_mutex);
++ ext_mount_hash_mutex_lock();
+
+ em = ext_mount_lookup(path);
+ if (!em)
+@@ -867,7 +881,7 @@ int ext_mount_remove(const char *path)
+ ret = 1;
+ }
+ done:
+- pthread_mutex_unlock(&ext_mount_hash_mutex);
++ ext_mount_hash_mutex_unlock();
+ return ret;
+ }
+
+@@ -876,13 +890,13 @@ int ext_mount_inuse(const char *path)
+ struct ext_mount *em;
+ int ret = 0;
+
+- pthread_mutex_lock(&ext_mount_hash_mutex);
++ ext_mount_hash_mutex_lock();
+ em = ext_mount_lookup(path);
+ if (!em)
+ goto done;
+ ret = em->ref;
+ done:
+- pthread_mutex_unlock(&ext_mount_hash_mutex);
++ ext_mount_hash_mutex_unlock();
+ return ret;
+ }
+
diff --git a/autofs-5.1.7-add-length-check-in-umount_subtree_mounts.patch b/autofs-5.1.7-add-length-check-in-umount_subtree_mounts.patch
new file mode 100644
index 0000000..264f83a
--- /dev/null
+++ b/autofs-5.1.7-add-length-check-in-umount_subtree_mounts.patch
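Review bot: The new helpers `ext_mount_hash_mutex_lock()` and `ext_mount_hash_mutex_unlock()` carry no comment saying that a failed lock or unlock now ends in `fatal(status)`, where the old call sites in `ext_mount_add()`, `ext_mount_remove()` and `ext_mount_inuse()` ignored the return value. A one-line comment above the first helper, for example `/* A failure to take or release ext_mount_hash_mutex is treated as unrecoverable */`, would make that contract visible to later callers. What `fatal()` does after being called is not shown in this patch, so the wording should be checked against its definition.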
@@ -0,0 +1,42 @@
+autofs-5.1.7 - add length check in umount_subtree_mounts()
+
+From: Ian Kent
+
+Coverity: fixed_size_dest: You might overrun the 4097-character
+ fixed-size string "key" by copying "me->key" without
+ checking the length.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/automount.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 224f58d6..9e385ba9 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -55,6 +55,7 @@
+ - fix possible memory leak in master_parse().
+ - fix possible memory leak in mnts_add_amdmount().
+ - fix double unlock in parse_mount().
++- add length check in umount_subtree_mounts().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/automount.c b/daemon/automount.c
+index 48472d5f..70506d83 100644
+--- a/daemon/automount.c
++++ b/daemon/automount.c
+@@ -562,6 +562,11 @@ static int umount_subtree_mounts(struct autofs_point *ap, const char *path, unsi
+ left++;
+ }
+
++ if (me->len > PATH_MAX) {
++ crit(ap->logopt, "me->key too long for buffer");
++ return 1;
++ }
++
+ strcpy(key, me->key);
+
+ cache_unlock(mc);
diff --git a/autofs-5.1.7-add-missing-free-in-handle_mounts.patch b/autofs-5.1.7-add-missing-free-in-handle_mounts.patch
new file mode 100644
index 0000000..288e200
--- /dev/null
+++ b/autofs-5.1.7-add-missing-free-in-handle_mounts.patch
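Review bot: The added `return 1;` in `umount_subtree_mounts()` appears to leave with the map entry cache still locked, because the only visible `cache_unlock(mc);` comes after the `strcpy(key, me->key);` that the early return skips. If the lock is held at this point (the acquire is outside the hunk), the error path needs `cache_unlock(mc);` before `return 1;`, otherwise one over-long key turns into a stuck lock for every later user of that cache. The guard also trusts `me->len` to equal the length of `me->key`; if that invariant is not guaranteed where the entry is built, a bounded copy into `key` would be the safer form. The function body starts and ends outside the hunk.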
@@ -0,0 +1,42 @@
+autofs-5.1.7 - add missing free in handle_mounts()
+
+From: Ian Kent
+
+Coverity: error[doubleFree]: Memory pointed to by 'root' is freed twice
+
+No it's not, but root isn't freed before the fatal call which crashes
+automount so add a free() before the fatal() call.
+
+It appears Coverity doesn't recognise pthread_exit() as an exit condition.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/automount.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 9c3ede45..62a918a9 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -50,6 +50,7 @@
+ - check for offset with no mount location.
+ - remove mounts_mutex.
+ - remove unused variable from get_exports().
++- add missing free in handle_mounts().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/automount.c b/daemon/automount.c
+index 28c4d1ee..48472d5f 100644
+--- a/daemon/automount.c
++++ b/daemon/automount.c
+@@ -1922,6 +1922,8 @@ void *handle_mounts(void *arg)
+ status = pthread_mutex_lock(&suc->mutex);
+ if (status) {
+ logerr("failed to lock startup condition mutex!");
++ if (root)
++ free(root);
+ fatal(status);
+ }
+
diff --git a/autofs-5.1.7-cater-for-empty-mounts-list-in-mnts_get_expire_list.patch b/autofs-5.1.7-cater-for-empty-mounts-list-in-mnts_get_expire_list.patch
new file mode 100644
index 0000000..062ecdc
--- /dev/null
+++ b/autofs-5.1.7-cater-for-empty-mounts-list-in-mnts_get_expire_list.patch
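Review bot: The `if (root)` guard in front of `free(root);` in `handle_mounts()` is redundant, since `free(NULL)` is defined as a no-op; the two added lines can be the single statement `free(root);`. The same pattern is added in the `master_parse.y` patch later in this commit (`if (path) free(path);`), which can likewise be `free(path);`. Neither changes behaviour, but dropping the guard removes a branch that static analysers tend to flag again. The declaration of `root` is outside the hunk.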
@@ -0,0 +1,44 @@
+autofs-5.1.7 - cater for empty mounts list in mnts_get_expire_list()
+
+From: Ian Kent
+
+Coverity: var_deref_model: Passing null pointer "tree" to
+ "tree_traverse_inorder", which dereferences it.
+
+This obviously can't happen but deal with it anyway to quiet Coverity.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ lib/mounts.c | 6 ++++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index b79aebc8..b1b28888 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -64,6 +64,7 @@
+ - fix missing lock release in mount_subtree().
+ - fix double free in parse_mapent().
+ - refactor lookup_prune_one_cache() a bit.
++- cater for empty mounts list in mnts_get_expire_list().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/lib/mounts.c b/lib/mounts.c
+index 883e3743..3996eb5e 100644
+--- a/lib/mounts.c
++++ b/lib/mounts.c
+@@ -1445,8 +1445,10 @@ void mnts_get_expire_list(struct list_head *mnts, struct autofs_point *ap)
+ }
+ }
+
+- tree_traverse_inorder(tree, tree_mnt_expire_list_work, mnts);
+- tree_free(tree);
++ if (tree) {
++ tree_traverse_inorder(tree, tree_mnt_expire_list_work, mnts);
++ tree_free(tree);
++ }
+ done:
+ mnts_hash_mutex_unlock();
+ }
diff --git a/autofs-5.1.7-dont-try-umount-after-stat-ENOENT-fail.patch b/autofs-5.1.7-dont-try-umount-after-stat-ENOENT-fail.patch
new file mode 100644
index 0000000..d71cd3e
--- /dev/null
+++ b/autofs-5.1.7-dont-try-umount-after-stat-ENOENT-fail.patch
@@ -0,0 +1,45 @@
+autofs-5.1.7 - dont try umount after stat() ENOENT fail
+
+From: Ian Kent
+
+Coverity: Calling function "umount" that uses "me->key" after a check
+ function. This can cause a time-of-check, time-of-use race
+ condition.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/direct.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 7add6c55..c7bc0c39 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -57,6 +57,7 @@
+ - fix double unlock in parse_mount().
+ - add length check in umount_subtree_mounts().
+ - fix flags check in umount_multi().
++- dont try umount after stat() ENOENT fail.
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/direct.c b/daemon/direct.c
+index a33f9f91..3bd714e6 100644
+--- a/daemon/direct.c
++++ b/daemon/direct.c
+@@ -739,9 +739,13 @@ int mount_autofs_offset(struct autofs_point *ap, struct mapent *me)
+
+ ret = stat(me->key, &st);
+ if (ret == -1) {
++ int save_errno = errno;
++
+ error(ap->logopt,
+ "failed to stat direct mount trigger %s", me->key);
+- goto out_umount;
++ if (save_errno != ENOENT)
++ goto out_umount;
++ goto out_err;
+ }
+
+ ops->open(ap->logopt, &ioctlfd, st.st_dev, me->key);
diff --git a/autofs-5.1.7-fix-arg-not-used-in-print.patch b/autofs-5.1.7-fix-arg-not-used-in-print.patch
new file mode 100644
index 0000000..52b8a6e
--- /dev/null
+++ b/autofs-5.1.7-fix-arg-not-used-in-print.patch
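Review bot: The check-then-use pattern Coverity reported in `mount_autofs_offset()` is only narrowed here: every `stat()` failure other than `ENOENT` still jumps to `out_umount`, and the success path goes on to use `me->key` by name in `ops->open(...)`, so the path can still change between the check and the use. If that residual window is accepted, a comment on the new branch would record why `ENOENT` is special, for example `/* Path no longer exists, so skip the umount attempt */` (the intent is inferred from the patch title). The saved value is also never reported; appending the reason to the existing message, e.g. `"failed to stat direct mount trigger %s: %s", me->key, strerror(save_errno)`, would let operators tell a vanished trigger from a permission or I/O error. The `out_umount` and `out_err` labels are outside the hunk.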
@@ -0,0 +1,40 @@
+autofs-5.1.7 - fix arg not used in error print
+
+From: Ian Kent
+
+Coverity: extra_argument: This argument was not used by the format
+ string: "key".
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ lib/mounts.c | 4 +---
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index f11aa1c7..1d56c96f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -60,6 +60,7 @@
+ - dont try umount after stat() ENOENT fail.
+ - remove redundant assignment in master_add_amd_mount_section_mounts().
+ - fix dead code in mnts_add_mount().
++- fix arg not used in error print.
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/lib/mounts.c b/lib/mounts.c
+index 018b9c80..883e3743 100644
+--- a/lib/mounts.c
++++ b/lib/mounts.c
+@@ -1519,9 +1519,7 @@ int tree_mapent_add_node(struct mapent_cache *mc,
+ }
+
+ if (MAPENT_ROOT(base) != MAPENT_NODE(base)) {
+- error(logopt,
+- "failed to find multi-mount root of offset tree",
+- key);
++ error(logopt, "key %s is not multi-mount root", root);
+ return 0;
+ }
+ tree = MAPENT_ROOT(base);
diff --git a/autofs-5.1.7-fix-dead-code-in-mnts_add_mount.patch b/autofs-5.1.7-fix-dead-code-in-mnts_add_mount.patch
new file mode 100644
index 0000000..a32bf7b
--- /dev/null
+++ b/autofs-5.1.7-fix-dead-code-in-mnts_add_mount.patch
@@ -0,0 +1,55 @@
+autofs-5.1.7 - fix dead code in mnts_add_mount()
+
+From: Ian Kent
+
+Coverity: dead_error_line: Execution cannot reach this statement: "free(mp);".
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ lib/mounts.c | 8 ++------
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index f95b1aa6..f11aa1c7 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -59,6 +59,7 @@
+ - fix flags check in umount_multi().
+ - dont try umount after stat() ENOENT fail.
+ - remove redundant assignment in master_add_amd_mount_section_mounts().
++- fix dead code in mnts_add_mount().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/lib/mounts.c b/lib/mounts.c
+index ef69cec1..018b9c80 100644
+--- a/lib/mounts.c
++++ b/lib/mounts.c
+@@ -1205,13 +1205,13 @@ struct mnt_list *mnts_add_mount(struct autofs_point *ap,
+ if (*name == '/') {
+ mp = strdup(name);
+ if (!mp)
+- goto fail;
++ return NULL;
+ } else {
+ int len = ap->len + strlen(name) + 2;
+
+ mp = malloc(len);
+ if (!mp)
+- goto fail;
++ return NULL;
+ strcpy(mp, ap->path);
+ strcat(mp, "/");
+ strcat(mp, name);
+@@ -1228,10 +1228,6 @@ struct mnt_list *mnts_add_mount(struct autofs_point *ap,
+ free(mp);
+
+ return this;
+-fail:
+- if (mp)
+- free(mp);
+- return NULL;
+ }
+
+ void mnts_remove_mount(const char *mp, unsigned int flags)
diff --git a/autofs-5.1.7-fix-double-free-in-parse_mapent.patch b/autofs-5.1.7-fix-double-free-in-parse_mapent.patch
new file mode 100644
index 0000000..64ec0c8
--- /dev/null
+++ b/autofs-5.1.7-fix-double-free-in-parse_mapent.patch
@@ -0,0 +1,39 @@
+autofs-5.1.7 - fix double free in parse_mapent()
+
+From: Ian Kent
+
+Coverity:
+in parse_mapent(): double_free: Calling "free" frees pointer "newopt"
+ which has already been freed.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ modules/parse_sun.c | 2 --
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index ff3d88eb..81461978 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -62,6 +62,7 @@
+ - fix dead code in mnts_add_mount().
+ - fix arg not used in error print.
+ - fix missing lock release in mount_subtree().
++- fix double free in parse_mapent().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/parse_sun.c b/modules/parse_sun.c
+index 5d15f892..03a63290 100644
+--- a/modules/parse_sun.c
++++ b/modules/parse_sun.c
+@@ -974,8 +974,6 @@ static int parse_mapent(const char *ent, char *g_options, char **options, char *
+ estr = strerror_r(errno, buf, MAX_ERR_BUF);
+ error(logopt, MODPREFIX
+ "concat_options: %s", estr);
+- if (newopt)
+- free(newopt);
+ free(myoptions);
+ return 0;
+ }
diff --git a/autofs-5.1.7-fix-double-unlock-in-parse_mount.patch b/autofs-5.1.7-fix-double-unlock-in-parse_mount.patch
new file mode 100644
index 0000000..d08b942
--- /dev/null
+++ b/autofs-5.1.7-fix-double-unlock-in-parse_mount.patch
@@ -0,0 +1,37 @@
+autofs-5.1.7 - fix double unlock in parse_mount()
+
+From: Ian Kent
+
+Coverity: double_unlock: "cache_unlock" unlocks "mc->rwlock" while it
+ is unlocked.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ modules/parse_sun.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 2e3b9fd7..224f58d6 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -54,6 +54,7 @@
+ - remove redundant if check.
+ - fix possible memory leak in master_parse().
+ - fix possible memory leak in mnts_add_amdmount().
++- fix double unlock in parse_mount().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/parse_sun.c b/modules/parse_sun.c
+index a81d4028..05f53fc2 100644
+--- a/modules/parse_sun.c
++++ b/modules/parse_sun.c
+@@ -1526,7 +1526,6 @@ dont_expand:
+ if (!loc) {
+ free(options);
+ free(pmapent);
+- cache_unlock(mc);
+ warn(ap->logopt, MODPREFIX "out of memory");
+ return 1;
+ }
diff --git a/autofs-5.1.7-fix-flag-check-in-umount_multi.patch b/autofs-5.1.7-fix-flag-check-in-umount_multi.patch
new file mode 100644
index 0000000..eaa784c
--- /dev/null
+++ b/autofs-5.1.7-fix-flag-check-in-umount_multi.patch
@@ -0,0 +1,38 @@
+autofs-5.1.7 - fix flags check in umount_multi()
+
+From: Ian Kent
+
+Coverity: operator_confusion: "ap->flags | 1" is always 1/true
+ regardless of the values of its operand.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/automount.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 9e385ba9..7add6c55 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -56,6 +56,7 @@
+ - fix possible memory leak in mnts_add_amdmount().
+ - fix double unlock in parse_mount().
+ - add length check in umount_subtree_mounts().
++- fix flags check in umount_multi().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/automount.c b/daemon/automount.c
+index 70506d83..23235a7d 100644
+--- a/daemon/automount.c
++++ b/daemon/automount.c
+@@ -662,7 +662,7 @@ int umount_multi(struct autofs_point *ap, const char *path, int incl)
+ /* Check if the autofs mount has browse mode enabled.
+ * If so re-create the directory entry.
+ */
+- if (ap->flags | MOUNT_FLAG_GHOST) {
++ if (ap->flags & MOUNT_FLAG_GHOST) {
+ int ret;
+
+ /* If the browse directory create fails log an
diff --git a/autofs-5.1.7-fix-missing-lock-release-in-mount_subtree.patch b/autofs-5.1.7-fix-missing-lock-release-in-mount_subtree.patch
new file mode 100644
index 0000000..8b1d211
--- /dev/null
+++ b/autofs-5.1.7-fix-missing-lock-release-in-mount_subtree.patch
@@ -0,0 +1,36 @@
+autofs-5.1.7 - fix missing lock release in mount_subtree()
+
+From: Ian Kent
+
+Covarity: missing_unlock: Returning without unlocking "mc->rwlock".
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ modules/parse_sun.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 1d56c96f..ff3d88eb 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -61,6 +61,7 @@
+ - remove redundant assignment in master_add_amd_mount_section_mounts().
+ - fix dead code in mnts_add_mount().
+ - fix arg not used in error print.
++- fix missing lock release in mount_subtree().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/modules/parse_sun.c b/modules/parse_sun.c
+index 05f53fc2..5d15f892 100644
+--- a/modules/parse_sun.c
++++ b/modules/parse_sun.c
+@@ -1105,6 +1105,7 @@ static int mount_subtree(struct autofs_point *ap, struct mapent_cache *mc,
+ len = mount_fullpath(key, PATH_MAX, ap->path, ap->len, me->key);
+ if (!len) {
+ warn(ap->logopt, "path loo long");
++ cache_unlock(mc);
+ return 1;
+ }
+ key[len] = '/';
diff --git a/autofs-5.1.7-fix-possible-memory-leak-in-master_parse.patch b/autofs-5.1.7-fix-possible-memory-leak-in-master_parse.patch
new file mode 100644
index 0000000..c2ea9df
--- /dev/null
+++ b/autofs-5.1.7-fix-possible-memory-leak-in-master_parse.patch
@@ -0,0 +1,38 @@
+autofs-5.1.7 - fix possible memory leak in master_parse()
+
+From: Ian Kent
+
+Coverity: Overwriting "path" in "path = master_strdup(yyvsp[-1].strtype)"
+ leaks the storage that "path" points to.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/master_parse.y | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 2186cbe3..b797f6dc 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -52,6 +52,7 @@
+ - remove unused variable from get_exports().
+ - add missing free in handle_mounts().
+ - remove redundant if check.
++- fix possible memory leak in master_parse().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/master_parse.y b/daemon/master_parse.y
+index 08e44b57..7480c36a 100644
+--- a/daemon/master_parse.y
++++ b/daemon/master_parse.y
+@@ -155,6 +155,8 @@ file: {
+ line:
+ | PATH mapspec
+ {
++ if (path)
++ free(path);
+ path = master_strdup($1);
+ if (!path) {
+ local_free_vars();
diff --git a/autofs-5.1.7-fix-possible-memory-leak-in-mnts_add_amdmount.patch b/autofs-5.1.7-fix-possible-memory-leak-in-mnts_add_amdmount.patch
new file mode 100644
index 0000000..5b7c9cc
--- /dev/null
+++ b/autofs-5.1.7-fix-possible-memory-leak-in-mnts_add_amdmount.patch
@@ -0,0 +1,58 @@
+autofs-5.1.7 - fix possible memory leak in mnts_add_amdmount()
+
+From: Ian Kent
+
+Coverity: leaked_storage: Variable "ext_mp" going out of scope leaks
+ the storage it points to.
+
+Same applies to the other duped fields destined for the mnt_list struct.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ lib/mounts.c | 20 ++++++++++----------
+ 2 files changed, 11 insertions(+), 10 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index b797f6dc..2e3b9fd7 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -53,6 +53,7 @@
+ - add missing free in handle_mounts().
+ - remove redundant if check.
+ - fix possible memory leak in master_parse().
++- fix possible memory leak in mnts_add_amdmount().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/lib/mounts.c b/lib/mounts.c
+index c8a7bf00..ef69cec1 100644
+--- a/lib/mounts.c
++++ b/lib/mounts.c
+@@ -1119,16 +1119,16 @@ struct mnt_list *mnts_add_amdmount(struct autofs_point *ap, struct amd_entry *en
+
+ mnts_hash_mutex_lock();
+ this = mnts_get_mount(entry->path);
+- if (this) {
+- this->ext_mp = ext_mp;
+- this->amd_pref = pref;
+- this->amd_type = type;
+- this->amd_opts = opts;
+- this->amd_cache_opts = entry->cache_opts;
+- this->flags |= MNTS_AMD_MOUNT;
+- if (list_empty(&this->amdmount))
+- list_add_tail(&this->amdmount, &ap->amdmounts);
+- }
++ if (!this)
++ goto fail;
++ this->ext_mp = ext_mp;
++ this->amd_pref = pref;
++ this->amd_type = type;
++ this->amd_opts = opts;
++ this->amd_cache_opts = entry->cache_opts;
++ this->flags |= MNTS_AMD_MOUNT;
++ if (list_empty(&this->amdmount))
++ list_add_tail(&this->amdmount, &ap->amdmounts);
+ mnts_hash_mutex_unlock();
+
+ return this;
diff --git a/autofs-5.1.7-refactor-lookup_prune_one_cache-a-bit.patch b/autofs-5.1.7-refactor-lookup_prune_one_cache-a-bit.patch
new file mode 100644
index 0000000..e013a52
--- /dev/null
+++ b/autofs-5.1.7-refactor-lookup_prune_one_cache-a-bit.patch
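Review bot: The new `goto fail;` in `mnts_add_amdmount()` is taken after `mnts_hash_mutex_lock()` and bypasses the only visible `mnts_hash_mutex_unlock()`, so the leak fix may trade leaked strings for a leaked mutex. The `fail` label is outside the hunk; unless it releases the mutex itself (which would then be wrong for jumps made before the lock is taken), the branch should unlock first: `if (!this) { mnts_hash_mutex_unlock(); goto fail; }`. A mutex left held here would block every later caller that takes the mounts hash lock, so this path is worth a targeted test with a path that `mnts_get_mount()` cannot resolve.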
@@ -0,0 +1,75 @@
+autofs-5.1.7 - refactor lookup_prune_one_cache() a bit
+
+From: Ian Kent
+
+Coverity: use: Using an unreliable value of "me" inside the second locked
+ section.
+
+Change lookup_prune_one_cache() a little, move the location the next
+key is set (before releasing the lock) and add a comment explaining
+why we don't care about the side effects of the read lock release/
+write lock aquire/write lock release/read lock reaquire.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/lookup.c | 20 +++++++++++++++++++-
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 81461978..b79aebc8 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -63,6 +63,7 @@
+ - fix arg not used in error print.
+ - fix missing lock release in mount_subtree().
+ - fix double free in parse_mapent().
++- refactor lookup_prune_one_cache() a bit.
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/lookup.c b/daemon/lookup.c
+index 32dbc24d..3e9722e4 100644
+--- a/daemon/lookup.c
++++ b/daemon/lookup.c
+@@ -1375,7 +1375,6 @@ void lookup_prune_one_cache(struct autofs_point *ap, struct mapent_cache *mc, ti
+ }
+
+ key = strdup(me->key);
+- me = cache_enumerate(mc, me);
+ /* Don't consider any entries with a wildcard */
+ if (!key || strchr(key, '*')) {
+ if (key)
+@@ -1422,6 +1421,7 @@ void lookup_prune_one_cache(struct autofs_point *ap, struct mapent_cache *mc, ti
+ if (valid)
+ cache_unlock(valid->mc);
+
++ me = cache_enumerate(mc, me);
+ if (me)
+ next_key = strdup(me->key);
+
+@@ -1456,6 +1456,24 @@ void lookup_prune_one_cache(struct autofs_point *ap, struct mapent_cache *mc, ti
+ next:
+ cache_readlock(mc);
+ if (next_key) {
++ /* The lock release and reaquire above can mean
++ * a number of things could happen.
++ *
++ * First, mapents could be added between the
++ * current mapent and the mapent of next_key.
++ * Don't care about that because there's no
++ * need to prune newly added entries.
++ *
++ * Second, the next mapent data could have
++ * changed. Don't care about that either since
++ * we are looking to prune stale map entries
++ * and don't care when they become stale.
++ *
++ * Finally, the mapent of next_key could have
++ * gone away. Again don't care about this either,
++ * the loop will exit prematurely so just wait
++ * until the next prune and try again.
++ */
+ me = cache_lookup_distinct(mc, next_key);
+ free(next_key);
+ }
diff --git a/autofs-5.1.7-remove-redundant-assignment-in-master_add_amd_mount_section_mounts.patch b/autofs-5.1.7-remove-redundant-assignment-in-master_add_amd_mount_section_mounts.patch
new file mode 100644
index 0000000..44cdc66
--- /dev/null
+++ b/autofs-5.1.7-remove-redundant-assignment-in-master_add_amd_mount_section_mounts.patch
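Review bot: Moving `me = cache_enumerate(mc, me);` from just after `key = strdup(me->key);` down to the point after `cache_unlock(valid->mc)` leaves every earlier exit from the loop body without an advance of `me`. The body of the `if (!key || strchr(key, '*'))` branch is cut off by the hunk, but if it (or any other path between the two positions) ends in `continue`, the loop re-enters with the same entry and never terminates for a wildcard key or a failed `strdup()`, spinning while the cache read lock is held. Each such path needs its own `me = cache_enumerate(mc, me);` immediately before the `continue`. The loop header and those branches are outside the hunk, so this needs checking against the full function.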
@@ -0,0 +1,40 @@
+autofs-5.1.7 - remove redundant assignment in master_add_amd_mount_section_mounts()
+
+From: Ian Kent
+
+Coverity: missing_lock: Accessing "entry->current" without holding lock
+ "master_mapent.current_mutex".
+
+This is initialization not clearing current source. But the field has
+already been initialized in the master_new_mapent() call.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/master.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index c7bc0c39..f95b1aa6 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -58,6 +58,7 @@
+ - add length check in umount_subtree_mounts().
+ - fix flags check in umount_multi().
+ - dont try umount after stat() ENOENT fail.
++- remove redundant assignment in master_add_amd_mount_section_mounts().
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/master.c b/daemon/master.c
+index 30d7cf98..84743f80 100644
+--- a/daemon/master.c
++++ b/daemon/master.c
+@@ -996,7 +996,6 @@ static void master_add_amd_mount_section_mounts(struct master *master, time_t ag
+ source->master_line = 0;
+
+ entry->age = age;
+- entry->current = NULL;
+
+ master_add_mapent(master, entry);
+ next:
diff --git a/autofs-5.1.7-remove-redundant-if-check.patch b/autofs-5.1.7-remove-redundant-if-check.patch
new file mode 100644
index 0000000..86948ea
--- /dev/null
+++ b/autofs-5.1.7-remove-redundant-if-check.patch
@@ -0,0 +1,40 @@
+autofs-5.1.7 - remove redundant if check
+
+From: Ian Kent
+
+Coverity: identical code in if condition branches.
+
+Signed-off-by: Ian Kent
+---
+ CHANGELOG | 1 +
+ daemon/direct.c | 5 +----
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 62a918a9..2186cbe3 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -51,6 +51,7 @@
+ - remove mounts_mutex.
+ - remove unused variable from get_exports().
+ - add missing free in handle_mounts().
++- remove redundant if check.
+
+ 25/01/2021 autofs-5.1.7
+ - make bind mounts propagation slave by default.
+diff --git a/daemon/direct.c b/daemon/direct.c
+index 3f4f5704..a33f9f91 100644
+--- a/daemon/direct.c
++++ b/daemon/direct.c
+@@ -752,10 +752,7 @@ int mount_autofs_offset(struct autofs_point *ap, struct mapent *me)
+
+ ops->timeout(ap->logopt, ioctlfd, timeout);
+ cache_set_ino_index(me->mc, me->key, st.st_dev, st.st_ino);
+- if (ap->logopt & LOGOPT_DEBUG)
+- notify_mount_result(ap, me->key, timeout, str_offset);
+- else
+- notify_mount_result(ap, me->key, timeout, str_offset);
++ notify_mount_result(ap, me->key, timeout, str_offset);
+ ops->close(ap->logopt, ioctlfd);
+
+ debug(ap->logopt, "mounted trigger %s", me->key);
diff --git a/autofs.spec b/autofs.spec
index 507da7a..8d8ee48 100644
--- a/autofs.spec
+++ b/autofs.spec
@@ -12,7 +12,7 @@
 Summary: A tool for automatically mounting and unmounting filesystems
 Name: autofs
 Version: 5.1.7
-Release: 11%{?dist}
+Release: 12%{?dist}
 Epoch: 1
 License: GPLv2+
 Source: https://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-%{version}.tar.gz
@@ -68,6 +68,22 @@ Patch48: autofs-5.1.7-move-amd-mounts-removal-into-lib_mounts_c.patch
 Patch49: autofs-5.1.7-check-for-offset-with-no-mount-location.patch
 Patch50: autofs-5.1.7-remove-mounts_mutex.patch
 Patch51: autofs-5.1.7-remove-unused-variable-from-get_exports.patch
+Patch52: autofs-5.1.7-add-missing-free-in-handle_mounts.patch
+Patch53: autofs-5.1.7-remove-redundant-if-check.patch
+Patch54: autofs-5.1.7-fix-possible-memory-leak-in-master_parse.patch
+Patch55: autofs-5.1.7-fix-possible-memory-leak-in-mnts_add_amdmount.patch
+Patch56: autofs-5.1.7-fix-double-unlock-in-parse_mount.patch
+Patch57: autofs-5.1.7-add-length-check-in-umount_subtree_mounts.patch
+Patch58: autofs-5.1.7-fix-flag-check-in-umount_multi.patch
+Patch59: autofs-5.1.7-dont-try-umount-after-stat-ENOENT-fail.patch
+Patch60: autofs-5.1.7-remove-redundant-assignment-in-master_add_amd_mount_section_mounts.patch
+Patch61: autofs-5.1.7-fix-dead-code-in-mnts_add_mount.patch
+Patch62: autofs-5.1.7-fix-arg-not-used-in-print.patch
+Patch63: autofs-5.1.7-fix-missing-lock-release-in-mount_subtree.patch
+Patch64: autofs-5.1.7-fix-double-free-in-parse_mapent.patch
+Patch65: autofs-5.1.7-refactor-lookup_prune_one_cache-a-bit.patch
+Patch66: autofs-5.1.7-cater-for-empty-mounts-list-in-mnts_get_expire_list.patch
+Patch67: autofs-5.1.7-add-ext_mount_hash_mutex-lock-helpers.patch
 
 %if %{with_systemd}
 BuildRequires: systemd-units
@@ -183,6 +199,22 @@ echo %{version}-%{release} > .version
 %patch49 -p1
 %patch50 -p1
 %patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
 
 %build
 LDFLAGS=-Wl,-z,now
@@ -291,6 +323,28 @@ fi
 %dir /etc/auto.master.d
 
 %changelog
+* Tue Apr 13 2021 Ian Kent - 1:5.1.7-11
+ - bz1948956 - Using -hosts option does not resolve host from /etc/hosts
+ and mount failes
+ - Coverity fixes (arising from RHEL-8 bug 1912106)
+ - add missing free in handle_mounts().
+ - remove redundant if check.
+ - fix possible memory leak in master_parse().
+ - fix possible memory leak in mnts_add_amdmount().
+ - fix double unlock in parse_mount().
+ - add length check in umount_subtree_mounts().
+ - fix flags check in umount_multi().
+ - dont try umount after stat() ENOENT fail.
+ - remove redundant assignment in master_add_amd_mount_section_mounts().
+ - fix dead code in mnts_add_mount().
+ - fix arg not used in error print.
+ - fix missing lock release in mount_subtree().
+ - fix double free in parse_mapent().
+ - refactor lookup_prune_one_cache() a bit.
+ - cater for empty mounts list in mnts_get_expire_list().
+ - add ext_mount_hash_mutex lock helpers.
+- Resolves: rhbz#1948956
+
 * Thu Apr 15 2021 Mohan Boddu - 1:5.1.7-11
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
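Review bot: The new `%changelog` entry is headed `* Tue Apr 13 2021 Ian Kent - 1:5.1.7-11`, which does not match the `Release: 12%{?dist}` bump made earlier in this same file, and it is placed above the existing `Thu Apr 15 2021` entry although its date is older. Changelog entries are expected in descending date order with the top entry naming the version being built, so tooling and auditors that map a fix to a build from the changelog would attribute these Coverity fixes to release 11. The header should carry the new release and a date no earlier than the entry below it, for example `* Fri Apr 16 2021 Ian Kent - 1:5.1.7-12` (date taken from the commit header; adjust if the build date differs). The second line of the entry also has a typo, `failes` for `fails`.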