Bug report preview for nfsidmap

Report that will be submitted

Announcement:

The security tag will be removed before submitting the report. The majority of the bugs found seem to have few security implications.
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Mayhem <mayhem@forallsecure.com>
To: Debian Bug Tracking System: <maintonly@bugs.debian.org>
Subject: nfs-common: nfsidmap crashes with exit status 139
X-Debbugs-Cc: none

Package: nfs-common
Version: 1:1.2.8-4
Severity: normal
Tag: security
User: mayhem@forallsecure.com
Usertags: mayhem

nfsidmap crashes with exit status 139. We confirmed the crash by
re-running it in a fresh debian unstable installation.

The attachment [1] contains a testcase (under ./crash) crashing the
program. It ensures that you can easily reproduce the bug. Additionally,
under ./crash_info/, we include more information about the crash such as
a core dump, the dmesg generated by the crash, and its output.

Regards,
The Mayhem Team (Alexandre Rebert, Thanassis Avgerinos, Sang Kil Cha, David Brumley, Manuel Egele)
Cylab, Carnegie Mellon University

[1] http://www.forallsecure.com/bug-reports/557e857e10afad31f118e3534f57d3cf7645d9fd/full_report


-- Package-specific info:
-- rpcinfo --
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  46579  status
    100024    1   tcp  50329  status
-- /etc/default/nfs-common --
NEED_STATD=
STATDOPTS=
NEED_IDMAPD=
NEED_GSSD=
-- /etc/idmapd.conf --
[General]
Verbosity = 0
Pipefs-Directory = /var/lib/nfs/rpc_pipefs
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
-- /etc/fstab --

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages nfs-common depends on:
ii  adduser             3.113+nmu3
ii  initscripts         2.88dsf-41
ii  libc6               2.17-6
ii  libcap2             1:2.22-1.2
ii  libcomerr2          1.42.8-1
ii  libdevmapper1.02.1  2:1.02.77-3
ii  libevent-2.0-5      2.0.21-stable-1
ii  libgssglue1         0.4-2
ii  libk5crypto3        1.10.1+dfsg-5+deb7u1
ii  libkeyutils1        1.5.5-7
ii  libkrb5-3           1.10.1+dfsg-5+deb7u1
ii  libmount1           2.20.1-5.4
ii  libnfsidmap2        0.25-5
ii  libtirpc1           0.2.2-5
ii  libwrap0            7.6.q-24
ii  lsb-base            4.1+Debian12
ii  rpcbind             0.2.0-8
ii  ucf                 3.0027

Versions of packages nfs-common recommends:
ii  python  2.7.5-2

Versions of packages nfs-common suggests:
pn  open-iscsi  <none>
pn  watchdog    <none>

-- no debconf information


Submission to the Debian BTS (July 10th, 2013)

In two weeks (the 10th of July of 2013), we will pull the latest package from debian unstable and re-run our testcase. Hopefully, you will have had time to update the package with a fix. If the crash still exists, then we will go ahead and submit a report to the Debian BTS. The main reason behind the preview is to give you time to assess the seriousness of the bug so that you can prepare an urgent security patch if necessary. If the bug is security critical and you do not have time to release a fix in the given time frame, please contact us at alexandre@cmu.edu so that we can delay the public disclosure.

Update status

We would like to keep track of statistics of the bugs, so we would really appreciate it if you took the time to update its status.

How was the bug found?

We found the bug using Mayhem, an automatic bug finding system that we've been developing in David Brumley's research lab for a couple of years now. We recently ran Mayhem on almost all ELF binaries of Debian Wheezy (~23,000 binaries) for 5 minutes each, and we found thousands of crashes on thousands of applications.

Our goal here is to make bug reports as complete and accurate as possible, so that we are not wasting your time. To minimize duplicates, we are reporting only one crash per binary, and at most 5 crashes per package. This amounts to 1,182 crashes. Moreover, to ensure accuracy, we confirmed all the crashes by re-running them in a fresh unstable installation. Finally, we also filter out assertion failures for now, as they seemed less important. In short, this report is reproducible and actionable.