[Pkg-openssl-devel] Bug#665836: Bug#665836: openssh-server: segfault error 6 in libcrypto.so.1.0.0

Michael Welsh Duggan mwd at cert.org
Mon Mar 26 21:22:36 UTC 2012


Kurt Roeckx <kurt at roeckx.be> writes:

> On Mon, Mar 26, 2012 at 07:45:08PM +0200, Kurt Roeckx wrote:
>> On Mon, Mar 26, 2012 at 01:03:31PM -0400, Michael Welsh Duggan wrote:
>> > Kurt Roeckx <kurt at roeckx.be> writes:
>> > 
>> > > On Mon, Mar 26, 2012 at 09:20:47AM -0400, Michael Welsh Duggan wrote:
>> > >> Package: openssh-server
>> > >> Version: 1:5.9p1-4
>> > >> Severity: important
>> > >> 
>> > >> Dear Maintainer,
>> > >> 
>> > >> When connecting to my home machine while forwarding ports, I keep getting
>> > >> segfaults in sshd whenever the forwarded ports are used.  This includes
>> > >> X forwarding.  The errors that appear in my syslog look like this:
>> > >> 
>> > >> Mar 26 09:11:41 maru kernel: sshd[9320]: segfault at b8749000 ip
>> > >> b752f678 sp bfde6de0 error 6 in libcrypto.so.1.0.0[b74c6000+1a3000]
>> > >> Mar 26 09:11:52 maru kernel: sshd[10647]: segfault at b81fa008 ip
>> > >> b753b678 sp bf9d42d0 error 6 in libcrypto.so.1.0.0[b74d2000+1a3000]
>> > >> Mar 26 09:11:56 maru kernel: sshd[10680]: segfault at b8563000 ip
>> > >> b759b678 sp bfdff0a0 error 6 in libcrypto.so.1.0.0[b7532000+1a3000]
>> > >
>> > > I'm unable to reproduce this.
>> > >
>> > > I've tried using openssh-server 1:5.9p1-4 and libssl1.0.0 1.0.1-2 on the
>> > > server side, openssh-client 1:5.9p1-3 and libssl1.0.0 1.0.0h-1 on
>> > > the client side, and used ssh -X.
>> > 
>> > I am using OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 on the client side.
>> > (This client worked in previous versions.)
>> > 
>> > > I'm using an RSA key if that has anything to do with it.
>> > 
>> > I am using a DSA key.
>> > 
>> > > I didn't try anything like -L or -R, should I try those?
>> > 
>> > Did you attempt to pull use the tunneled X connection?  Nothing failed
>> > for me until I did.
>> 
>> I started a remote xterm and closed it, and then closed the ssh
>> session.
>> 
>> I've set up a tunnel using -L, and then used that tunnel.  I tried
>> to close the tunnel connection first, try to log out (and hang)
>> first, just closed the ssh connection (~.) ...
>> 
>> I'm not sure what else I can try.
>> 
>> I'm not sure what you mean with "to pull use".
>
> Can you attach gdb to the sshd, and then make it crash and
> send me a backtrace?

Unfortunately, no.  Here is the sequence of events I tested:

1) I re-installed libssl-1.0.0 version 1.0.1-1
2) I started gdb on /usr/bin/sshd as root
3) I ran sshd from gdb using -d -p 2222
4) I connected to that port from my Redhat box.
5) I started an xterm.
6) I exited the xterm with ^D.

At the instant step 6 happened, I got an ordinary shutdown of sshd from
within gdb, with the following messages:

debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
debug1: session_pty_cleanup: session 0 release /dev/pts/5
[Inferior 1 (process 21113) exited with code 0377]

In my syslog, I get the following line:

Mar 26 17:09:47 maru kernel: sshd[21123]: segfault at 800ef000 ip b7e2d678 sp bfffeec0 error 6 in libcrypto.so.1.0.0[b7dc4000+1a3000]

So, although sshd exited properly, it emitted an error *saying* segfault
in my syslog.  This may explain why I seem to have been unable to get a
core file.  I have included the full log below.  In order to reproduce
this from where I am currently (behind a firewall), I tunneled 2222
through my primary ssh to the ssh host machine.

Full log:

md5i at maru:~$ sudo gdb /usr/sbin/sshd 
GNU gdb (GDB) 7.4-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
warning: not using untrusted file ".gdbinit"
(gdb) run -p 2222 -d
Starting program: /usr/sbin/sshd -p 2222 -d
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
debug1: sshd version OpenSSH_5.9p1 Debian-4
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='2222'
debug1: rexec_argv[3]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
process 21113 is executing new program: /usr/sbin/sshd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 39719
debug1: Client protocol version 2.0; client software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_5.9p1 Debian-4
debug1: permanently_set_uid: 100/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes256-cbc hmac-md5 none [preauth]
debug1: kex: server->client aes256-cbc hmac-md5 none [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user md5i service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug1: PAM: initializing for "md5i"
debug1: PAM: setting PAM_RHOST to "maru.md5i.com"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user md5i service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/md5i/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: restore_uid: 0/0
Failed publickey for md5i from 127.0.0.1 port 39719 ssh2
debug1: userauth-request for user md5i service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-2048
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/md5i/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/md5i/.ssh/authorized_keys, line 1
Found matching DSA key: 34:05:aa:24:28:96:f7:60:7e:da:fa:fc:3b:86:97:dc
debug1: restore_uid: 0/0
Postponed publickey for md5i from 127.0.0.1 port 39719 ssh2 [preauth]
debug1: userauth-request for user md5i service ssh-connection method publickey [preauth]
debug1: attempt 3 failures 1 [preauth]
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-2048
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /home/md5i/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/md5i/.ssh/authorized_keys, line 1
Found matching DSA key: 34:05:aa:24:28:96:f7:60:7e:da:fa:fc:3b:86:97:dc
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug1: do_pam_account: called
Accepted publickey for md5i from 127.0.0.1 port 39719 ssh2
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: md5i has been authenticated by privileged process
debug1: PAM: establishing credentials
User child is on pid 21123
debug1: SELinux support disabled
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1000/1000
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request x11-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug1: channel 1: new [X11 inet listener]
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: SELinux support disabled
debug1: session_pty_req: session 0 alloc /dev/pts/5
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug1: X11 connection requested.
debug1: channel 3: new [X11 connection from 127.0.0.1 port 40916]
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: closing session
debug1: PAM: deleting credentials
debug1: session_pty_cleanup: session 0 release /dev/pts/5
[Inferior 1 (process 21113) exited with code 0377]


-- 
Michael Welsh Duggan
(mwd at cert.org)
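
A triage sketch for the kernel lines quoted in this thread, added here as an example and not part of the original message: it decodes the x86 page-fault error code and subtracts the mapping base from the instruction pointer so that crashes from different sshd processes can be compared. The function names are assumptions of this example; the log lines are copied from the message with wrapped lines rejoined.

```python
import re

# Kernel lines copied from the message above, wrapped lines rejoined.
SYSLOG = """\
Mar 26 09:11:41 maru kernel: sshd[9320]: segfault at b8749000 ip b752f678 sp bfde6de0 error 6 in libcrypto.so.1.0.0[b74c6000+1a3000]
Mar 26 09:11:52 maru kernel: sshd[10647]: segfault at b81fa008 ip b753b678 sp bf9d42d0 error 6 in libcrypto.so.1.0.0[b74d2000+1a3000]
Mar 26 09:11:56 maru kernel: sshd[10680]: segfault at b8563000 ip b759b678 sp bfdff0a0 error 6 in libcrypto.so.1.0.0[b7532000+1a3000]
Mar 26 17:09:47 maru kernel: sshd[21123]: segfault at 800ef000 ip b7e2d678 sp bfffeec0 error 6 in libcrypto.so.1.0.0[b7dc4000+1a3000]
"""

SEGV = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_error(code):
    """Decode the low three bits of the x86 page-fault error code."""
    return {
        "cause": "protection violation" if code & 1 else "page not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }

def parse_segfaults(text):
    """Return one record per kernel segfault line found in text."""
    records = []
    for m in SEGV.finditer(text):
        d = m.groupdict()
        rec = {"comm": d["comm"], "pid": int(d["pid"]), "addr": int(d["addr"], 16),
               "ip": int(d["ip"], 16), "object": d["obj"], "offset": None}
        rec.update(decode_error(int(d["err"], 16)))
        if d["base"]:
            base, size = int(d["base"], 16), int(d["size"], 16)
            # The mapping base differs per process; ip - base does not.
            if base <= rec["ip"] < base + size:
                rec["offset"] = rec["ip"] - base
        records.append(rec)
    return records

def fault_sites(records):
    """Distinct (object, offset) pairs; a single pair means one faulting instruction."""
    return {(r["object"], r["offset"]) for r in records}

if __name__ == "__main__":
    for r in parse_segfaults(SYSLOG):
        off = "?" if r["offset"] is None else hex(r["offset"])
        print(f'{r["comm"]}[{r["pid"]}] {r["mode"]}-mode {r["access"]}, {r["cause"]}, '
              f'addr {r["addr"]:#x}, {r["object"]}+{off}')
```

For the last line the parsed pid, 21123, is the one the debug log reports as "User child is on pid 21123", not process 21113 that gdb was following. Turning the common offset into a function name needs the library's debug symbols (for example with addr2line), which this example does not attempt.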




