[Bug 2225] New: sshd core dumps when used in high scaled environments.
bugzilla-daemon at mindrot.org
Sat Apr 12 13:41:10 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2225
Bug ID: 2225
Summary: sshd core dumps when used in high scaled environments.
Product: Portable OpenSSH
Version: 6.2p1
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: kavi at juniper.net
Created attachment 2424
--> https://bugzilla.mindrot.org/attachment.cgi?id=2424&action=edit
possible fix.
sshd crashes with a core dump when used in a high-scale environment.
The program crashes inside the function "cleanup_exit" at the line
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1)
It is assumed here that pmonitor is never NULL.
However, pmonitor can be NULL in the execution sequence below:
#0 0x0804e214 in cleanup_exit (i=255) at
../../../../../../src/crypto/openssh/sshd.c:2415
#1 0x080ae7bf in fatal (fmt=0x80b8ea6 "%s: socketpair: %s") at
../../../../../../src/crypto/openssh/fatal.c:42
#2 0x08065779 in monitor_openfds (mon=0x80eb5c0, do_logfds=1) at
../../../../../../src/crypto/openssh/monitor.c:1877
#3 0x080658ee in monitor_init () at
../../../../../../src/crypto/openssh/monitor.c:1903
#4 0x080507fd in privsep_preauth (authctxt=0x0) at
../../../../../../src/crypto/openssh/sshd.c:669
#5 0x08051f72 in main (ac=903248, av=0xc811cc00) at
../../../../../../src/crypto/openssh/sshd.c:2014
Here pmonitor is NULL inside "privsep_preauth", which calls
"monitor_init". "monitor_init" allocates memory for mon and calls
"monitor_openfds".
However, inside "monitor_openfds" the call to socketpair fails (in our
case with errno = 23 /* Too many open files in system */).
This calls "fatal", which in turn calls "cleanup_exit".
Since pmonitor has not been initialized yet, it crashes.
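The initialization-order hazard described in the report, as an added example that is neither the reporter's attachment nor OpenSSH's own code: a cut-down, hypothetical model of the privsep monitor setup in which fatal() is diverted through longjmp (instead of _exit) so the cleanup path can be exercised in-process, and in which cleanup_exit carries the NULL check that prevents the dereference. The struct, global names and the simulate_fd_exhaustion hook are constructed for this example; only the function names mirror the backtrace.

```c
#include <errno.h>
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Simplified, hypothetical model of sshd's privsep monitor state
 * (constructed for this example, not OpenSSH's real struct). */
struct monitor {
    pid_t m_pid;
    int m_recvfd, m_sendfd;
};

/* Globals with the names used in the report. */
static struct monitor *pmonitor = NULL;
static int use_privsep = 1;
static int privsep_is_preauth = 1;

/* Test hook (constructed): when non-zero, monitor_openfds() behaves as if
 * socketpair() failed with ENFILE, the "Too many open files in system"
 * condition (errno 23 on the reporter's platform). */
static int simulate_fd_exhaustion = 0;

/* In sshd, fatal() never returns because cleanup_exit() calls _exit().
 * Here cleanup_exit() longjmps back to the recovery point set in
 * privsep_preauth() so the example can observe what happened. */
static jmp_buf fatal_jmp;
static int monitor_killed_in_cleanup = -1; /* 1 = would kill monitor, 0 = skipped */

static void cleanup_exit(int i)
{
    /* Vulnerable form quoted in the report:
     *   if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1)
     * dereferences pmonitor unconditionally. The hardened form tests the
     * pointer first, because fatal() can run before monitor_init() has
     * returned and assigned pmonitor. */
    if (use_privsep && privsep_is_preauth && pmonitor != NULL &&
        pmonitor->m_pid > 1) {
        monitor_killed_in_cleanup = 1; /* sshd would kill(pmonitor->m_pid, ...) here */
    } else {
        monitor_killed_in_cleanup = 0;
    }
    longjmp(fatal_jmp, i); /* stands in for _exit(i) */
}

static void fatal(const char *msg)
{
    fprintf(stderr, "fatal: %s\n", msg);
    cleanup_exit(255);
}

static void monitor_openfds(struct monitor *mon)
{
    int pair[2];
    if (!simulate_fd_exhaustion && socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == 0) {
        mon->m_recvfd = pair[0];
        mon->m_sendfd = pair[1];
        return;
    }
    if (simulate_fd_exhaustion)
        errno = ENFILE;
    fatal(strerror(errno)); /* sshd reports "%s: socketpair: %s" */
}

static struct monitor *monitor_init(void)
{
    struct monitor *mon = calloc(1, sizeof(*mon));
    if (mon == NULL)
        fatal("calloc");
    mon->m_pid = 0;
    monitor_openfds(mon); /* may call fatal() before pmonitor is assigned;
                             the allocation is then abandoned, as the real
                             process would be exiting at this point */
    return mon;
}

/* Mirrors the call site in privsep_preauth(): returns 0 when the monitor
 * was set up, or the code passed to cleanup_exit() if fatal() fired first. */
static int privsep_preauth(void)
{
    int rc = setjmp(fatal_jmp);
    if (rc != 0)
        return rc; /* arrived here via fatal() -> cleanup_exit() -> longjmp */
    pmonitor = monitor_init();
    return 0;
}

/* Runs one scenario. Returns 1 when fatal() fired with pmonitor still NULL
 * and cleanup_exit() survived it (the guard worked), 0 when initialization
 * succeeded normally, -1 for any other outcome. */
int run_scenario(int exhaust_fds)
{
    pmonitor = NULL;
    monitor_killed_in_cleanup = -1;
    simulate_fd_exhaustion = exhaust_fds;
    int rc = privsep_preauth();
    if (rc == 255 && pmonitor == NULL && monitor_killed_in_cleanup == 0)
        return 1;
    if (rc == 0 && pmonitor != NULL) {
        close(pmonitor->m_recvfd);
        close(pmonitor->m_sendfd);
        free(pmonitor);
        pmonitor = NULL;
        return 0;
    }
    return -1;
}

int main(void)
{
    printf("socketpair failure before pmonitor set: %d\n", run_scenario(1));
    printf("normal monitor init:                    %d\n", run_scenario(0));
    return 0;
}
```

Removing the `pmonitor != NULL` term from the condition in cleanup_exit reproduces the crash the report describes (a NULL dereference under the first scenario); with the guard in place the error path exits cleanly, and the descriptor-exhaustion case degrades to a logged fatal error rather than a core dump.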