[Bug 2225] New: sshd core dumps when used in high scaled environments.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Apr 12 13:41:10 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2225

            Bug ID: 2225
           Summary: sshd core dumps when used in high scaled environments.
           Product: Portable OpenSSH
           Version: 6.2p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kavi at juniper.net

Created attachment 2424
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2424&action=edit
possible fix.

sshd crashes with the core dump when used in high scale environment.
The program crashes inside the function "cleanup_exit" at line 

if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1)

It is always assumed here that pmonitor is always not NULL.
However pmonitor can be null, in the execution sequence below:


#0  0x0804e214 in cleanup_exit (i=255) at
../../../../../../src/crypto/openssh/sshd.c:2415
#1  0x080ae7bf in fatal (fmt=0x80b8ea6 "%s: socketpair: %s") at
../../../../../../src/crypto/openssh/fatal.c:42
#2  0x08065779 in monitor_openfds (mon=0x80eb5c0, do_logfds=1) at
../../../../../../src/crypto/openssh/monitor.c:1877
#3  0x080658ee in monitor_init () at
../../../../../../src/crypto/openssh/monitor.c:1903
#4  0x080507fd in privsep_preauth (authctxt=0x0) at
../../../../../../src/crypto/openssh/sshd.c:669
#5  0x08051f72 in main (ac=903248, av=0xc811cc00) at
../../../../../../src/crypto/openssh/sshd.c:2014


Here the pmonitor is NULL inside "privsep_preauth", which calls
"monitor_init". "monitor_init" allocates memory for mon and calls
"monitor_openfds"

However inside "monitor_openfds" the call to socketpair fails. (in our
case with errno = 23 /* Too many open files in system */).

This calls "fatal" which in-turn calls "cleanup_exit".

Since pmonitor is not initialized until now, it crashes.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list