[Bug 3286] New: sshd dumps core after authentication timeout

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Mar 23 02:18:09 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3286

            Bug ID: 3286
           Summary: sshd dumps core after authentication timeout
           Product: Portable OpenSSH
           Version: 8.5p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: daniel.harnett at gmail.com

The sshd daemon in the latest OpenSSH release (8.5p1) running under
Arch Linux occasionally dumps core when an authentication attempt times
out.  This doesn't appear to be specific to Arch.  It seems pretty easy
to reproduce by just leaving a ssh client waiting at the password
prompt for the duration of LoginGraceTime.

Mar 17 16:26:38 localhost systemd-coredump[4024]: [��] Process 4019
(sshd) of user 65534 dumped core.

                                                  Stack trace of thread
4019:
                                                  #0 
0x00007fe3cf8f68fb __socket (libc.so.6 + 0x1008fb)
                                                  #1 
0x00007fe3cf8ef013 openlog_internal (libc.so.6 + 0xf9013)
                                                  #2 
0x00007fe3cf8ef4f7 __vsyslog_internal (libc.so.6 + 0xf94f7)
                                                  #3 
0x00007fe3cf8ef803 __syslog_chk (libc.so.6 + 0xf9803)
                                                  #4 
0x00005626488bcd4c n/a (sshd + 0x65d4c)
                                                  #5 
0x00005626488ba1ec n/a (sshd + 0x631ec)
                                                  #6 
0x000056264888ada9 n/a (sshd + 0x33da9)
                                                  #7 
0x00005626488bccc5 n/a (sshd + 0x65cc5)
                                                  #8 
0x00005626488bd0b1 n/a (sshd + 0x660b1)
                                                  #9 
0x0000562648866376 n/a (sshd + 0xf376)
                                                  #10
0x00007fe3cf832f80 __restore_rt (libc.so.6 + 0x3cf80)
                                                  #11
0x00007fe3cf8eca67 __select (libc.so.6 + 0xf6a67)
                                                  #12
0x00005626488c3745 n/a (sshd + 0x6c745)
                                                  #13
0x00005626488c96b3 n/a (sshd + 0x726b3)
                                                  #14
0x00005626488c97b9 n/a (sshd + 0x727b9)
                                                  #15
0x00005626488638ca n/a (sshd + 0xc8ca)
                                                  #16
0x00007fe3cf81db25 __libc_start_main (libc.so.6 + 0x27b25)
                                                  #17
0x000056264886609e n/a (sshd + 0xf09e)



Compiled with debugging info, gdb gives the following backtrace:

  Using host libthread_db library "/usr/lib/libthread_db.so.1".
  Core was generated by `sshd: unknown [net]'.
  Program terminated with signal SIGSYS, Bad system call.
  #0  0x00007fb7ee8e28fb in socket () from /usr/lib/libc.so.6
  (gdb) bt
  #0  0x00007fb7ee8e28fb in socket () from /usr/lib/libc.so.6
  #1  0x00007fb7ee8db013 in openlog_internal () from /usr/lib/libc.so.6
  #2  0x00007fb7ee8db4f7 in __vsyslog_internal () from
/usr/lib/libc.so.6
  #3  0x00007fb7ee8db803 in __syslog_chk () from /usr/lib/libc.so.6
  #4  0x000055d42c649d4c in syslog (__fmt=0x55d42c6922f0 "%.500s",
__pri=2) at /usr/include/bits/syslog.h:31
  #5  do_log (args=0x7ffe1d1895e0, fmt=0x7ffe1d189100 "mm_log_handler:
write: %s", suffix=0x0, force=, level=SYSLOG_LEVEL_FATAL, line=111,
      func=0x55d42c68a0a0 <__func__.27> "mm_log_handler",
file=0x55d42c689940 "monitor_wrap.c") at log.c:416
  #6  sshlogv (file=0x55d42c689940 "monitor_wrap.c",
func=0x55d42c68a0a0 <__func__.27> "mm_log_handler", line=111,
showfunc=,
      level=SYSLOG_LEVEL_FATAL, suffix=0x0, fmt=0x55d42c686cc2 "write:
%s", args=0x7ffe1d1895e0) at log.c:485
  #7  0x000055d42c6471ec in sshfatal (file=file at entry=0x55d42c689940
"monitor_wrap.c", func=func at entry=0x55d42c68a0a0 <__func__.27>
"mm_log_handler",
      line=line at entry=111, showfunc=showfunc at entry=1,
level=level at entry=SYSLOG_LEVEL_FATAL, suffix=suffix at entry=0x0,
fmt=0x55d42c686cc2 "write: %s")
      at fatal.c:43
  #8  0x000055d42c617da9 in mm_log_handler (file=0x55d42c680004
"sshd.c", func=, line=, level=SYSLOG_LEVEL_FATAL,
      msg=0x7ffe1d189bd0 "Timeout before authentication for
208.105.190.83 port 30569", ctx=0x55d42e235e40) at monitor_wrap.c:111  
  #9  0x000055d42c649cc5 in do_log (args=0x7ffe1d18a4b0,
fmt=0x7ffe1d189fd0 "Timeout before authentication for %s port %d",
suffix=0x0, force=,                                                    
                                                                       
  level=SYSLOG_LEVEL_FATAL, line=370, func=0x55d42c6818f0 <__func__.26>
"grace_alarm_handler", file=0x55d42c680004 "sshd.c") at log.c:403      
                                                                       
                                              #10 sshlogv
(file=0x55d42c680004 "sshd.c", func=0x55d42c6818f0 <__func__.26>
"grace_alarm_handler", line=370, showfunc=,
      level=level at entry=SYSLOG_LEVEL_FATAL, suffix=0x0,
fmt=0x55d42c680700 "Timeout before authentication for %s port %d",
args=0x7ffe1d18a4b0) at log.c:485                                      
                                                                      
#11 0x000055d42c64a0b1 in sshsigdie (file=file at entry=0x55d42c680004
"sshd.c", func=func at entry=0x55d42c6818f0 <__func__.26>
"grace_alarm_handler",                                                 
                                                                       
 line=line at entry=370, showfunc=showfunc at entry=0,
level=level at entry=SYSLOG_LEVEL_ERROR, suffix=suffix at entry=0x0,
      fmt=0x55d42c680700 "Timeout before authentication for %s port
%d") at log.c:454
  #12 0x000055d42c5f3376 in grace_alarm_handler (sig=) at sshd.c:370
  #13
  #14 0x00007fb7ee8d8a67 in select () from /usr/lib/libc.so.6
  #15 0x000055d42c650745 in ssh_packet_read_seqnr
(ssh=ssh at entry=0x55d42e2442e0, typep=typep at entry=0x7ffe1d18cc73 "",
seqnr_p=seqnr_p at entry=0x7ffe1d18cc74)
      at packet.c:1364
  #16 0x000055d42c6566b3 in ssh_dispatch_run
(ssh=ssh at entry=0x55d42e2442e0, mode=mode at entry=0,
done=done at entry=0x55d42e245fc0) at dispatch.c:96
  #17 0x000055d42c6567b9 in ssh_dispatch_run_fatal
(ssh=ssh at entry=0x55d42e2442e0, mode=mode at entry=0,
done=done at entry=0x55d42e245fc0) at dispatch.c:133
  #18 0x000055d42c603411 in do_authentication2
(ssh=ssh at entry=0x55d42e2442e0) at auth2.c:176
  #19 0x000055d42c5f0903 in main (ac=, av=) at sshd.c:2218


It looks like the parent process closes the logging socket before the
child process has written to syslog, and glibc then tries to re-open
the socket, which isn't allowed in the seccomp sandbox.

strace of a child process when everything works (no core dump; managed
to write to the socket before the parent closed it):

  3774  pselect6(5, [4<socket:[83561]>], NULL, NULL, NULL, NULL) = ?
ERESTARTNOHAND (To be restarted if no handler)
  3774  --- SIGALRM {si_signo=SIGALRM, si_code=SI_USER, si_pid=3773,
si_uid=0} ---
  3774  getpgid(0)                        = 3773
  3774  getpid()                          = 3774
  3774  write(8<pipe:[83581]>,
"\0\0\0h\0\0\0\6sshd.c\0\0\0\23grace_alarm_ha"..., 108) = 108
  3774  exit_group(1)                     = ?
  3774  +++ exited with 1 +++

strace of a child process when this issue is triggered (core dump; the
parent has already closed the socket):

  3799  pselect6(5, [4<socket:[83972]>], NULL, NULL, NULL, NULL) = ?
ERESTARTNOHAND (To be restarted if no handler)
  3799  --- SIGALRM {si_signo=SIGALRM, si_code=SI_USER, si_pid=3798,
si_uid=0} ---
  3799  getpgid(0)                        = 3798
  3799  getpid()                          = 3799
  3799  write(8<pipe:[83992]>,
"\0\0\0h\0\0\0\6sshd.c\0\0\0\23grace_alarm_ha"..., 108) = -1 EPIPE
(Broken pipe)
  3799  openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = -1
EACCES (Permission denied)
  3799  getpid()                          = 3799
  3799  socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = ?
  3799  +++ killed by SIGSYS (core dumped) +++

strace of a parent process:

  3773  restart_syscall(<... resuming interrupted read ...>) = ?
ERESTART_RESTARTBLOCK (Interrupted by signal)
  3773  --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
  3773  kill(3774, SIGALRM)               = 0
  3773  getpgid(0)                        = 3773
  3773  getpid()                          = 3773
  3773  rt_sigaction(SIGTERM, {sa_handler=SIG_IGN, sa_mask=~[RTMIN
RT_1], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f859affef80},
{sa_handler=SIG_DFL, sa_mask=~[KILL STOP RTMIN RT_1],
sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f859affef80}, 8) = 0
  3773  kill(0, SIGTERM)                  = 0
  3773  getpid()                          = 3773
  3773  socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5<socket:[83963]>
  3773  connect(5<socket:[83963]>, {sa_family=AF_UNIX,
sun_path="/dev/log"}, 110) = 0
  3773  sendto(5<socket:[83963]>, "<34>Mar 17 15:26:59 sshd[3773]:
"..., 98, MSG_NOSIGNAL, NULL, 0) = 98
  3773  close(5<socket:[83963]>)          = 0
  3773  exit_group(1)                     = ?
  3773  +++ exited with 1 +++

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list