[Bug 3483] closefrom() calls in sshd closes the file descriptors associated with Intel QAT crypto engine

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Nov 9 20:34:45 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3483

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
BTW this caused a test breakage in the reexec test when built against
OpenSSL 1.1.1 only. 1.1.1a and up is fine.  The specific thing that
doesn't work is the fallback path when, e.g., the sshd binary has been
removed while it's still running, so it's a fairly esoteric case:

https://github.com/openssh/openssh-portable/actions/runs/3423783333/jobs/5705690743#step:11:854

I wanted to understand the reason for this, and I believe the reason is
a bug in 1.1.1's RNG fixed in this commit:

https://github.com/openssl/openssl/commit/abf58ed3191dcd3a7c6b296b1494bd7fd336e253

My theory is that OpenSSL opens descriptors to the random devices
earlier than it should, sshd closes that descriptor and ends up reusing
it for its own purposes, then blows up when seed_rng ends up trying to
seed from this reused descriptor.

I'll skip this specific test on that specific OpenSSL version.
