[Bug 3639] server thread aborts during client login after receiving SSH2_MSG_KEXINIT due to ssh_sandbox_violation
bugzilla-daemon at mindrot.org
Mon Dec 11 16:45:37 AEDT 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3639
--- Comment #24 from JM <jtm.moon.forum.user+mindrot at gmail.com> ---
> Could you try building and running this program. E.g.
>
> $ cc -o syscall syscall.c
> $ ./syscall
> $ strace -n ./syscall
Raspberry Pi 4 (RPi4), aarch64, Raspbian Debian 11 (openssh 9.5p1
client thread aborts). Note that this trace loads arm-linux-gnueabihf
libraries and uses the mmap2/fstat64 entry points, so the userland
appears to be 32-bit armhf running on the 64-bit kernel; that would
explain why its __NR_getpid (20) matches the 32-bit RPi3 below rather
than the aarch64 NanoPi (172):
$ (set -eux; wget -q
"https://bugzilla.mindrot.org/attachment.cgi?id=3774" -O syscall.c ; cc
-o syscall syscall.c ; ./syscall ; strace -n ./syscall )
+ wget -q 'https://bugzilla.mindrot.org/attachment.cgi?id=3774' -O
syscall.c
+ cc -o syscall syscall.c
+ ./syscall
__NR_getpid = 20
+ strace -n ./syscall
[ 11] execve("./syscall", ["./syscall"], 0xffb2b5b4 /* 31 vars */)
= 0
[ 45] brk(NULL) = 0x1ae5000
[ 122] uname({sysname="Linux", nodename="pifuboo", ...}) = 0
[ 33] access("/etc/ld.so.preload", R_OK) = 0
[ 322] openat(AT_FDCWD, "/etc/ld.so.preload",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 197] fstat64(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0
[ 192] mmap2(NULL, 54, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) =
0xf7d7f000
[ 6] close(3) = 0
[ 85] readlink("/proc/self/exe", "/tmp/syscall", 4096) = 12
[ 322] openat(AT_FDCWD,
"/usr/lib/arm-linux-gnueabihf/libarmmem-v8l.so",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 3] read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\254\3\0\0004\0\0\0"...,
512) = 512
[ 197] fstat64(3, {st_mode=S_IFREG|0644, st_size=17708, ...}) = 0
[ 192] mmap2(NULL, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf7d7d000
[ 192] mmap2(NULL, 81964, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7d3a000
[ 125] mprotect(0xf7d3e000, 61440, PROT_NONE) = 0
[ 192] mmap2(0xf7d4d000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0xf7d4d000
[ 6] close(3) = 0
[ 91] munmap(0xf7d7f000, 54) = 0
[ 322] openat(AT_FDCWD, "/etc/ld.so.cache",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 197] fstat64(3, {st_mode=S_IFREG|0644, st_size=63463, ...}) = 0
[ 192] mmap2(NULL, 63463, PROT_READ, MAP_PRIVATE, 3, 0) =
0xf7d2a000
[ 6] close(3) = 0
[ 322] openat(AT_FDCWD, "/lib/arm-linux-gnueabihf/libc.so.6",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 3] read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\0y\1\0004\0\0\0"...,
512) = 512
[ 197] fstat64(3, {st_mode=S_IFREG|0755, st_size=1315688, ...}) = 0
[ 192] mmap2(NULL, 1385020, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7bd7000
[ 125] mprotect(0xf7d15000, 61440, PROT_NONE) = 0
[ 192] mmap2(0xf7d24000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13d000) = 0xf7d24000
[ 192] mmap2(0xf7d27000, 8764, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xf7d27000
[ 6] close(3) = 0
[983045] set_tls(0xf7d7df80) = 0
[ 125] mprotect(0xf7d24000, 8192, PROT_READ) = 0
[ 125] mprotect(0xf7d4d000, 4096, PROT_READ) = 0
[ 125] mprotect(0x20000, 4096, PROT_READ) = 0
[ 125] mprotect(0xf7d81000, 4096, PROT_READ) = 0
[ 91] munmap(0xf7d2a000, 63463) = 0
[ 197] fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0),
...}) = 0
[ 45] brk(NULL) = 0x1ae5000
[ 45] brk(0x1b06000) = 0x1b06000
[ 4] write(1, "__NR_getpid = 20\n", 17__NR_getpid = 20
) = 17
[ 20] getpid() = 21435
[ 248] exit_group(0) = ?
[ 248] +++ exited with 0 +++
Raspberry Pi 3 (RPi3), armv7l, Raspbian Debian 11 (openssh 9.5p1 runs
okay):
$ (set -eux; wget -q
"https://bugzilla.mindrot.org/attachment.cgi?id=3774" -O syscall.c ; cc
-o syscall syscall.c ; ./syscall ; strace -n ./syscall )
+ wget -q 'https://bugzilla.mindrot.org/attachment.cgi?id=3774' -O
syscall.c
+ cc -o syscall syscall.c
+ ./syscall
__NR_getpid = 20
+ strace -n ./syscall
[ 11] execve("./syscall", ["./syscall"], 0x7eab2584 /* 30 vars */)
= 0
[ 45] brk(NULL) = 0x1435000
[ 192] mmap2(NULL, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76fa5000
[ 33] access("/etc/ld.so.preload", R_OK) = 0
[ 322] openat(AT_FDCWD, "/etc/ld.so.preload",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 197] fstat64(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0
[ 192] mmap2(NULL, 54, PROT_READ|PROT_WRITE, MAP_PRIVATE, 3, 0) =
0x76fa4000
[ 6] close(3) = 0
[ 85] readlink("/proc/self/exe", "/tmp/syscall", 4096) = 12
[ 322] openat(AT_FDCWD,
"/usr/lib/arm-linux-gnueabihf/libarmmem-v7l.so",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 3] read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\254\3\0\0004\0\0\0"...,
512) = 512
[ 197] fstat64(3, {st_mode=S_IFREG|0644, st_size=17708, ...}) = 0
[ 192] mmap2(NULL, 81964, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x76f60000
[ 125] mprotect(0x76f64000, 61440, PROT_NONE) = 0
[ 192] mmap2(0x76f73000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x76f73000
[ 6] close(3) = 0
[ 91] munmap(0x76fa4000, 54) = 0
[ 322] openat(AT_FDCWD, "/etc/ld.so.cache",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 197] fstat64(3, {st_mode=S_IFREG|0644, st_size=55352, ...}) = 0
[ 192] mmap2(NULL, 55352, PROT_READ, MAP_PRIVATE, 3, 0) =
0x76f97000
[ 6] close(3) = 0
[ 322] openat(AT_FDCWD, "/lib/arm-linux-gnueabihf/libc.so.6",
O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
[ 3] read(3,
"\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\0y\1\0004\0\0\0"...,
512) = 512
[ 197] fstat64(3, {st_mode=S_IFREG|0755, st_size=1315688, ...}) = 0
[ 192] mmap2(NULL, 1385020, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x76e0d000
[ 125] mprotect(0x76f4b000, 61440, PROT_NONE) = 0
[ 192] mmap2(0x76f5a000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x13d000) = 0x76f5a000
[ 192] mmap2(0x76f5d000, 8764, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76f5d000
[ 6] close(3) = 0
[983045] set_tls(0x76fa6280) = 0
[ 125] mprotect(0x76f5a000, 8192, PROT_READ) = 0
[ 125] mprotect(0x76f73000, 4096, PROT_READ) = 0
[ 125] mprotect(0x20000, 4096, PROT_READ) = 0
[ 125] mprotect(0x76fa7000, 4096, PROT_READ) = 0
[ 91] munmap(0x76f97000, 55352) = 0
[ 197] fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0),
...}) = 0
[ 45] brk(NULL) = 0x1435000
[ 45] brk(0x1456000) = 0x1456000
[ 4] write(1, "__NR_getpid = 20\n", 17__NR_getpid = 20
) = 17
[ 20] getpid() = 19383
[ 248] exit_group(0) = ?
[ 248] +++ exited with 0 +++
NanoPi NEO3 Rockchip RK3288, aarch64, Debian (openssh 9.5p1 runs
okay):
$ (set -eux; wget -q
"https://bugzilla.mindrot.org/attachment.cgi?id=3774" -O syscall.c ; cc
-o syscall syscall.c ; ./syscall ; strace -n ./syscall )
+ wget -q 'https://bugzilla.mindrot.org/attachment.cgi?id=3774' -O
syscall.c
+ cc -o syscall syscall.c
+ ./syscall
__NR_getpid = 172
+ strace -n ./syscall
[ 221] execve("./syscall", ["./syscall"], 0xffffed56ea98 /* 27 vars
*/) = 0
[ 214] brk(NULL) = 0xaaaae9498000
[ 48] faccessat(AT_FDCWD, "/etc/ld.so.preload", R_OK) = -1 ENOENT
(No such file or directory)
[ 56] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[ 80] fstat(3, {st_mode=S_IFREG|0644, st_size=24779, ...}) = 0
[ 222] mmap(NULL, 24779, PROT_READ, MAP_PRIVATE, 3, 0) =
0xffffa86b7000
[ 57] close(3) = 0
[ 56] openat(AT_FDCWD, "/lib/aarch64-linux-gnu/libc.so.6",
O_RDONLY|O_CLOEXEC) = 3
[ 63] read(3,
"\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\267\0\1\0\0\0`\17\2\0\0\0\0\0"...,
832) = 832
[ 80] fstat(3, {st_mode=S_IFREG|0755, st_size=1451024, ...}) = 0
[ 222] mmap(NULL, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xffffa86b5000
[ 222] mmap(NULL, 1523656, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xffffa851c000
[ 226] mprotect(0xffffa8678000, 61440, PROT_NONE) = 0
[ 222] mmap(0xffffa8687000, 24576, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15b000) = 0xffffa8687000
[ 222] mmap(0xffffa868d000, 12232, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xffffa868d000
[ 57] close(3) = 0
[ 226] mprotect(0xffffa8687000, 16384, PROT_READ) = 0
[ 226] mprotect(0xaaaaacbf0000, 4096, PROT_READ) = 0
[ 226] mprotect(0xffffa86c1000, 4096, PROT_READ) = 0
[ 215] munmap(0xffffa86b7000, 24779) = 0
[ 80] fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0),
...}) = 0
[ 214] brk(NULL) = 0xaaaae9498000
[ 214] brk(0xaaaae94b9000) = 0xaaaae94b9000
[ 64] write(1, "__NR_getpid = 172\n", 18__NR_getpid = 172
) = 18
[ 172] getpid() = 7407
[ 94] exit_group(0) = ?
[ 94] +++ exited with 0 +++