[Bug 3522] New: Crash with "free(): double free detected" with old clients

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sun Jan 15 06:45:34 AEDT 2023 

https://bugzilla.mindrot.org/show_bug.cgi?id=3522

            Bug ID: 3522
           Summary: Crash with "free(): double free detected" with old
                    clients
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: grawity at gmail.com

I'm investigating a similar issue to #3512 on Arch with OpenSSH 9.1p1
and Glibc 2.36-6 and OpenSSL 3.0.7, though I'm not 100% sure if it's
the same problem.

The issue is that incoming SSH connections from a modern OpenSSH client
work fine, but connections from a somewhat obsolete client
(retrocomputing, don't ask) crash with "seccomp violation" for the
writev() call -- and after I added it to the allow list, for the
tgkill() call.

However, the writev() call in question is this:

[pid 592791] writev(2, [{iov_base="free(): double free detected in
tcache 2", iov_len=40}, {iov_base="\n", iov_len=1}], 2) = 41

So the tgkill() probably makes sense as it comes from libc itself,
rather than from OpenSSH.

The client in question is PuTTY_Release_0.64, which seems to trigger
"compat KEX proposal" in sshd. Version 0.65 doesn't trigger it and
doesn't cause a crash.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list