[Bug 3522] New: Crash with "free(): double free detected" with old clients
bugzilla-daemon at mindrot.org
Sun Jan 15 06:45:34 AEDT 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Bug ID: 3522
Summary: Crash with "free(): double free detected" with old clients
Product: Portable OpenSSH
Version: 9.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: grawity at gmail.com
I'm investigating a similar issue to #3512 on Arch with OpenSSH 9.1p1
and Glibc 2.36-6 and OpenSSL 3.0.7, though I'm not 100% sure if it's
the same problem.
The issue is that incoming SSH connections from a modern OpenSSH client
work fine, but connections from a somewhat obsolete client
(retrocomputing, don't ask) crash with "seccomp violation" for the
writev() call -- and after I added it to the allow list, for the
tgkill() call.
However, the writev() call in question is this:
[pid 592791] writev(2, [{iov_base="free(): double free detected in tcache 2", iov_len=40}, {iov_base="\n", iov_len=1}], 2) = 41
So the tgkill() probably makes sense as it comes from libc itself,
rather than from OpenSSH.
The client in question is PuTTY_Release_0.64, which seems to trigger
"compat KEX proposal" in sshd. Version 0.65 doesn't trigger it and
doesn't cause a crash.
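Added example, not part of the bug report or of OpenSSH: a small program that reproduces in a throwaway child process the glibc abort path behind the strace line quoted above. Freeing the same small heap chunk twice makes glibc print "free(): double free detected in tcache 2" to fd 2 (that is the writev(2, ...) call) and then abort(), which is delivered as SIGABRT through tgkill(). This is why a seccomp allow-list that lacks writev or tgkill kills the sandboxed process before the real diagnostic is ever visible, so the "seccomp violation" is a symptom and the double free is the bug. The code assumes Linux with glibc 2.29 or newer (tcache double-free detection); the helper names are my own.

```c
// Added example (not from the bug report or OpenSSH): show how a libc
// double-free abort surfaces as writev(2, ...) followed by tgkill(), the
// two syscalls the reporter saw rejected by the sshd seccomp sandbox.
// Assumes Linux + glibc >= 2.29. The faulty code runs in a forked child so
// the demonstrating program itself survives and can report the outcome.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hide the pointer from the optimizer so the malloc/free pair is not elided. */
static void *opaque(void *p) {
    __asm__ volatile("" : "+r"(p));
    return p;
}

/* Deliberately free one heap chunk twice; on glibc this never returns. */
static void trigger_double_free(void) {
    char *buf = malloc(32);
    if (!buf) _exit(2);
    memset(buf, 'A', 32);
    buf = opaque(buf);
    free(buf);
    free(opaque(buf));   /* glibc: malloc_printerr -> writev(2, ...) -> abort() */
    _exit(0);            /* reached only if this libc did not detect the bug */
}

/* Fork, run the faulty code in the child, and report how the child died.
 * Returns the terminating signal number (SIGABRT on glibc), 0 if the child
 * exited normally, or -1 on fork/wait failure. */
int child_double_free_signal(void) {
    fflush(NULL);   /* avoid duplicating buffered stdio output into the child */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) trigger_double_free();
    int status = 0;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void) {
    int sig = child_double_free_signal();
    if (sig == SIGABRT)
        printf("child aborted (SIGABRT): libc detected the double free\n");
    else if (sig > 0)
        printf("child killed by signal %d\n", sig);
    else
        printf("child exited normally: this libc did not detect the double free\n");
    return 0;
}
```

Running the binary under `strace -f` shows the same sequence as in the report: a writev(2, ...) carrying the "free(): double free detected in tcache 2" text, then tgkill() from abort(). Both syscalls come from libc, not from the program's own code, which matches the reporter's reading that the sandbox violation originates in libc rather than in sshd.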