Core dump from sshd fatal_cleanup()
Darren Tucker
dtucker at zip.com.au
Fri Jan 10 22:10:01 EST 2003
Hi All.
While working on something I noticed core dumps from sshd. They don't
seem to be related to what I was working on.
It's from the process forked to run the shell. Just after the fork,
fatal_remove_all_cleanups() is called, which looks like:
void
fatal_remove_all_cleanups(void)
{
	struct fatal_cleanup *cu, *next_cu;

	for (cu = fatal_cleanups; cu; cu = next_cu) {
		next_cu = cu->next;
		xfree(cu);
	}
}
It runs through free'ing the structs, but it leaves the global
fatal_cleanups pointing to the first struct.
If called later, fatal_cleanup() attempts to deref whatever happens
to be at that location, falls over, goes boom.
-Daz.
# gdb -q ./sshd /var/core/core.sshd.27549
[snip]
#0 0x00000000 in ?? ()
(gdb) bt
#0 0x00000000 in ?? ()
#1 0x0003ccb4 in fatal_cleanup () at ../log.c:254
#2 0x00038988 in fatal (fmt=0xf0c00 "") at ../fatal.c:39
#3 0x00023400 in do_tty_change_password (pw=0x10e690) at ../auth-passwd.c:300
#4 0x00029884 in do_login (s=0x101b4c, command=0x0) at ../session.c:764
#5 0x00029518 in do_exec_pty (s=0x101b4c, command=0x0) at ../session.c:617
#6 0x000296c0 in do_exec (s=0x101b4c, command=0x0) at ../session.c:710
#7 0x0002b1b0 in session_shell_req (s=0x101b4c) at ../session.c:1729
#8 0x0002b358 in session_input_channel_req (c=0x110cd8, rtype=0x10f750 "shell") at ../session.c:1780
#9 0x00028790 in server_input_channel_req (type=1111888, seq=13, ctxt=0x10d018) at ../serverloop.c:1021
#10 0x00038930 in dispatch_run (mode=1, done=0x0, ctxt=0x10d018) at ../dispatch.c:93
#11 0x00027f5c in server_loop2 (authctxt=0xff800) at ../serverloop.c:764
#12 0x00028d18 in do_authenticated (authctxt=0x109230) at ../session.c:218
#13 0x0001d84c in main (ac=7868, av=0x6) at ../sshd.c:1536
(gdb) frame 1
#1 0x0003ccb4 in fatal_cleanup () at ../log.c:254
254 (*cu->proc) (cu->context);
(gdb) print cu
$1 = (struct fatal_cleanup *) 0x1097e0
(gdb) print *cu
$2 = {next = 0x10, proc = 0, context = 0x109840}
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
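The dangling-head bug described in the message, reproduced in a small cleanup list of the same shape (next/proc/context) with the buggy removal beside the fixed one. This is an added example, not OpenSSH code; every name in it (struct cleanup, cleanup_register, cleanup_run_all, cleanup_remove_all, the demo functions) is hypothetical. The buggy variant is kept only for comparison and is never called, since running handlers after it would read freed memory.

```c
#include <stdlib.h>

/* Constructed example, not OpenSSH code: a minimal cleanup list shaped
 * like the one in log.c (next/proc/context). All names are hypothetical. */
struct cleanup {
    struct cleanup *next;
    void (*proc)(void *);
    void *context;
};

static struct cleanup *cleanups = NULL;   /* list head, like fatal_cleanups */

/* Prepend a handler; returns 0 on success, -1 on allocation failure. */
int cleanup_register(void (*proc)(void *), void *context)
{
    struct cleanup *cu = malloc(sizeof *cu);
    if (cu == NULL)
        return -1;
    cu->proc = proc;
    cu->context = context;
    cu->next = cleanups;
    cleanups = cu;
    return 0;
}

/* Run every registered handler once, front to back; returns how many ran.
 * With an empty list the loop never enters, so this is always safe to call
 * as long as the head is either NULL or a live node. */
int cleanup_run_all(void)
{
    int ran = 0;
    struct cleanup *cu;
    for (cu = cleanups; cu != NULL; cu = cu->next) {
        (*cu->proc)(cu->context);
        ran++;
    }
    return ran;
}

/* The buggy shape from the report: frees every node but leaves the head
 * pointing at freed memory, so a later cleanup_run_all() dereferences it
 * (the backtrace shows exactly that: proc = 0, next = 0x10).
 * Kept for comparison only; nothing below calls it. */
void cleanup_remove_all_buggy(void)
{
    struct cleanup *cu, *next_cu;
    for (cu = cleanups; cu != NULL; cu = next_cu) {
        next_cu = cu->next;
        free(cu);
    }
}

/* Fixed: after freeing the nodes, reset the head so the list is
 * observably empty and no stale pointer survives. */
void cleanup_remove_all(void)
{
    struct cleanup *cu, *next_cu;
    for (cu = cleanups; cu != NULL; cu = next_cu) {
        next_cu = cu->next;
        free(cu);
    }
    cleanups = NULL;
}

/* Handler used by the demos: counts invocations in a caller-owned int. */
static void count_invocation(void *ctx)
{
    (*(int *)ctx)++;
}

/* Mirrors the sshd child sequence: register handlers, drop them after the
 * fork, then hit a fatal path that runs cleanups. Returns how many handlers
 * ran in that final step; 0 is the correct answer (no crash, nothing run). */
int demo_child_after_fork(void)
{
    int invoked = 0;
    cleanup_register(count_invocation, &invoked);
    cleanup_register(count_invocation, &invoked);
    cleanup_remove_all();          /* child discards the parent's handlers */
    return cleanup_run_all();      /* would dereference freed memory with the buggy variant */
}

/* Sanity check of the list itself: each handler runs exactly once before
 * removal. Returns 1 on success, 0 otherwise. */
int demo_run_before_remove(void)
{
    int invoked = 0;
    cleanup_register(count_invocation, &invoked);
    cleanup_register(count_invocation, &invoked);
    cleanup_register(count_invocation, &invoked);
    int ran = cleanup_run_all();
    cleanup_remove_all();
    return ran == 3 && invoked == 3;
}
```

Both demos leave the list empty when they return, so they can be called in any order; under AddressSanitizer or Valgrind, swapping cleanup_remove_all() for the buggy variant in demo_child_after_fork() reports the use-after-free at the first handler call, which is the cheapest way to catch this class of bug before it reaches a core file.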
-------------- next part --------------
Index: log.c
===================================================================
RCS file: /cvs/openssh/log.c,v
retrieving revision 1.26
diff -u -r1.26 log.c
--- log.c 7 Jan 2003 06:04:18 -0000 1.26
+++ log.c 10 Jan 2003 10:55:16 -0000
@@ -233,6 +233,7 @@
next_cu = cu->next;
xfree(cu);
}
+ fatal_cleanups = NULL;
}
/* Cleanup and exit */
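Review bot: The added `fatal_cleanups = NULL;` after the free loop is the right fix for the crash in the backtrace above, since fatal_cleanup() walks from that global head and has no other way to see that the list is empty; without it the head keeps the address of a freed struct. A one-line comment above the assignment (e.g. that the head must be reset because fatal_cleanup() may still run in this process after the cleanups are dropped) would record the reason, so a later refactor does not reintroduce the dangling head.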