OpenSSH 4.0p1 segfaults on keyboard-interactive login
Darren Tucker
dtucker at zip.com.au
Sat Mar 12 19:55:19 EST 2005
Andreas M. Kirchwitz wrote:
> Please don't laugh, but the mere existance of the directory
> "/var/empty/sshd/lib" is sufficient to make Fedora Core 2 happy.
> (I started with a complete copy of /lib and removed the libraries
> step by step to see which one I need. And to my surprise, I could
> safely delete everything except the "lib" directory itself.)
It's reproducable with a minimal test case, and it's definitely deep in
libc. It's been confirmed to be a known problem in glibc, but the fix
does not seem to have made it to a released rpm yet. In the mean time,
the workaround is to create /var/empty/lib.
References:
https://bugzilla.redhat.com/beta/show_bug.cgi?id=144303
http://sources.redhat.com/ml/libc-hacker/2005-02/msg00005.html
$ cat chroot-dns-test.c
#include <stdio.h>
#include <netdb.h>
int
main(void)
{
chroot("/tmp");
chdir("/");
gethostbyname("foo");
}
$ gcc -g chroot-dns-test.c
$ sudo gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/libthread_db.so.1".
(gdb) run
Starting program: /home/dtucker/a.out
Program received signal SIGSEGV, Segmentation fault.
open_path (name=0xbff34b30 "libnss_dns.so.2", namelen=16, preloaded=0,
sps=0x955ed0, realname=0xffffffff, fbp=0xbff345c4) at dl-load.c:1791
1791 sps->dirs = (void *) -1;
(gdb) bt
#0 open_path (name=0xbff34b30 "libnss_dns.so.2", namelen=16, preloaded=0,
sps=0x955ed0, realname=0xffffffff, fbp=0xbff345c4) at dl-load.c:1791
#1 0x00948630 in _dl_map_object (loader=0x9564e0,
name=0xbff34b30 "libnss_dns.so.2", preloaded=0, type=2, trace_mode=0,
mode=-1879048191, nsid=0) at dl-load.c:1961
#2 0x00a3b516 in dl_open_worker () from /lib/tls/i686/libc.so.6
#3 0x0094cbd1 in _dl_catch_error (objname=0xbff349a0, errstring=0xbff349a4,
operate=0xa3b41c <dl_open_worker>, args=0xbff349a8) at dl-error.c:161
#4 0x00a3c0a9 in _dl_open () from /lib/tls/i686/libc.so.6
#5 0x00a3d3ad in do_dlopen () from /lib/tls/i686/libc.so.6
#6 0x0094cbd1 in _dl_catch_error (objname=0xbff34aec, errstring=0xbff34af0,
operate=0xa3d398 <do_dlopen>, args=0xbff34af4) at dl-error.c:161
#7 0x00a3d461 in __libc_dlopen_mode () from /lib/tls/i686/libc.so.6
#8 0x00a1d611 in __nss_lookup_function () from /lib/tls/i686/libc.so.6
#9 0x00a1d711 in __nss_lookup () from /lib/tls/i686/libc.so.6
#10 0x00a1ed42 in __nss_hosts_lookup () from /lib/tls/i686/libc.so.6
#11 0x00a21788 in gethostbyname_r@@GLIBC_2.1.2 () from /lib/tls/i686/libc.so.6
#12 0x00a21154 in gethostbyname () from /lib/tls/i686/libc.so.6
#13 0x08048421 in main () at chroot-dns-test.c:9
> Do you have any idea what code change from OpenSSH 3.9p1 to 4.0p1
> may have triggered this strange bug in system libraries? Especially
> the workaround with "mkdir /var/empty/sshd/lib" is, hmmm, confusing.
It's probably just a DNS lookup somplace where there wasn't previously.
It could be something as simple as a debug() call.
> Hopefully, this isn't a general security risk for applications that
> do nameservice lookups within a chroot'ed environment.
I don't think it is. The description I got was that the segfault is
caused because libc attempts to write to a segment mapped readonly.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list