[Bug 3321] New: Abnormal packet reading when SSH and tcmalloc are used together

bugzilla-daemon at mindrot.org
Fri Jun 18 18:08:57 AEST 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3321

            Bug ID: 3321
           Summary: Abnormal packet reading when SSH and tcmalloc are used
                    together
           Product: Portable OpenSSH
           Version: 8.6p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: kircherlike at outlook.com

tcmalloc, part of gperftools, is a fast C/C++ memory allocator designed
around a fast path that avoids synchronizing with other threads for
most allocations.

The gperftools tcmalloc can be found at
https://github.com/gperftools/gperftools. Using tcmalloc replaces
glibc's standard malloc library functions.

On an x86 system, when tcmalloc runs out of memory and has to extend
the heap, it obtains the current call stack through libunwind, and
libunwind creates a pipe to check whether an address is valid.

In the main function of ssh.c, the pipe that tcmalloc creates while
servicing the xcalloc() for saved_av is then closed unexpectedly by
the closefrom() call.

...
#ifndef HAVE_SETPROCTITLE
        /* Prepare for later setproctitle emulation */
        /* Save argv so it isn't clobbered by setproctitle() emulation */
        saved_av = xcalloc(ac + 1, sizeof(*saved_av));
        for (i = 0; i < ac; i++)
                saved_av[i] = xstrdup(av[i]);
        saved_av[i] = NULL;
        compat_init_setproctitle(ac, av);
        av = saved_av;
#endif

        seed_rng();

        /*
         * Discard other fds that are hanging around. These can cause problem
         * with backgrounded ssh processes started by ControlPersist.
         */
        closefrom(STDERR_FILENO + 1);
...

When tcmalloc attempts to read the pipe, it incorrectly reads the
contents of connection_in, resulting in an error in the MAC
verification of the packet.

Therefore, swapping the order of the xcalloc and closefrom statements is
probably the best way to be compatible with tcmalloc.
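The descriptor-reuse mechanism described above, as an added example that is not
from the bug report or from OpenSSH: a pipe stands in for the one libunwind
caches, a socketpair stands in for connection_in, and closefrom() is emulated
over the demo's own descriptors. It also shows the fstat() identity check a
defensive caller of a cached fd could make, and the swapped ordering proposed
above, where the pipe survives.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for the pipe libunwind caches to test whether an address is readable. */
struct probe_pipe { int rd, wr; ino_t ino; };

static int probe_pipe_open(struct probe_pipe *p) {
    int fds[2]; struct stat st;
    if (pipe(fds) == -1 || fstat(fds[0], &st) == -1) return -1;
    p->rd = fds[0]; p->wr = fds[1]; p->ino = st.st_ino;   /* remember which object the number meant */
    return 0;
}

/* Stand-in for closefrom(lowfd): the real call closes every fd >= lowfd; this one
 * closes only lowfd..highfd so the demo never touches descriptors it does not own. */
static void closefrom_emul(int lowfd, int highfd) {
    for (int fd = lowfd; fd <= highfd; fd++) close(fd);
}

/* Defensive check: does the cached number still refer to the pipe we opened? */
static int probe_pipe_still_valid(const struct probe_pipe *p) {
    struct stat st;
    return fstat(p->rd, &st) == 0 && S_ISFIFO(st.st_mode) && st.st_ino == p->ino;
}

/* Runs one ordering. Returns 1 if the library's probe read its own byte back,
 * 2 if it consumed the connection's packet instead, -1 on a syscall failure. */
static int run_scenario(int close_before_alloc, int *pipe_valid) {
    struct probe_pipe p; int conn[2]; char buf[64] = {0}; ssize_t n;
    const char packet[] = "ENCRYPTED-PACKET+MAC";     /* constructed sample, not real SSH data */
    if (close_before_alloc) closefrom_emul(STDERR_FILENO + 1, STDERR_FILENO); /* nothing of ours yet */
    if (probe_pipe_open(&p) == -1) return -1;         /* xcalloc(): allocator grabs its pipe */
    if (!close_before_alloc) closefrom_emul(p.rd, p.wr); /* ssh.c closefrom() sweeps the pipe away */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) == -1) return -1; /* connection gets the freed numbers */
    *pipe_valid = probe_pipe_still_valid(&p);
    write(conn[1], packet, sizeof packet - 1);        /* peer sends an SSH packet */
    write(p.wr, "x", 1);                              /* library probe: write one byte... */
    n = read(p.rd, buf, sizeof buf - 1);              /* ...and read it back */
    close(conn[0]); close(conn[1]);
    if (*pipe_valid) { close(p.rd); close(p.wr); }
    if (n >= 1 && buf[0] == 'x') return 1;
    if (n >= (ssize_t)(sizeof packet - 1) && memcmp(buf, packet, sizeof packet - 1) == 0) return 2;
    return -1;
}

int demo_buggy_order(void) { int v = -1; return run_scenario(0, &v) == 2 && v == 0; }
int demo_fixed_order(void) { int v = -1; return run_scenario(1, &v) == 1 && v == 1; }

int main(void) {
    printf("alloc then closefrom: packet stolen=%d\nclosefrom then alloc: pipe intact=%d\n",
           demo_buggy_order(), demo_fixed_order());
    return 0;
}
```

In the buggy ordering the packet bytes end up in the allocator's probe buffer and never reach the SSH packet layer, which is the MAC failure the report describes.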
