openssh-3.7.1p1 segfaults

Martin Siegert siegert at sfu.ca
Wed Sep 17 12:52:30 EST 2003


Hi,

The following problem occurs on Solaris 2.6. openssh-3.7p1 and openssh-3.7.1p1
both show the same behaviour.

openssh is configured with:

CC='gcc -L/usr/LOCAL/lib -I/usr/LOCAL/include' ./configure --prefix=/usr/LOCAL --sysconfdir=/etc/ssh --sbindir=/usr/local/sbin --libexecdir=/usr/local/libexec --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/LOCAL/ssl --with-default-path='/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/LOCAL/bin'

and compiles and installs fine; even sshd starts fine.
However, connecting to it from a client fails, leading to a segfault in
one of the children that sshd spawns on the server.

I append output from the client session (ssh -v -v -v ...), truss output
of sshd on the server (truss -f -p 4415, where 4415 is the pid of the
"master" sshd process), and output from "gdb sshd".

I hope this helps to fix the problem.

Martin

-- 
Martin Siegert
Manager, Research Services
WestGrid Site Manager
Academic Computing Services                        phone: (604) 291-4691
Simon Fraser University                            fax:   (604) 291-4242
Burnaby, British Columbia                          email: siegert at sfu.ca
Canada  V5A 1S6

===<client output>======================================================
# ssh -v -v -v harrison
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 11168 geteuid 0 anon 1
debug1: Connecting to harrison [142.58.200.80] port 22.
debug1: temporarily_use_uid: 11168/1000 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 11168/1000 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/siegert/.ssh/identity type -1
debug3: Not a RSA1 key file /home/siegert/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
... <snip>
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /home/siegert/.ssh/id_rsa type 1
debug1: identity file /home/siegert/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.7.1p1
... <snip>
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply

at which point the client hangs.
=========================================================================

===<truss -f -p 4415; 4455 is the pid of the child that segfaults>========
... <snip>
4455:	open("/dev/udp", O_RDWR)			= 8
4455:	ioctl(8, I_FIND, "timod")			= 0
4455:	ioctl(8, I_PUSH, "timod")			= 0
4455:	sigprocmask(SIG_SETMASK, 0xEFFFDD70, 0xEFFFDD60) = 0
4455:	ioctl(8, I_STR, 0xEFFFDBE8)			= 0
4455:	sigprocmask(SIG_SETMASK, 0xEFFFDD60, 0x00000000) = 0
4455:	ioctl(8, I_FLUSH, FLUSHRW)			= 0
4455:	sigprocmask(SIG_SETMASK, 0xEFFFDD70, 0xEFFFDD60) = 0
4455:	ioctl(8, I_STR, 0xEFFFDCD8)			= 0
4455:	sigprocmask(SIG_SETMASK, 0xEFFFDD60, 0x00000000) = 0
4455:	ioctl(8, I_STR, 0xEFFFDBE0)			= 0
4455:	getpid()					= 4455 [4451]
4455:	ioctl(8, I_STR, 0xEFFFDC2C)			= 0
4455:	fstat(8, 0xEFFFDD74)				= 0
4455:	fcntl(8, F_SETFD, 0x00000001)			= 0
4455:	fstat(8, 0xEFFFDE48)				= 0
4455:	putmsg(8, 0xEFFFDD34, 0xEFFFDE74, 0)		= 0
4455:	poll(0x00094A84, 1, 15000)			= 1
4455:	getmsg(8, 0xEFFFDD30, 0x00081A48, 0xEFFFDD5C)	= 0
4455:	getpid()					= 4455 [4451]
4455:	fstat(8, 0xEFFFDD40)				= 0
4455:	putmsg(8, 0xEFFFDC2C, 0xEFFFDD6C, 0)		= 0
4455:	poll(0x00094A84, 1, 15000)			= 1
4455:	getmsg(8, 0xEFFFDC28, 0x00081A48, 0xEFFFDC54)	= 0
4455:	getpid()					= 4455 [4451]
4455:	fstat(8, 0xEFFFDD40)				= 0
4455:	putmsg(8, 0xEFFFDC2C, 0xEFFFDD6C, 0)		= 0
4455:	poll(0x00094A84, 1, 15000)			= 1
4455:	getmsg(8, 0xEFFFDC28, 0x00081A48, 0xEFFFDC54)	= 0
4455:	getpid()					= 4455 [4451]
4455:	fstat(8, 0xEFFFDD40)				= 0
4455:	putmsg(8, 0xEFFFDC2C, 0xEFFFDD6C, 0)		= 0
4455:	poll(0x00094A84, 1, 15000)			= 1
4455:	getmsg(8, 0xEFFFDC28, 0x00081A48, 0xEFFFDC54)	= 0
4455:	llseek(4, 0xFFFFFFFFFFFFFFC7, SEEK_CUR)		= 541
4455:	close(4)					= 0
4455:	    Incurred fault #6, FLTBOUNDS  %pc = 0x0003172C
4455:	      siginfo: SIGSEGV SEGV_MAPERR addr=0x00000008
4455:	    Received signal #11, SIGSEGV [default]
4455:	      siginfo: SIGSEGV SEGV_MAPERR addr=0x00000008
4455:		*** process killed ***
4451:	write(6, "\0\0\005 /", 5)			= 5
4451:	write(6, "\0\0\001", 4)				= 4
4453:	read(8, "\0\0\005", 4)				= 4
4453:	read(8, " /\0\0\001", 5)			= 5
4453:	write(8, "\0\0\001 0", 5)			= 5
4451:	read(6, "\0\0\001", 4)				= 4
4451:	read(6, " 0", 1)				= 1
4415:	poll(0xEFFFD150, 2, -1)		(sleeping...)
4451:	read(10, 0xEFFFEDE8, 4)		(sleeping...)
4453:	read(8, 0xEFFFECB8, 4)		(sleeping...)
========================================================================

===<gdb sshd>
# gdb sshd
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
(gdb) run -d -d -d
Starting program: /usr/LOCAL/src/openssh-3.7.1p1/sshd -d -d -d
debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper
debug2: read_server_config: filename /etc/ssh/sshd_config
debug1: sshd version OpenSSH_3.7.1p1
... <snip>
Failed publickey for siegert from 142.58.1.216 port 52124 ssh2
debug1: userauth-request for user siegert service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=siegert devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 46
debug3: monitor_read: checking request 46
debug3: mm_answer_pam_init_ctx
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 47
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 47
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 48
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: mm_request_receive entering
debug3: monitor_read: checking request 48
debug3: mm_answer_pam_query
debug3: ssh_msg_recv entering
^C           [at this point the program hangs; Ctrl-C is the only way out]
Program received signal SIGINT, Interrupt.
0xef438680 in _read () from /usr/lib/libc.so.1
(gdb) where
#0  0xef438680 in _read () from /usr/lib/libc.so.1
#1  0x410a4 in atomicio (f=0x74198 <read>, fd=11, _s=0xefffeda8, n=4)
    at atomicio.c:45
#2  0x45970 in ssh_msg_recv (fd=11, m=0xefffee58) at msg.c:58
#3  0x31e64 in sshpam_query (ctx=0x88850, name=0xefffef1c, info=0xefffef18, 
    num=0xefffef14, prompts=0xefffef10, echo_on=0xefffef0c) at auth-pam.c:433
#4  0x2bd84 in mm_answer_pam_query (socket=8, m=0xefffef90) at monitor.c:847
#5  0x2b494 in monitor_read (pmonitor=0x7c7c8, ent=0x75320, pent=0xeffff044)
    at monitor.c:413
#6  0x2b12c in monitor_child_preauth (pmonitor=0x7c7c8) at monitor.c:299
#7  0x1b40c in privsep_preauth () at sshd.c:595
#8  0x1ce94 in main (ac=38, av=0xffffffff) at sshd.c:1472
(gdb) quit
==========================================================================
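As an added triage aid (not part of the original report or of OpenSSH): the truss output above is the kind of trace one reads to decide what a crash is. The script below parses Solaris truss -f lines, keeps the last few syscalls per pid, picks up the "Incurred fault" / "siginfo" / "process killed" records, and applies a simple heuristic: a SEGV_MAPERR at a tiny address such as 0x8 is a NULL pointer dereference with a small field offset, which points at an uninitialised or freed structure rather than a controlled memory write. The TRUSS_SAMPLE text is a constructed excerpt of the trace quoted in the report; the threshold in classify() is an assumption.

```python
import re

# Constructed excerpt of the truss -f output quoted in the report (Solaris truss format).
TRUSS_SAMPLE = """\
4455:\tllseek(4, 0xFFFFFFFFFFFFFFC7, SEEK_CUR)\t\t= 541
4455:\tclose(4)\t\t\t\t\t= 0
4455:\t    Incurred fault #6, FLTBOUNDS  %pc = 0x0003172C
4455:\t      siginfo: SIGSEGV SEGV_MAPERR addr=0x00000008
4455:\t    Received signal #11, SIGSEGV [default]
4455:\t      siginfo: SIGSEGV SEGV_MAPERR addr=0x00000008
4455:\t\t*** process killed ***
4451:\twrite(6, "\\0\\0\\005 /", 5)\t\t\t= 5
4415:\tpoll(0xEFFFD150, 2, -1)\t\t(sleeping...)
"""

SYSCALL_RE = re.compile(r"^(\d+):\t(\w+)\((.*)\)\s*=\s*(-?\w+)")
FAULT_RE = re.compile(r"^(\d+):\s+Incurred fault #(\d+), (\w+)\s+%pc = (0x[0-9A-Fa-f]+)")
SIGINFO_RE = re.compile(r"^(\d+):\s+siginfo: (\w+) (\w+) addr=(0x[0-9A-Fa-f]+)")
KILLED_RE = re.compile(r"^(\d+):\s+\*\*\* process killed \*\*\*")


def triage_truss(text, history=3):
    """Return {pid: record} for every pid that incurred a fault, with the
    last `history` completed syscalls seen for that pid before the fault."""
    recent, crashes = {}, {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:  # completed syscall: remember it per pid (blocked "(sleeping...)" lines have no "=")
            pid = m.group(1)
            recent[pid] = (recent.get(pid, []) + [f"{m.group(2)}({m.group(3)}) = {m.group(4)}"])[-history:]
            continue
        m = FAULT_RE.match(line)
        if m:
            crashes[m.group(1)] = {"fault": m.group(3), "pc": int(m.group(4), 16),
                                   "last_syscalls": list(recent.get(m.group(1), [])), "killed": False}
            continue
        m = SIGINFO_RE.match(line)
        if m and m.group(1) in crashes:
            c = crashes[m.group(1)]
            c["signal"], c["code"], c["addr"] = m.group(2), m.group(3), int(m.group(4), 16)
            continue
        m = KILLED_RE.match(line)
        if m and m.group(1) in crashes:
            crashes[m.group(1)]["killed"] = True
    return crashes


def classify(crash, small_page=0x1000):
    """Heuristic (assumption): SEGV_MAPERR below the first page is a NULL-plus-offset dereference."""
    if crash.get("signal") != "SIGSEGV":
        return "not-segv"
    if crash.get("code") == "SEGV_MAPERR" and crash.get("addr", small_page) < small_page:
        return "null-deref"
    return "needs-review"
```

Run against the report's trace, the only crashing pid is 4455, the fault address 0x8 classifies as a NULL dereference, and the last completed syscalls before the fault are the llseek/close pair, which is where to start reading in gdb.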