bugzilla-daemon at mindrot.org
2020-Jun-30 22:01 UTC
[Bug 3189] New: channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
Bug ID: 3189
Summary: channel mux_ctx memory leak
Product: Portable OpenSSH
Version: 8.3p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: sergiy.lozovsky at gmail.com
mux_ctx is allocated at mux_master_read_cb() but not freed.
This can cause ssh process memory leak when multiplexing is used.
Steps to reproduce:
- Create ControlMaster
$ ./ssh -o ControlPath=~/.ssh/mux -o ControlMaster=yes -N -n localhost
- Use multiplexing
$ while true; do ./ssh -o ControlPath=~/.ssh/mux localhost true; done
- Watch RSS of ssh process
[eiichi at build-c7 ~]$ LANG=C pidstat -r -p 62937 10 60
Linux 3.10.0-1062.9.1.el7.x86_64 (build-c7) 05/21/20 _x86_64_ (8 CPU)
08:20:50 PID minflt/s majflt/s VSZ RSS %MEM Command
08:21:00 62937 0.40 0.00 128032 2920 0.04 ssh
08:21:10 62937 0.30 0.00 128164 2920 0.04 ssh
08:21:20 62937 0.40 0.00 128164 2920 0.04 ssh
08:21:30 62937 0.50 0.00 128164 2920 0.04 ssh
08:21:40 62937 0.40 0.00 128164 2920 0.04 ssh
08:21:50 62937 0.40 0.00 128164 2920 0.04 ssh
08:22:00 62937 0.40 0.00 128164 2920 0.04 ssh
08:22:10 62937 0.40 0.00 128164 2920 0.04 ssh
08:22:20 62937 0.40 0.00 128164 2920 0.04 ssh
08:22:30 62937 0.40 0.00 128292 3068 0.04 ssh
08:22:40 62937 0.30 0.00 128292 3068 0.04 ssh
08:22:50 62937 0.40 0.00 128292 3068 0.04 ssh
08:23:00 62937 0.40 0.00 128292 3068 0.04 ssh
08:23:10 62937 0.40 0.00 128292 3068 0.04 ssh
08:23:20 62937 0.40 0.00 128292 3068 0.04 ssh
08:23:30 62937 0.30 0.00 128292 3068 0.04 ssh
08:23:40 62937 0.40 0.00 128292 3068 0.04 ssh
08:23:50 62937 0.40 0.00 128292 3068 0.04 ssh
08:24:00 62937 0.40 0.00 128420 3196 0.04 ssh
08:24:10 62937 0.40 0.00 128420 3196 0.04 ssh
08:24:20 62937 0.40 0.00 128420 3196 0.04 ssh
Fix:
diff --git a/channels.c b/channels.c
index 95a51e2..74b3cec 100644
--- a/channels.c
+++ b/channels.c
@@ -621,6 +621,8 @@ channel_free(struct ssh *ssh, Channel *c)
c->path = NULL;
free(c->listening_addr);
c->listening_addr = NULL;
+ free(c->mux_ctx);
+ c->mux_ctx = NULL;
while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
if (cc->abandon_cb != NULL)
cc->abandon_cb(ssh, c, cc->ctx);
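Review bot: the two added lines after c->listening_addr = NULL free c->mux_ctx for every channel that reaches channel_free(), but nothing in the hunk shows that every channel type owns the pointer it stores there. If any channel type keeps a pointer in mux_ctx that is shared with other channels or with longer-lived state, this releases it while it is still in use, and a second channel holding the same pointer would free it again. Suggest gating the free on c->type for the channel type(s) known to own the allocation made in mux_master_read_cb(), and adding a comment stating who owns mux_ctx. The regress suite should be run with multiplexing exercised before this is applied.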
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-02 19:21 UTC
[Bug 3189] channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
Sergiy <sergiy.lozovsky at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P5 |P3
bugzilla-daemon at mindrot.org
2020-Jul-03 04:33 UTC
[Bug 3189] channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|critical |normal
Blocks| |3117
CC| |djm at mindrot.org
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
bugzilla-daemon at mindrot.org
2020-Jul-03 07:05 UTC
[Bug 3189] channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
Blocks|3117 |3162
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be included in the OpenSSH 8.4 release, due in
a couple of months.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
bugzilla-daemon at mindrot.org
2020-Jul-03 07:18 UTC
[Bug 3189] channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|FIXED |---
Status|RESOLVED |REOPENED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
I just reverted this patch as it causes the multiplex.sh regress test to
fail. Investigating.
bugzilla-daemon at mindrot.org
2020-Jul-03 07:28 UTC
[Bug 3189] channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|REOPENED |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
I have restored the free() call but only for channels of type
SSH_CHANNEL_MUX_LISTENER - doing it for other channels can clobber the
shared mux proxy mode state.
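An added illustration, not OpenSSH code and not part of the thread: a small ledger model comparing the three teardown policies this bug went through (never free, always free, free only for the listener type). All type, field and function names are hypothetical, and the model assumes listener-type channels each own a private context while two proxy channels share one owned elsewhere.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model: names are hypothetical stand-ins, not OpenSSH identifiers. */
enum chan_type { CHAN_LISTENER, CHAN_PROXY };
enum free_policy { POLICY_NEVER, POLICY_ALWAYS, POLICY_LISTENER_ONLY };
struct ctx { int holders; int released; };   /* ledger entry, not real heap state */
struct chan { enum chan_type type; struct ctx *mux_ctx; };
struct outcome { int leaked; int clobbered; };

/* Tear down one channel under the given policy and record the effect. */
static void chan_free(struct chan *c, enum free_policy p, struct outcome *o)
{
    int do_free = p == POLICY_ALWAYS ||
        (p == POLICY_LISTENER_ONLY && c->type == CHAN_LISTENER);

    c->mux_ctx->holders--;
    if (do_free) {
        /* Releasing state another channel still holds, or releasing it twice. */
        if (c->mux_ctx->holders > 0 || c->mux_ctx->released)
            o->clobbered++;
        c->mux_ctx->released = 1;
    }
    c->mux_ctx = NULL;
}

/* n listener channels with private contexts, then two proxy channels sharing one. */
struct outcome simulate(enum free_policy p, int n)
{
    struct outcome o = {0, 0};
    struct ctx *priv = calloc(n > 0 ? (size_t)n : 1, sizeof(*priv));
    struct ctx shared = {2, 0};              /* assumed to be owned outside the channels */
    struct chan a = {CHAN_PROXY, &shared}, b = {CHAN_PROXY, &shared};

    if (priv == NULL) { o.leaked = -1; return o; }
    for (int i = 0; i < n; i++) {
        struct chan l = {CHAN_LISTENER, &priv[i]};
        priv[i].holders = 1;
        chan_free(&l, p, &o);
        if (!priv[i].released)
            o.leaked++;                      /* context outlived its only channel */
    }
    chan_free(&a, p, &o);                    /* b still depends on shared state here */
    chan_free(&b, p, &o);
    free(priv);
    return o;
}

int main(void)
{
    for (int p = POLICY_NEVER; p <= POLICY_LISTENER_ONLY; p++) {
        struct outcome o = simulate((enum free_policy)p, 100);
        printf("policy %d: leaked=%d clobbered=%d\n", p, o.leaked, o.clobbered);
    }
    return 0;
}
```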
bugzilla-daemon at mindrot.org
2020-Jul-03 08:14 UTC
[Bug 3189] channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
eiichi.tsukata at nutanix.com <eiichi.tsukata at nutanix.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |eiichi.tsukata at nutanix.com
--- Comment #4 from eiichi.tsukata at nutanix.com <eiichi.tsukata at nutanix.com> ---
The patch and reproducer had been originally posted at
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-May/038501.html
bugzilla-daemon at mindrot.org
2020-Oct-02 04:54 UTC
[Bug 3189] channel mux_ctx memory leak
https://bugzilla.mindrot.org/show_bug.cgi?id=3189
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Mass close of all bugs fixed in 8.4 release.