bugzilla-daemon at mindrot.org
2023-Jan-14 19:45 UTC
[Bug 3522] New: Crash with "free(): double free detected" with old clients
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Bug ID: 3522
Summary: Crash with "free(): double free detected" with old clients
Product: Portable OpenSSH
Version: 9.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: grawity at gmail.com
I'm investigating a similar issue to #3512 on Arch with OpenSSH 9.1p1
and Glibc 2.36-6 and OpenSSL 3.0.7, though I'm not 100% sure if it's
the same problem.
The issue is that incoming SSH connections from a modern OpenSSH client
work fine, but connections from a somewhat obsolete client
(retrocomputing, don't ask) crash with "seccomp violation" for the
writev() call -- and after I added it to the allow list, for the
tgkill() call.
However, the writev() call in question is this:
[pid 592791] writev(2, [{iov_base="free(): double free detected in tcache 2", iov_len=40}, {iov_base="\n", iov_len=1}], 2) = 41
So the tgkill() probably makes sense as it comes from libc itself,
rather than from OpenSSH.
The client in question is PuTTY_Release_0.64, which seems to trigger
"compat KEX proposal" in sshd. Version 0.65 doesn't trigger it and
doesn't cause a crash.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Jan-14 19:47 UTC
[Bug 3522] Crash with "free(): double free detected" with old clients
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
--- Comment #1 from Mantas M. <grawity at gmail.com> ---
debug2: monitor_read: 8 used once, disabling now
free(): double free detected in tcache 2
Thread 2.1 "sshd" received signal SIGSYS, Bad system call.
[Switching to Thread 0x7ffff7e59780 (LWP 594648)]
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading 0.00 MB source file /usr/src/debug/glibc/nptl/pthread_kill.c
44        return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1  0x00007ffff77c96b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7779958 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff776353d in __GI_abort () at abort.c:79
#4  0x00007ffff77bd7ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff78dc44b "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007ffff77d33dc in malloc_printerr (str=str@entry=0x7ffff78df058 "free(): double free detected in tcache 2") at malloc.c:5660
#6  0x00007ffff77d5737 in _int_free (av=0x7ffff7919ba0 <main_arena>, p=0x5555556c4040, have_lock=have_lock@entry=0) at malloc.c:4469
#7  0x00007ffff77d7ba3 in __GI___libc_free (mem=mem@entry=0x5555556c4050) at malloc.c:3385
#8  0x00005555556023b5 in kex_assemble_names (listp=listp@entry=0x55555567bbc8 <options+1224>, def=def@entry=0x5555556c2b40 "sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-s"..., all=all@entry=0x5555556e01c0 "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group"...) at kex.c:315
#9  0x0000555555567768 in assemble_algorithms (o=o@entry=0x55555567b700 <options>) at servconf.c:233
#10 0x000055555556f22e in copy_set_server_options (dst=dst@entry=0x55555567b700 <options>, src=src@entry=0x5555556d0d50, preauth=preauth@entry=1) at servconf.c:2658
#11 0x0000555555591859 in mm_getpwnamallow (ssh=<optimized out>, username=<optimized out>) at monitor_wrap.c:336
#12 0x0000555555578e0e in input_userauth_request (type=<optimized out>, seq=<optimized out>, ssh=0x5555556e1f00) at auth2.c:286
#13 0x00005555555eb9b7 in ssh_dispatch_run (ssh=ssh@entry=0x5555556e1f00, mode=mode@entry=0, done=done@entry=0x5555556e3af0) at dispatch.c:113
#14 0x00005555555ebb1d in ssh_dispatch_run_fatal (ssh=ssh@entry=0x5555556e1f00, mode=mode@entry=0, done=done@entry=0x5555556e3af0) at dispatch.c:133
#15 0x0000555555576ce4 in do_authentication2 (ssh=ssh@entry=0x5555556e1f00) at auth2.c:177
#16 0x000055555556295f in main (ac=<optimized out>, av=<optimized out>) at sshd.c:2252
(gdb)
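As an added illustration (not OpenSSH code, and not a claim about the exact defect that 9.2 fixed): the glibc message in the backtrace fires when a heap buffer reaches free() a second time, and in list-rewriting code of the kex_assemble_names() kind the classic way to get there is a filter that sometimes hands back the caller's own pointer and sometimes a new allocation, so the caller can no longer tell whether it still owns the input. The functions filter_names() and apply_compat_filter() below are constructed, hypothetical names; they always return a fresh allocation and replace the list through a `char **`, so every buffer is freed exactly once and no stale pointer survives for a later free(). The sample list is built from algorithm names that appear in the backtrace strings.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed helper: heap copy of a C string (avoids relying on strdup()
 * being declared under strict ISO C modes). */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* Return 1 if the `len`-byte name at `name` is one of the comma-separated
 * entries of `denied`, else 0. `name` need not be NUL-terminated. */
static int name_in_list(const char *name, size_t len, const char *denied)
{
    const char *p = denied;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t plen = comma ? (size_t)(comma - p) : strlen(p);
        if (plen == len && memcmp(p, name, len) == 0)
            return 1;
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return 0;
}

/* Build a NEW comma-separated string holding the entries of `list` that are
 * not in `denied`. It never returns `list` itself, even when nothing was
 * removed, so the caller may free() the result and the input independently.
 * Returns NULL only on allocation failure. */
char *filter_names(const char *list, const char *denied)
{
    size_t cap = strlen(list) + 1;   /* output is a subset: never longer */
    char *out = malloc(cap);
    if (out == NULL)
        return NULL;
    out[0] = '\0';
    size_t used = 0;
    const char *p = list;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && !name_in_list(p, len, denied)) {
            if (used > 0)
                out[used++] = ',';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        }
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return out;
}

/* Replace the list owned through `*listp` by its filtered form. The old
 * buffer is freed exactly once, here, and `*listp` is updated immediately so
 * no dangling pointer remains for a second free(). Returns 0 on success,
 * -1 on allocation failure (then `*listp` is left untouched and still owned
 * by the caller). */
int apply_compat_filter(char **listp, const char *denied)
{
    char *fresh = filter_names(*listp, denied);
    if (fresh == NULL)
        return -1;
    free(*listp);
    *listp = fresh;
    return 0;
}

int main(void)
{
    /* Constructed sample: names taken from the backtrace's def/all strings. */
    char *kex = copy_string("curve25519-sha256,"
                            "diffie-hellman-group-exchange-sha256,"
                            "diffie-hellman-group14-sha1");
    if (kex == NULL)
        return 1;
    if (apply_compat_filter(&kex, "diffie-hellman-group-exchange-sha256") != 0) {
        free(kex);
        return 1;
    }
    printf("%s\n", kex);
    free(kex);   /* the single, final free of the current buffer */
    return 0;
}
```

The rule the example enforces is the one a reviewer checks for in any "maybe rewrite this string" API: either the function always allocates, or it never frees and never aliases its input; a function that does both depending on a runtime condition (here, whether the client needs compat treatment) leaves the caller guessing, and the guess that fails is exactly the double free() glibc's tcache check reports.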
bugzilla-daemon at mindrot.org
2023-Jan-18 02:34 UTC
[Bug 3522] Crash with "free(): double free detected" with old clients
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Damien Miller <djm at mindrot.org> changed:
What   | Removed | Added
-------+---------+------------------
Blocks |         | 3480
CC     |         | djm at mindrot.org
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.2
bugzilla-daemon at mindrot.org
2023-Feb-02 13:02 UTC
[Bug 3522] Crash with "free(): double free detected" with old clients
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Damien Miller <djm at mindrot.org> changed:
What       | Removed | Added
-----------+---------+---------
Resolution | ---     | FIXED
Status     | NEW     | RESOLVED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Thanks for the report. This has been fixed in OpenSSH 9.2, that has
just been released.
bugzilla-daemon at mindrot.org
2023-Feb-02 19:55 UTC
[Bug 3522] Crash with "free(): double free detected" with old clients
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Sam James <sam at gentoo.org> changed:
What | Removed | Added
-----+---------+-----------------
CC   |         | sam at gentoo.org
bugzilla-daemon at mindrot.org
2023-Feb-02 19:55 UTC
[Bug 3522] Crash with "free(): double free detected" with old clients
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Sam James <sam at gentoo.org> changed:
What     | Removed | Added
---------+---------+--------------------------------------------------
See Also |         | https://bugzilla.mindrot.org/show_bug.cgi?id=3512
bugzilla-daemon at mindrot.org
2023-Mar-17 02:42 UTC
[Bug 3522] Crash with "free(): double free detected" with old clients
https://bugzilla.mindrot.org/show_bug.cgi?id=3522
Damien Miller <djm at mindrot.org> changed:
What   | Removed  | Added
-------+----------+-------
Status | RESOLVED | CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs.