Stefan Heinrichs
2000-Feb-02 16:17 UTC
Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)
Hi,

I would like to report a bug in OpenSSH-1.2.2 (release) under Linux.

Under certain conditions the sshd client process segfaults while doing the password authentication. I have observed the behaviour with glibc 2.0.7 (non-PAM), glibc 2.1.1 (PAM) and glibc 2.1.2 (PAM), when 'RhostsRSAAuthentication yes' is chosen in sshd_config. It appears to happen regardless of whether PAM is used or not (but under slightly different conditions).

With glibc 2.0.7/2.1.1 it happens at the first password authentication attempt, while with glibc 2.1.2 things are a bit more complicated: With PAM enabled the segfault happens at the second or third password authentication attempt regardless of whether this attempt would have succeeded (i.e. when I entered the right password) or not. With PAM disabled (--without-pam) I was only able to observe it at a password authentication attempt > 1 when this attempt would have succeeded.

Here is a debugger session on a glibc 2.1.2 (SuSE 6.3) system, where sshd was compiled with PAM enabled, the sshd_config file was the example file from opensshd-1.2.2.tar.gz where RhostsRSAAuthentication yes has been set:

(gdb) run
Starting program: /home/bernd/download/openssh-1.2.2/sshd -d -f sshd_config
debug: sshd version OpenSSH-1.2.2
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 890
debug: Client protocol version 1.5; client software version OpenSSH-1.2.2
debug: Sent 768 bit public key and 1023 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "bernd"
debug: Attempting authentication for bernd.
debug: Trying rhosts with RSA host authentication for bernd
Failed rhosts-rsa for bernd from 127.0.0.1 port 890 ruser bernd
debug: PAM Password authentication for "bernd" failed: Authentication failure
Failed password for bernd from 127.0.0.1 port 890

Program received signal SIGSEGV, Segmentation fault.
0x400b0ef2 in chunk_alloc (ar_ptr=0x40149ba0, nb=16) at malloc.c:2707
2707    malloc.c: No such file or directory.
(gdb) where
#0  0x400b0ef2 in chunk_alloc (ar_ptr=0x40149ba0, nb=16) at malloc.c:2707
#1  0x400b0e14 in __libc_malloc (bytes=8) at malloc.c:2651
#2  0x804ec58 in pamconv (num_msg=1, msg=0xbfffeca0, resp=0xbfffeca4, appdata_ptr=0x0) at auth-pam.c:43
#3  0x40019911 in __get_authtok () from /lib/security/pam_unix.so
#4  0x40017a5d in pam_sm_authenticate () from /lib/security/pam_unix.so
#5  0x4004f648 in pam_fail_delay () from /lib/libpam.so.0
#6  0x4004f9ce in _pam_dispatch () from /lib/libpam.so.0
#7  0x400512cc in pam_authenticate () from /lib/libpam.so.0
#8  0x804ef47 in auth_pam_password (pw=0xbffff24c, password=0x80826c0 "asdf") at auth-pam.c:136
#9  0x804c75d in do_authloop (pw=0xbffff24c) at sshd.c:1445
#10 0x804c329 in do_authentication () at sshd.c:1248
#11 0x804bb58 in main (ac=4, av=0xbffff8a4) at sshd.c:873

I hope this report helps in finding the bug. If you would like me to perform further tests, please let me know.

Best regards,
Stefan and Bernd (who originally found this behavior)

-------------------------------------------------------------------
Email: Stefan.Heinrichs at uni-konstanz.de
Address: Fakulaet fuer Physik, Universitaet Konstanz, Universitaetsstr.10, 78457 Konstanz, Germany
Phone: +49 7531 88 3814
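A crash inside chunk_alloc on a later malloc, as in the trace above, is the typical way a heap corrupted by an earlier bad free shows up. The following C model is an added illustration, not code from this report or from OpenSSH: it mimics an authentication loop in which a per-attempt pointer is allocated only on the first attempt but freed at the bottom of every iteration, and the constructed tracking allocator (tracked_xmalloc/tracked_xfree, both hypothetical names) counts frees of a stale pointer instead of corrupting the real heap; the null_after_free flag stands for resetting the pointer to NULL right after freeing it.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed tracking allocator: remembers the single live block so that a
 * free of a stale pointer is counted rather than corrupting the heap. */
static void *live_block = NULL;
static int stale_frees = 0;

static void *tracked_xmalloc(size_t n)
{
    live_block = malloc(n);
    return live_block;
}

static void tracked_xfree(void *p)
{
    if (p != live_block) {  /* pointer was already freed on an earlier pass */
        stale_frees++;
        return;
    }
    free(p);
    live_block = NULL;
}

/* Model of a per-attempt authentication loop: client_user is allocated only on
 * the first attempt, but the cleanup at the bottom runs on every iteration.
 * Returns how many times a stale pointer was handed to tracked_xfree. */
int run_authloop(int attempts, int null_after_free)
{
    char *client_user = NULL;
    stale_frees = 0;
    for (int attempt = 1; attempt <= attempts; attempt++) {
        if (attempt == 1)
            client_user = tracked_xmalloc(16);  /* e.g. the remote user name */
        /* ... this attempt fails; fall through to the per-attempt cleanup ... */
        if (client_user != NULL) {
            tracked_xfree(client_user);
            if (null_after_free)
                client_user = NULL;  /* otherwise the guard above admits a dangling pointer next pass */
        }
    }
    return stale_frees;
}

int main(void)
{
    printf("without reset: %d stale frees in 3 attempts\n", run_authloop(3, 0));
    printf("with reset:    %d stale frees in 3 attempts\n", run_authloop(3, 1));
    return 0;
}
```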
Damien Miller
2000-Feb-03 01:17 UTC
Bugreport: OpenSSH-1.2.2 Server for Linux (glibc 2.1.2)
On Wed, 2 Feb 2000, Stefan Heinrichs wrote:

> Hi,
>
> I would like to report a bug in OpenSSH-1.2.2 (release) under Linux.
>
> Under certain conditions the sshd client process segfaults while doing
> the password authentication. I have observed the behaviour with

This has been fixed:

Index: sshd.c
===================================================================
RCS file: /var/cvs/openssh/sshd.c,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- sshd.c 2000/01/26 00:07:22 1.55
+++ sshd.c 2000/02/02 14:07:08 1.56
@@ -1524,8 +1524,10 @@ return; } - if (client_user != NULL) + if (client_user != NULL) { xfree(client_user); + client_user = NULL; + } if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

-d

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
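Review bot: the `client_user = NULL;` added after `xfree(client_user);` is what makes the existing `if (client_user != NULL)` guard meaningful: without it, the next pass through the loop re-enters the guard with the already-freed pointer and frees it a second time, which is consistent with the reported fault surfacing later inside chunk_alloc when pamconv calls malloc on a subsequent attempt. Since the loop structure makes the pointer's lifetime easy to misread, a one-line comment stating that client_user is only (re)assigned on the rhosts-rsa path and must be reset here would help the next reader, and any other per-attempt allocation released at this point deserves the same reset.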