openssh unix dev - Jan 2006 - Linux 4.2p1 crash during reverse name lookup

4.0p1 and 4.2p1 are affected for me, I'm using Linux based around a FC2 
build (~2 years old).

I'm trying to login with password authentication from psftp.exe (part of 
PuTTY) but it.

Maybe this bug isn't with OpenSSH itself but a supporting library, I 
would appreciate your assistance in tracking down the problem.

I have tried getting a 'core' file out of SSH with 'ulimit -c
unlimited'
before starting sshd, but I'm unable to find where the core file is.  
The procps listing indicates SSH's working directory is / in the root 
filesystem.

The reason why I state the problem occurs reverse name lookup is a guess 
from the strace output, it looks like it is tring to load libnss_dns.so, 
I'm not sure if this is being looked at from within the normal outer 
root filesystem view or from a chroot ?


$ psftp.exe -v dlm at ns1.netbauds.net -P 24
Server version: SSH-1.99-OpenSSH_4.2
We claim version: SSH-2.0-PuTTY-Release-0.56
Using SSH protocol version 2
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange
Host key fingerprint is:
ssh-rsa 1024 3e:77:d5:a0:ab:cd:ff:fd:ff:ef:e9:ec:13:1c:03:09
Initialised AES-256 client->server encryption
Initialised AES-256 server->client encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "dlm".
ssh_init: error during SSH connection setup
$

Strace Linux side output:

Process 4331 attached - interrupt to quit
clone(Process 5967 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
child_tidptr=0xb7fcc0c8) = 5967
[...SNIP...]
[pid  5967] execve("/opt/openssh/sbin/sshd",
["/opt/openssh/sbin/sshd",
"-p", "24", "-R"], [/* 25 vars */]) = 0
[...SNIP...]
[pid  5967] getpeername(3, {sa_family=AF_INET6, sin6_port=htons(4040), 
inet_pton(AF_INET6, "::ffff:82.36.183.26", &sin6_addr),
sin6_flowinfo=0,
sin6_scope_id=0}, [28]) = 0
[...SNIP...]
[pid  5967] getpeername(3, {sa_family=AF_INET6, sin6_port=htons(4040), 
inet_pton(AF_INET6, "::ffff:82.36.183.26", &sin6_addr),
sin6_flowinfo=0,
sin6_scope_id=0}, [28]) = 0
[...SNIP...]
[pid  5967] getpeername(3, {sa_family=AF_INET6, sin6_port=htons(4040), 
inet_pton(AF_INET6, "::ffff:82.36.183.26", &sin6_addr),
sin6_flowinfo=0,
sin6_scope_id=0}, [28]) = 0
[...SNIP...]
[pid  5967] clone(Process 5968 attached
child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, 
child_tidptr=0xb7fcc0c8) = 5968
[...SNIP...]
[pid  4657] getpeername(3, {sa_family=AF_INET6, sin6_port=htons(4034), 
inet_pton(AF_INET6, "::ffff:www.xxx.yyy.zzz", &sin6_addr), 
sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
[pid  4657] socket(PF_UNIX, SOCK_STREAM, 0) = 6
[pid  4657] connect(6, {sa_family=AF_UNIX,
path="/var/run/nscd/socket"},
110) = -1 ENOENT (No such file or directory)
[pid  4657] close(6)                    = 0
[pid  4657] gettimeofday({1136994626, 380903}, NULL) = 0
[pid  4657] open("/etc/resolv.conf", O_RDONLY) = -1 ENOENT (No such
file
or directory)
[pid  4657] uname({sys="Linux", node="mail.netbauds.net",
...}) = 0
[pid  4657] open("/etc/host.conf", O_RDONLY) = -1 ENOENT (No such file
or directory)
[pid  4657] open("/etc/hosts", O_RDONLY) = -1 ENOENT (No such file or 
directory)
[pid  4657] open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such
file
or directory)
[pid  4657] open("/lib/tls/i686/sse2/libnss_dns.so.2", O_RDONLY) = -1 
ENOENT (No such file or directory)
[pid  4657] stat64("/lib/tls/i686/sse2", 0xbfffd4fc) = -1 ENOENT (No 
such file or directory)
[pid  4657] open("/lib/tls/i686/libnss_dns.so.2", O_RDONLY) = -1
ENOENT
(No such file or directory)
[pid  4657] stat64("/lib/tls/i686", 0xbfffd4fc) = -1 ENOENT (No such 
file or directory)
[pid  4657] open("/lib/tls/sse2/libnss_dns.so.2", O_RDONLY) = -1
ENOENT
(No such file or directory)
[pid  4657] stat64("/lib/tls/sse2", 0xbfffd4fc) = -1 ENOENT (No such 
file or directory)
[pid  4657] open("/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid  4657] stat64("/lib/tls", 0xbfffd4fc) = -1 ENOENT (No such file
or
directory)
[pid  4657] open("/lib/i686/sse2/libnss_dns.so.2", O_RDONLY) = -1
ENOENT
(No such file or directory)
[pid  4657] stat64("/lib/i686/sse2", 0xbfffd4fc) = -1 ENOENT (No such 
file or directory)
[pid  4657] open("/lib/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT
(No
such file or directory)
[pid  4657] stat64("/lib/i686", 0xbfffd4fc) = -1 ENOENT (No such file
or
directory)
[pid  4657] open("/lib/sse2/libnss_dns.so.2", O_RDONLY) = -1 ENOENT
(No
such file or directory)
[pid  4657] stat64("/lib/sse2", 0xbfffd4fc) = -1 ENOENT (No such file
or
directory)
[pid  4657] open("/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No
such
file or directory)
[pid  4657] stat64("/lib", 0xbfffd4fc)  = -1 ENOENT (No such file or 
directory)
[pid  4657] open("/usr/lib/tls/i686/sse2/libnss_dns.so.2", O_RDONLY) =
-1 ENOENT (No such file or directory)
[pid  4657] stat64("/usr/lib/tls/i686/sse2", 0xbfffd4fc) = -1 ENOENT
(No
such file or directory)
[pid  4657] open("/usr/lib/tls/i686/libnss_dns.so.2", O_RDONLY) = -1 
ENOENT (No such file or directory)
[pid  4657] stat64("/usr/lib/tls/i686", 0xbfffd4fc) = -1 ENOENT (No
such
file or directory)
[pid  4657] open("/usr/lib/tls/sse2/libnss_dns.so.2", O_RDONLY) = -1 
ENOENT (No such file or directory)
[pid  4657] stat64("/usr/lib/tls/sse2", 0xbfffd4fc) = -1 ENOENT (No
such
file or directory)
[pid  4657] open("/usr/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT
(No such file or directory)
[pid  4657] stat64("/usr/lib/tls", 0xbfffd4fc) = -1 ENOENT (No such
file
or directory)
[pid  4657] open("/usr/lib/i686/sse2/libnss_dns.so.2", O_RDONLY) = -1 
ENOENT (No such file or directory)
[pid  4657] stat64("/usr/lib/i686/sse2", 0xbfffd4fc) = -1 ENOENT (No 
such file or directory)
[pid  4657] open("/usr/lib/i686/libnss_dns.so.2", O_RDONLY) = -1
ENOENT
(No such file or directory)
[pid  4657] stat64("/usr/lib/i686", 0xbfffd4fc) = -1 ENOENT (No such 
file or directory)
[pid  4657] open("/usr/lib/sse2/libnss_dns.so.2", O_RDONLY) = -1
ENOENT
(No such file or directory)
[pid  4657] stat64("/usr/lib/sse2", 0xbfffd4fc) = -1 ENOENT (No such 
file or directory)
[pid  4657] open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid  4657] stat64("/usr/lib", 0xbfffd4fc) = -1 ENOENT (No such file
or
directory)
[pid  4657] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
Process 4657 detached
[pid  4654] <... read resumed> 0xbffff018, 4) = ? ERESTARTSYS (To be 
restarted)
[pid  4654] --- SIGCHLD (Child exited) @ 0 (0) ---
[pid  4654] read(6, "", 4)              = 0
[pid  4654] exit_group(255)             = ?
Process 4654 detached
<... select resumed> )                  = 1 (in [5])
--- SIGCHLD (Child exited) @ 0 (0) ---
waitpid(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 255}], WNOHANG) = 4654
waitpid(-1, 0xbfffedc0, WNOHANG)        = -1 ECHILD (No child processes)
rt_sigaction(SIGCHLD, NULL, {0x804c3f0, [], 0}, 8) = 0
sigreturn()                             = ? (mask now [])
close(5)                                = 0
select(6, [3], NULL, NULL, NULL <unfinished ...>
Process 4331 detached


 From the SSH server system:

$ locate libnss_dns
/lib/libnss_dns-2.3.3.so
/lib/libnss_dns.so.2
/lib/libnss_dns.so.1
/usr/lib/libnss_dns.so.1
/usr/lib/libnss_dns.so


-- 
Darryl L. Miles

On Wed, Jan 11, 2006 at 04:30:51PM +0000, Darryl L. Miles
wrote:
> 4.0p1 and 4.2p1 are affected for me, I'm using Linux based around a
> FC2 build (~2 years old).
Was OpenSSH build on/specifically for the target system?

> Maybe this bug isn't with OpenSSH itself but a supporting library,
> I would appreciate your assistance in tracking down the problem.
It doesn't seem to be in OpenSSH, no.

> [pid  4657] stat64("/usr/lib/sse2", 0xbfffd4fc) = -1 ENOENT (No
such
> file or directory)
> [pid  4657] open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1
ENOENT (No
> such file or directory)
> [pid  4657] stat64("/usr/lib", 0xbfffd4fc) = -1 ENOENT (No such
file or
> directory)
> [pid  4657] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
This crash is inside the glibc resolver, upgrade glibc would be my
advice.


//Peter

Peter wrote:

 > Was OpenSSH build on/specifically for the target system?

I was building my own version into a location outside of the platforms standard
packaging (RPM/YUM) functions and the platforms packages one is disabled.



 > It doesn't seem to be in OpenSSH, no.

The problem system FedoraCore2 is using glibc 2.3.3, I have repeated the same
thing on a CentOS4.2 based system using glibc 2.3.4 and


> > [pid  4657] stat64("/usr/lib/sse2", 0xbfffd4fc) = -1 ENOENT
(No such
> > file or directory)
> > [pid  4657] open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1
ENOENT (No
> > such file or directory)
> > [pid  4657] stat64("/usr/lib", 0xbfffd4fc) = -1 ENOENT (No
such file or
> > directory)
> > [pid  4657] --- SIGSEGV (Segmentation fault) @ 0 (0) ---
>   
> This crash is inside the glibc resolver, upgrade glibc would be my
> advice.
With glibc 2.3.4 not crash but:

[pid 13660] stat64("/usr/lib/sse2", 0xbfffcb68) = -1 ENOENT (No such
file or directory)
[pid 13660] open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid 13660] stat64("/usr/lib", 0xbfffcb68) = -1 ENOENT (No such file
or directory)
[pid 13660] geteuid32()                 = 74
[pid 13660] write(3,
"\314\24\323b\272\1r]r\363\300\5\337\22\366\212\340\35*\260\25\361\214]\r\200@\37p6\336(!=\0176\250\261\37\0\367\303\207uv&2\n\0\215\337\311-\214-v\312\306\321\233\360\216\374\367\306\243vX\224[\260n4b\22C{\v
\r\32\251\340o", 84) = 84
[pid 13660] select(4, [3], NULL, NULL, NULL


Thanks for the pointers.


-- 
Darryl L. Miles