Bug 1445

Summary: ssh segmentation fault
Product: Portable OpenSSH Reporter: qianliguo <qianliguo2002>
Component: ssh Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED INVALID    
Severity: critical CC: djm, dtucker
Priority: P1    
Version: 4.6p1   
Hardware: ARM   
OS: Linux   

Description qianliguo 2008-02-28 13:43:36 AEDT
 
Comment 1 qianliguo 2008-02-28 13:56:17 AEDT
# strace ssh
execve("/usr/bin/ssh", ["ssh"], [/* 16 vars */]) = 0
mmap2(NULL, 20, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40005000
stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=1796, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY)      = 4
mmap2(NULL, 1796, PROT_READ, MAP_SHARED, 4, 0) = 0x40006000
close(4)                                = 0
open("/lib/libcrypto.so.0.9.8", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=1136576, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0,X\3\0004"..., 4096) = 4096
mmap2(NULL, 1183744, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000e000
mmap2(0x4000e000, 1060052, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x4000e000
mmap2(0x40119000, 74620, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x103) = 0x40119000
mmap2(0x4012c000, 10364, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012c000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libutil.so.0", O_RDONLY)     = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=4656, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0008\10\0\000"..., 4096) = 4096
mmap2(NULL, 36864, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012f000
mmap2(0x4012f000, 3160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x4012f000
mmap2(0x40137000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40137000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libz.so.1", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=71984, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\304\26\0"..., 4096) = 4096
mmap2(NULL, 106496, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40138000
mmap2(0x40138000, 70176, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40138000
mmap2(0x40151000, 1260, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x11) = 0x40151000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libcrypt.so.0", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=12892, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\234\4\0\000"..., 4096) = 4096
mmap2(NULL, 118784, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40152000
mmap2(0x40152000, 9380, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40152000
mmap2(0x4015c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2) = 0x4015c000
mmap2(0x4015d000, 70864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4015d000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libresolv.so.0", O_RDONLY)   = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=4640, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\204\2\0\000"..., 4096) = 4096
mmap2(NULL, 36864, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4016f000
mmap2(0x4016f000, 668, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x4016f000
mmap2(0x40177000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40177000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=31736, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0X\25\0\000"..., 4096) = 4096
mmap2(NULL, 65536, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40178000
mmap2(0x40178000, 28800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40178000
mmap2(0x40187000, 548, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x7) = 0x40187000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0 \251\0\000"..., 4096) = 4096
mmap2(NULL, 360448, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40188000
mmap2(0x40188000, 303940, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40188000
mmap2(0x401da000, 5172, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x4a) = 0x401da000
mmap2(0x401dc000, 16020, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x401dc000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libdl.so.0", O_RDONLY)       = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=8900, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0(\10\0\000"..., 4096) = 4096
mmap2(NULL, 40960, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x401e0000
mmap2(0x401e0000, 5868, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x401e0000
mmap2(0x401e9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1) = 0x401e9000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=31736, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=31736, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
munmap(0x40006000, 1796)                = 0
stat("/lib/ld-uClibc.so.0", {st_mode=S_IFREG|0755, st_size=21096, ...}) = 0
mprotect(0x40137000, 4096, PROT_READ)   = 0
mprotect(0x4015c000, 4096, PROT_READ)   = 0
mprotect(0x40177000, 4096, PROT_READ)   = 0
mprotect(0x401da000, 4096, PROT_READ)   = 0
mprotect(0x401e9000, 4096, PROT_READ)   = 0
mprotect(0x4000c000, 4096, PROT_READ)   = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B115200 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B115200 opost isig icanon echo ...}) = 0
open("/dev/null", O_RDWR|O_LARGEFILE)   = 4
close(4)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 343 detached
Comment 2 Darren Tucker 2008-02-28 14:04:43 AEDT
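Unfortunately the strace is not very helpful: it records only system calls, so it shows the process receiving SIGSEGV after the last close() but not where in the code the fault happened.  Can you run ssh under a debugger and get a stack trace?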
Comment 3 Damien Miller 2008-02-28 14:06:34 AEDT
Did you not read the notice asking not to post long debug traces?

Please provide output from running ssh under gdb. It isn't entirely clear that you have even made it into ssh code from ld.so and crt0.