| Summary: | sshd core dumps when used in high-scale environments. |
|---|---|
| Product: | Portable OpenSSH |
| Component: | sshd |
| Version: | 6.2p1 |
| Hardware: | All |
| OS: | All |
| Status: | CLOSED FIXED |
| Severity: | major |
| Priority: | P5 |
| Reporter: | kavitha <kavi> |
| Assignee: | Assigned to nobody <unassigned-bugs> |
| CC: | djm, dtucker, kavi |
| Bug Depends on: | |
| Bug Blocks: | 2226 |
| Attachments: | 2424 (possible fix) |
Patch applied - this will be in OpenSSH-6.7. Thanks!

Close all bugs left open from 6.6 and 6.7 releases.
Created attachment 2424 [details] possible fix.

sshd crashes with a core dump when used in a high-scale environment. The program crashes inside the function "cleanup_exit" at the line

```
if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1)
```

It is assumed here that pmonitor is never NULL. However, pmonitor can be NULL in the execution sequence below:

```
#0 0x0804e214 in cleanup_exit (i=255) at ../../../../../../src/crypto/openssh/sshd.c:2415
#1 0x080ae7bf in fatal (fmt=0x80b8ea6 "%s: socketpair: %s") at ../../../../../../src/crypto/openssh/fatal.c:42
#2 0x08065779 in monitor_openfds (mon=0x80eb5c0, do_logfds=1) at ../../../../../../src/crypto/openssh/monitor.c:1877
#3 0x080658ee in monitor_init () at ../../../../../../src/crypto/openssh/monitor.c:1903
#4 0x080507fd in privsep_preauth (authctxt=0x0) at ../../../../../../src/crypto/openssh/sshd.c:669
#5 0x08051f72 in main (ac=903248, av=0xc811cc00) at ../../../../../../src/crypto/openssh/sshd.c:2014
```

Here pmonitor is NULL inside "privsep_preauth", which calls "monitor_init". "monitor_init" allocates memory for mon and calls "monitor_openfds". However, inside "monitor_openfds" the call to socketpair fails (in our case with errno = 23 /* Too many open files in system */). This calls "fatal", which in turn calls "cleanup_exit". Since pmonitor has not been initialized at that point, it crashes.
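The control flow in the report, as an added example written for this page; it is not OpenSSH code and not the attached patch 2424 (which is not reproduced here). The `struct monitor`, the `demo_*` helpers, `run_preauth` and `unchecked_path_signal` are constructed stand-ins, and `socketpair()` failure with `EMFILE` is injected rather than produced by exhausting the fd table. The hardened branch tests `pmonitor != NULL` before the dereference; that this is the shape of the fix that shipped is an assumption, since the page shows no diff.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the monitor state (not OpenSSH's real struct). */
struct monitor {
    pid_t m_pid;
    int m_sendfd;
    int m_recvfd;
};

/* Globals named as in the report. The pointer is volatile so the compiler
 * cannot fold away the NULL dereference deliberately triggered below. */
struct monitor * volatile pmonitor = NULL;
int use_privsep = 1;
int privsep_is_preauth = 1;

/* Fault injection (assumption for this demo): emulate socketpair()
 * failing with EMFILE, the "Too many open files" condition in the report. */
static int inject_emfile = 0;
static int demo_socketpair(int fds[2])
{
    if (inject_emfile) {
        errno = EMFILE;
        return -1;
    }
    return socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
}

/* Buggy shape from the report: dereferences pmonitor without checking it.
 * Returns 1 where real sshd would kill(pmonitor->m_pid, SIGALRM). */
static int cleanup_exit_unchecked(void)
{
    if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1)
        return 1;
    return 0;
}

/* Hardened shape: test the pointer before using it. */
static int cleanup_exit_checked(void)
{
    if (use_privsep && privsep_is_preauth && pmonitor != NULL &&
        pmonitor->m_pid > 1)
        return 1;
    return 0;
}

/* fatal() stand-in: real sshd logs and calls cleanup_exit(255), which never
 * returns. Here cleanup's decision is recorded so a caller can inspect it. */
static int last_cleanup_result = -1;
static void demo_fatal(const char *msg)
{
    fprintf(stderr, "fatal: %s: %s\n", msg, strerror(errno));
    last_cleanup_result = cleanup_exit_checked();
}

/* monitor_init() stand-in: allocate, then open the fds. The failure fires
 * before the caller has stored anything in pmonitor. */
static struct monitor *demo_monitor_init(void)
{
    struct monitor *mon = calloc(1, sizeof(*mon));
    int fds[2];
    if (mon == NULL)
        return NULL;
    if (demo_socketpair(fds) == -1) {
        demo_fatal("monitor_openfds: socketpair");
        free(mon);
        return NULL;
    }
    mon->m_sendfd = fds[0];
    mon->m_recvfd = fds[1];
    mon->m_pid = getpid();   /* in sshd this is the monitor process's pid */
    return mon;
}

/* Drives the sequence from the report: privsep_preauth() does
 * pmonitor = monitor_init(). Returns cleanup_exit's decision
 * (0 = nothing to signal, 1 = signal monitor) or -1 if fatal never ran. */
int run_preauth(int fail_socketpair)
{
    inject_emfile = fail_socketpair;
    last_cleanup_result = -1;
    pmonitor = NULL;
    pmonitor = demo_monitor_init();
    if (pmonitor != NULL) {
        close(pmonitor->m_sendfd);
        close(pmonitor->m_recvfd);
        free(pmonitor);
        pmonitor = NULL;
    }
    return last_cleanup_result;
}

/* Runs the unchecked path in a forked child with pmonitor == NULL.
 * Returns the signal that killed the child (SIGSEGV expected), 0 if it
 * survived, -1 if fork() failed. */
int unchecked_path_signal(void)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        pmonitor = NULL;
        _exit(cleanup_exit_unchecked());
    }
    waitpid(pid, &status, 0);
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("checked cleanup after EMFILE: %d\n", run_preauth(1));
    printf("unchecked cleanup, child killed by signal %d (SIGSEGV=%d)\n",
           unchecked_path_signal(), SIGSEGV);
    return 0;
}
```

The useful observation is the ordering: `fatal()` is reachable from inside `monitor_init()`, so any cleanup handler that runs from `fatal()` has to tolerate every global it touches still being in its pre-initialization state. Checking `pmonitor` is the minimal fix; the same review question applies to anything else `cleanup_exit` dereferences.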