Bug 2908

Summary: I found that SSHD will crash when I start the application, another applications are same
Product: Portable OpenSSH Reporter: Chengyao Diao <chengyao.diao>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement    
Priority: P5    
Version: 7.7p1   
Hardware: ARM   
OS: Linux   
Attachments:
Description Flags
The assembly code for main function none

Description Chengyao Diao 2018-09-25 02:08:14 AEST 
Created attachment 3180 [details]
The assembly code for main function

Configure:
./configure --prefix=/usr --target=arm-none-linux-gnueabi --host=arm-none-linux-gnueabi --build=i686-pc-linux-gnu --prefix=/usr --with-ssl-engine --with-ssl-dir=/export/local/hdiao/openssl/install_1.02/usr --with-pam  CFLAGS='-I/export/local/hdiao/zlib/zlib_install/usr/include/ -I/export/local/hdiao/linux_pam/linux_pam_install/usr/include' LDFLAGS='-L/export/local/hdiao/zlib/zlib_install/usr/lib -L/export/local/hdiao/linux_pam/linux_pam_install/lib ' --exec-prefix=/usr --sysconfdir=/etc --localstatedir=/var --program-prefix="" --disable-gtk-doc --disable-gtk-doc-html --disable-doc --disable-docs --disable-documentation --with-xmlto=no --with-fop=no --disable-dependency-tracking --enable-ipv6 --disable-nls --disable-static --enable-shared  --disable-prelude --disable-isadir --disable-nis --disable-db --disable-regenerate-docu --libdir=/lib --disable-selinux


Startup SSHD
Quit anyway? (y or n) y
root@sitara-platform:~# gdb /usr/sbin/sshd
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-unknown-linux-gnueabi".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
(gdb) set height 0
(gdb) b main
Breakpoint 1 at 0xbca8
(gdb) r
Starting program: /usr/sbin/sshd
warning: Unable to find libthread_db matching inferior's thread library, thread                                                                   debugging will not be available.

Breakpoint 1, 0x400b6ca8 in main ()
(gdb) bt
#0  0x400b6ca8 in main ()
(gdb) i r
r0             0x1      1
r1             0xbef6ee34       3203853876
r2             0xbef6ee3c       3203853884
r3             0x400b6ca8       1074490536
r4             0x4018331c       1075327772
r5             0x0      0
r6             0x400b1f98       1074470808
r7             0x0      0
r8             0x0      0
r9             0x0      0
r10            0x40210000       1075904512
r11            0x0      0
r12            0x405a3958       1079654744
sp             0xbef6ece8       0xbef6ece8
lr             0x40490fd4       1078530004
pc             0x400b6ca8       0x400b6ca8 <main>
cpsr           0x60000010       1610612752
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x400b6cd8 in main ()
(gdb) bt
#0  0x400b6cd8 in main ()
(gdb) q
A debugging session is active.

        Inferior 1 [process 1866] will be killed.

Quit anyway? (y or n) y
root@sitara-platform:~# gdb /usr/sbin/sshd
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-unknown-linux-gnueabi".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
(gdb) b main
Breakpoint 1 at 0xbca8
(gdb) r
Starting program: /usr/sbin/sshd
warning: Unable to find libthread_db matching inferior's thread library, thread                                                                   debugging will not be available.

Breakpoint 1, 0x400eaca8 in main ()
(gdb) set heigt 0
No symbol "heigt" in current context.
(gdb) set height 0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x400eacd8 in main ()
(gdb) i r
r0             0xbecb0c50       3200978000
r1             0xbecb0e34       3200978484
r2             0x105c68 1072232
r3             0x654    1620
r4             0x401b731c       1075540764
r5             0x0      0
r6             0x400e5f98       1074683800
r7             0x0      0
r8             0x0      0
r9             0x0      0
r10            0x40220000       1075970048
r11            0xbecb0ce4       3200978148
r12            0x405ae958       1079699800
sp             0xbecb0ba0       0xbecb0ba0
lr             0x4049bfd4       1078575060
pc             0x400eacd8       0x400eacd8 <main+48>
cpsr           0x60000010       1610612752
(gdb) x /i $pc
=> 0x400eacd8 <main+48>:        ldr     r3, [r0, r3]
(gdb) disassemble main
Dump of assembler code for function main:
   0x400eaca8 <+0>:     push    {r4, r11, lr}
   0x400eacac <+4>:     add     r11, sp, #8
   0x400eacb0 <+8>:     sub     sp, sp, #316    ; 0x13c
   0x400eacb4 <+12>:    ldr     r2, [pc, #3896] ; 0x400ebbf4 <main+3916>
   0x400eacb8 <+16>:    str     r2, [r11, #-304]        ; 0x130
   0x400eacbc <+20>:    ldr     r3, [r11, #-304]        ; 0x130
   0x400eacc0 <+24>:    add     r3, pc, r3
   0x400eacc4 <+28>:    str     r3, [r11, #-304]        ; 0x130
   0x400eacc8 <+32>:    str     r0, [r11, #-248]        ; 0xf8
   0x400eaccc <+36>:    str     r1, [r11, #-252]        ; 0xfc
   0x400eacd0 <+40>:    ldr     r3, [pc, #3872] ; 0x400ebbf8 <main+3920>
   0x400eacd4 <+44>:    ldr     r0, [r11, #-300]        ; 0x12c
=> 0x400eacd8 <+48>:    ldr     r3, [r0, r3]
   0x400eacdc <+52>:    ldr     r3, [r3]
   0x400eace0 <+56>:    str     r3, [r11, #-16]
   0x400eace4 <+60>:    mov     r3, #0
   0x400eace8 <+64>:    str     r3, [r11, #-28]
   0x400eacec <+68>:    mov     r3, #1



I also found something weird. There are some invalid instructions when I disassembled main function.



   0x400ebcb8 <+4112>:  ldrdeq  r1, [r0], -r4
   0x400ebcbc <+4116>:                  ; <UNDEFINED> instruction: 0x000011b0
   0x400ebcc0 <+4120>:                  ; <UNDEFINED> instruction: 0xfffc799c
   0x400ebcc4 <+4124>:                  ; <UNDEFINED> instruction: 0xfffc79b8
   0x400ebcc8 <+4128>:                  ; <UNDEFINED> instruction: 0xfffc79c0
   0x400ebccc <+4132>:                  ; <UNDEFINED> instruction: 0xfffc79c8
Comment 1 Chengyao Diao 2018-09-25 06:59:24 AEST 
I found the root cause. I tested it in different version from 5.9~7.8.
I found that this issue only happens after version 6.5. I checked the release notes. Found the following notes. After adding options 
"--with-pie --without-hardening --without-stackprotect", it works well. So it is not the issue


Portable OpenSSH:

 * Please note that this is the last version of Portable OpenSSH that
   will support versions of OpenSSL prior to 0.9.6. Support (i.e.
   SSH_OLD_EVP) will be removed following the 6.5p1 release.

 * Portable OpenSSH will attempt compile and link as a Position
   Independent Executable on Linux, OS X and OpenBSD on recent gcc-
   like compilers. Other platforms and older/other compilers may
   request this using the --with-pie configure flag.

 * A number of other toolchain-related hardening options are used
   automatically if available, including -ftrapv to abort on signed
   integer overflow and options to write-protect dynamic linking
   information.  The use of these options may be disabled using the
   --without-hardening configure flag.

 * If the toolchain supports it, one of the -fstack-protector-strong,
   -fstack-protector-all or -fstack-protector compilation flag are
   used to add guards to mitigate attacks based on stack overflows.
   The use of these options may be disabled using the
   --without-stackprotect configure option.
Comment 2 Damien Miller 2021-04-23 15:00:23 AEST 
closing resolved bugs as of 8.6p1 release