| Summary: | Crash with "free(): double free detected" with old clients | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Mantas M. [grawity] <grawity> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | minor | CC: | djm, sam |
| Priority: | P5 | ||
| Version: | 9.1p1 | ||
| Hardware: | amd64 | ||
| OS: | Linux | ||
| See Also: | https://bugzilla.mindrot.org/show_bug.cgi?id=3512 | ||
| Bug Depends on: | |||
| Bug Blocks: | 3480 | ||
debug2: monitor_read: 8 used once, disabling now
free(): double free detected in tcache 2
Thread 2.1 "sshd" received signal SIGSYS, Bad system call.
[Switching to Thread 0x7ffff7e59780 (LWP 594648)]
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading 0.00 MB source file /usr/src/debug/glibc/nptl/pthread_kill.c
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
at pthread_kill.c:44
#1 0x00007ffff77c96b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007ffff7779958 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff776353d in __GI_abort () at abort.c:79
#4 0x00007ffff77bd7ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff78dc44b "%s\n")
at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007ffff77d33dc in malloc_printerr (str=str@entry=0x7ffff78df058 "free(): double free detected in tcache 2")
at malloc.c:5660
#6 0x00007ffff77d5737 in _int_free (av=0x7ffff7919ba0 <main_arena>, p=0x5555556c4040, have_lock=have_lock@entry=0)
at malloc.c:4469
#7 0x00007ffff77d7ba3 in __GI___libc_free (mem=mem@entry=0x5555556c4050) at malloc.c:3385
#8 0x00005555556023b5 in kex_assemble_names (listp=listp@entry=0x55555567bbc8 <options+1224>,
def=def@entry=0x5555556c2b40 "sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-s"...,
all=all@entry=0x5555556e01c0 "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group"...)
at kex.c:315
#9 0x0000555555567768 in assemble_algorithms (o=o@entry=0x55555567b700 <options>) at servconf.c:233
#10 0x000055555556f22e in copy_set_server_options (dst=dst@entry=0x55555567b700 <options>,
src=src@entry=0x5555556d0d50, preauth=preauth@entry=1) at servconf.c:2658
#11 0x0000555555591859 in mm_getpwnamallow (ssh=<optimized out>, username=<optimized out>) at monitor_wrap.c:336
#12 0x0000555555578e0e in input_userauth_request (type=<optimized out>, seq=<optimized out>, ssh=0x5555556e1f00)
at auth2.c:286
#13 0x00005555555eb9b7 in ssh_dispatch_run (ssh=ssh@entry=0x5555556e1f00, mode=mode@entry=0,
done=done@entry=0x5555556e3af0) at dispatch.c:113
#14 0x00005555555ebb1d in ssh_dispatch_run_fatal (ssh=ssh@entry=0x5555556e1f00, mode=mode@entry=0,
done=done@entry=0x5555556e3af0) at dispatch.c:133
#15 0x0000555555576ce4 in do_authentication2 (ssh=ssh@entry=0x5555556e1f00) at auth2.c:177
#16 0x000055555556295f in main (ac=<optimized out>, av=<optimized out>) at sshd.c:2252
(gdb)
Thanks for the report. This has been fixed in OpenSSH 9.2, that has just been released. OpenSSH 9.3 has been released. Close resolved bugs |
I'm investigating a similar issue to #3512 on Arch with OpenSSH 9.1p1 and Glibc 2.36-6 and OpenSSL 3.0.7, though I'm not 100% sure if it's the same problem. The issue is that incoming SSH connections from a modern OpenSSH client work fine, but connections from a somewhat obsolete client (retrocomputing, don't ask) crash with "seccomp violation" for the writev() call -- and after I added it to the allow list, for the tgkill() call. However, the writev() call in question is this: [pid 592791] writev(2, [{iov_base="free(): double free detected in tcache 2", iov_len=40}, {iov_base="\n", iov_len=1}], 2) = 41 So the tgkill() probably makes sense as it comes from libc itself, rather than from OpenSSH. The client in question is PuTTY_Release_0.64, which seems to trigger "compat KEX proposal" in sshd. Version 0.65 doesn't trigger it and doesn't cause a crash.