Bug 1445 - ssh segmentation fault
Summary: ssh segmentation fault
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 4.6p1
Hardware: ARM Linux
Importance: P1 critical
Assignee: Assigned to nobody
Reported: 2008-02-28 13:43 AEDT by qianliguo
Modified: 2008-03-10 12:26 AEDT (History)
Description qianliguo 2008-02-28 13:43:36 AEDT
 
Comment 1 qianliguo 2008-02-28 13:56:17 AEDT
# strace ssh
execve("/usr/bin/ssh", ["ssh"], [/* 16 vars */]) = 0
mmap2(NULL, 20, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40005000
stat("/etc/ld.so.cache", {st_mode=S_IFREG|0644, st_size=1796, ...}) = 0
open("/etc/ld.so.cache", O_RDONLY)      = 4
mmap2(NULL, 1796, PROT_READ, MAP_SHARED, 4, 0) = 0x40006000
close(4)                                = 0
open("/lib/libcrypto.so.0.9.8", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=1136576, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0,X\3\0004"..., 4096) = 4096
mmap2(NULL, 1183744, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4000e000
mmap2(0x4000e000, 1060052, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x4000e000
mmap2(0x40119000, 74620, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x103) = 0x40119000
mmap2(0x4012c000, 10364, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4012c000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libutil.so.0", O_RDONLY)     = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=4656, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0008\10\0\000"..., 4096) = 4096
mmap2(NULL, 36864, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4012f000
mmap2(0x4012f000, 3160, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x4012f000
mmap2(0x40137000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40137000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libz.so.1", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=71984, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\304\26\0"..., 4096) = 4096
mmap2(NULL, 106496, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40138000
mmap2(0x40138000, 70176, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40138000
mmap2(0x40151000, 1260, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x11) = 0x40151000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libcrypt.so.0", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=12892, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\234\4\0\000"..., 4096) = 4096
mmap2(NULL, 118784, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40152000
mmap2(0x40152000, 9380, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40152000
mmap2(0x4015c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x2) = 0x4015c000
mmap2(0x4015d000, 70864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4015d000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libresolv.so.0", O_RDONLY)   = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=4640, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0\204\2\0\000"..., 4096) = 4096
mmap2(NULL, 36864, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4016f000
mmap2(0x4016f000, 668, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x4016f000
mmap2(0x40177000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40177000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=31736, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0X\25\0\000"..., 4096) = 4096
mmap2(NULL, 65536, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40178000
mmap2(0x40178000, 28800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40178000
mmap2(0x40187000, 548, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x7) = 0x40187000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0 \251\0\000"..., 4096) = 4096
mmap2(NULL, 360448, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40188000
mmap2(0x40188000, 303940, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x40188000
mmap2(0x401da000, 5172, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x4a) = 0x401da000
mmap2(0x401dc000, 16020, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x401dc000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libdl.so.0", O_RDONLY)       = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=8900, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40007000
read(4, "\177ELF\1\1\1a\0\0\0\0\0\0\0\0\3\0(\0\1\0\0\0(\10\0\000"..., 4096) = 4096
mmap2(NULL, 40960, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x401e0000
mmap2(0x401e0000, 5868, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x401e0000
mmap2(0x401e9000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x1) = 0x401e9000
close(4)                                = 0
munmap(0x40007000, 4096)                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=31736, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libgcc_s.so.1", O_RDONLY)    = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=31736, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
open("/lib/libc.so.0", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=309856, ...}) = 0
close(4)                                = 0
munmap(0x40006000, 1796)                = 0
stat("/lib/ld-uClibc.so.0", {st_mode=S_IFREG|0755, st_size=21096, ...}) = 0
mprotect(0x40137000, 4096, PROT_READ)   = 0
mprotect(0x4015c000, 4096, PROT_READ)   = 0
mprotect(0x40177000, 4096, PROT_READ)   = 0
mprotect(0x401da000, 4096, PROT_READ)   = 0
mprotect(0x401e9000, 4096, PROT_READ)   = 0
mprotect(0x4000c000, 4096, PROT_READ)   = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B115200 opost isig icanon echo ...}) = 0
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B115200 opost isig icanon echo ...}) = 0
open("/dev/null", O_RDWR|O_LARGEFILE)   = 4
close(4)                                = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Process 343 detached
Comment 2 Darren Tucker 2008-02-28 14:04:43 AEDT
Unfortunately the strace is not very helpful.  Can you run ssh under a debugger and get a stack trace?
Comment 3 Damien Miller 2008-02-28 14:06:34 AEDT
Did you not read the notice asking not to post long debug traces?

Please provide output from running ssh under gdb. It isn't entirely clear that you have even made it into ssh code from ld.so and crt0.