Bug 2908 - I found that SSHD will crash when I start the application, another applications are same
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.7p1
Hardware: ARM Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2018-09-25 02:08 AEST by Chengyao Diao
Modified: 2021-04-23 15:00 AEST (History)
Attachments
The assembly code for main function (153.84 KB, text/plain)
2018-09-25 02:08 AEST, Chengyao Diao
Description Chengyao Diao 2018-09-25 02:08:14 AEST
Created attachment 3180
The assembly code for main function

Configure:
./configure --prefix=/usr --target=arm-none-linux-gnueabi --host=arm-none-linux-gnueabi --build=i686-pc-linux-gnu --prefix=/usr --with-ssl-engine --with-ssl-dir=/export/local/hdiao/openssl/install_1.02/usr --with-pam  CFLAGS='-I/export/local/hdiao/zlib/zlib_install/usr/include/ -I/export/local/hdiao/linux_pam/linux_pam_install/usr/include' LDFLAGS='-L/export/local/hdiao/zlib/zlib_install/usr/lib -L/export/local/hdiao/linux_pam/linux_pam_install/lib ' --exec-prefix=/usr --sysconfdir=/etc --localstatedir=/var --program-prefix="" --disable-gtk-doc --disable-gtk-doc-html --disable-doc --disable-docs --disable-documentation --with-xmlto=no --with-fop=no --disable-dependency-tracking --enable-ipv6 --disable-nls --disable-static --enable-shared  --disable-prelude --disable-isadir --disable-nis --disable-db --disable-regenerate-docu --libdir=/lib --disable-selinux


Startup SSHD
Quit anyway? (y or n) y
root@sitara-platform:~# gdb /usr/sbin/sshd
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-unknown-linux-gnueabi".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
(gdb) set height 0
(gdb) b main
Breakpoint 1 at 0xbca8
(gdb) r
Starting program: /usr/sbin/sshd
warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.

Breakpoint 1, 0x400b6ca8 in main ()
(gdb) bt
#0  0x400b6ca8 in main ()
(gdb) i r
r0             0x1      1
r1             0xbef6ee34       3203853876
r2             0xbef6ee3c       3203853884
r3             0x400b6ca8       1074490536
r4             0x4018331c       1075327772
r5             0x0      0
r6             0x400b1f98       1074470808
r7             0x0      0
r8             0x0      0
r9             0x0      0
r10            0x40210000       1075904512
r11            0x0      0
r12            0x405a3958       1079654744
sp             0xbef6ece8       0xbef6ece8
lr             0x40490fd4       1078530004
pc             0x400b6ca8       0x400b6ca8 <main>
cpsr           0x60000010       1610612752
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x400b6cd8 in main ()
(gdb) bt
#0  0x400b6cd8 in main ()
(gdb) q
A debugging session is active.

        Inferior 1 [process 1866] will be killed.

Quit anyway? (y or n) y
root@sitara-platform:~# gdb /usr/sbin/sshd
GNU gdb (GDB) 7.4
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-unknown-linux-gnueabi".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
(gdb) b main
Breakpoint 1 at 0xbca8
(gdb) r
Starting program: /usr/sbin/sshd
warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.

Breakpoint 1, 0x400eaca8 in main ()
(gdb) set heigt 0
No symbol "heigt" in current context.
(gdb) set height 0
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x400eacd8 in main ()
(gdb) i r
r0             0xbecb0c50       3200978000
r1             0xbecb0e34       3200978484
r2             0x105c68 1072232
r3             0x654    1620
r4             0x401b731c       1075540764
r5             0x0      0
r6             0x400e5f98       1074683800
r7             0x0      0
r8             0x0      0
r9             0x0      0
r10            0x40220000       1075970048
r11            0xbecb0ce4       3200978148
r12            0x405ae958       1079699800
sp             0xbecb0ba0       0xbecb0ba0
lr             0x4049bfd4       1078575060
pc             0x400eacd8       0x400eacd8 <main+48>
cpsr           0x60000010       1610612752
(gdb) x /i $pc
=> 0x400eacd8 <main+48>:        ldr     r3, [r0, r3]
(gdb) disassemble main
Dump of assembler code for function main:
   0x400eaca8 <+0>:     push    {r4, r11, lr}
   0x400eacac <+4>:     add     r11, sp, #8
   0x400eacb0 <+8>:     sub     sp, sp, #316    ; 0x13c
   0x400eacb4 <+12>:    ldr     r2, [pc, #3896] ; 0x400ebbf4 <main+3916>
   0x400eacb8 <+16>:    str     r2, [r11, #-304]        ; 0x130
   0x400eacbc <+20>:    ldr     r3, [r11, #-304]        ; 0x130
   0x400eacc0 <+24>:    add     r3, pc, r3
   0x400eacc4 <+28>:    str     r3, [r11, #-304]        ; 0x130
   0x400eacc8 <+32>:    str     r0, [r11, #-248]        ; 0xf8
   0x400eaccc <+36>:    str     r1, [r11, #-252]        ; 0xfc
   0x400eacd0 <+40>:    ldr     r3, [pc, #3872] ; 0x400ebbf8 <main+3920>
   0x400eacd4 <+44>:    ldr     r0, [r11, #-300]        ; 0x12c
=> 0x400eacd8 <+48>:    ldr     r3, [r0, r3]
   0x400eacdc <+52>:    ldr     r3, [r3]
   0x400eace0 <+56>:    str     r3, [r11, #-16]
   0x400eace4 <+60>:    mov     r3, #0
   0x400eace8 <+64>:    str     r3, [r11, #-28]
   0x400eacec <+68>:    mov     r3, #1

I also found something weird. There are some invalid instructions when I disassembled the main function.

   0x400ebcb8 <+4112>:  ldrdeq  r1, [r0], -r4
   0x400ebcbc <+4116>:                  ; <UNDEFINED> instruction: 0x000011b0
   0x400ebcc0 <+4120>:                  ; <UNDEFINED> instruction: 0xfffc799c
   0x400ebcc4 <+4124>:                  ; <UNDEFINED> instruction: 0xfffc79b8
   0x400ebcc8 <+4128>:                  ; <UNDEFINED> instruction: 0xfffc79c0
   0x400ebccc <+4132>:                  ; <UNDEFINED> instruction: 0xfffc79c8
Comment 1 Chengyao Diao 2018-09-25 06:59:24 AEST
I found the root cause. I tested it in different versions from 5.9~7.8.
I found that this issue only happens after version 6.5. I checked the release notes and found the following notes. After adding the options
"--with-pie --without-hardening --without-stackprotect", it works well. So it is not the issue


Portable OpenSSH:

 * Please note that this is the last version of Portable OpenSSH that
   will support versions of OpenSSL prior to 0.9.6. Support (i.e.
   SSH_OLD_EVP) will be removed following the 6.5p1 release.

 * Portable OpenSSH will attempt compile and link as a Position
   Independent Executable on Linux, OS X and OpenBSD on recent gcc-
   like compilers. Other platforms and older/other compilers may
   request this using the --with-pie configure flag.

 * A number of other toolchain-related hardening options are used
   automatically if available, including -ftrapv to abort on signed
   integer overflow and options to write-protect dynamic linking
   information.  The use of these options may be disabled using the
   --without-hardening configure flag.

 * If the toolchain supports it, one of the -fstack-protector-strong,
   -fstack-protector-all or -fstack-protector compilation flag are
   used to add guards to mitigate attacks based on stack overflows.
   The use of these options may be disabled using the
   --without-stackprotect configure option.
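The release notes quoted above describe three toolchain properties (PIE, write-protected dynamic linking information, stack protector) that the configure script enables when it believes the compiler supports them. Before dropping them with `--without-hardening` or `--without-stackprotect`, it is useful to see which of them actually ended up in the produced `sshd`. The following script is an added example, not part of this bug report or of OpenSSH: it reads the ELF header, program headers and dynamic section of a 32-bit little-endian ELF image (the ARM target used here) and reports whether the binary is position independent (`ET_DYN`), whether it has a `PT_GNU_RELRO` segment and `BIND_NOW` flags, and whether it imports `__stack_chk_fail`. The function names `hardening_report` and `build_sample_elf` and the synthetic ELF images the latter constructs are mine; they exist only so the example runs offline.

```python
import struct

# ELF constants (from the ELF specification and the GNU binutils headers).
ET_EXEC, ET_DYN = 2, 3
EM_ARM = 40
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # 52-byte ELF32 header, little-endian
PHDR = struct.Struct("<IIIIIIII")           # 32-byte ELF32 program header
DYN = struct.Struct("<iI")                  # 8-byte ELF32 dynamic entry (d_tag, d_val)


def _vaddr_to_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, _, p_filesz, *_ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % vaddr)


def hardening_report(data):
    """Return {'pie', 'relro', 'stack_protector'} for a 32-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("only ELF32 little-endian images are handled by this example")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    # An executable linked with -pie is ET_DYN; a traditional executable is ET_EXEC.
    pie = e_type == ET_DYN

    # Walk the dynamic section for the string table location and the binding flags.
    dynamic, strtab = {}, b""
    for p_type, p_offset, _, _, p_filesz, *_ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            dynamic[d_tag] = d_val
    if DT_STRTAB in dynamic and DT_STRSZ in dynamic:
        start = _vaddr_to_offset(phdrs, dynamic[DT_STRTAB])
        strtab = data[start:start + dynamic[DT_STRSZ]]

    # RELRO: PT_GNU_RELRO is made read-only after relocation; it is "full" only
    # when the loader also resolves every binding up front (BIND_NOW / DF_1_NOW).
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = bool(dynamic.get(DT_FLAGS, 0) & DF_BIND_NOW) or \
        bool(dynamic.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = "none" if not has_relro else ("full" if bind_now else "partial")

    # -fstack-protector* emits calls to __stack_chk_fail, so a dynamically linked
    # binary built with it names that symbol in its dynamic string table.
    stack_protector = b"__stack_chk_fail" in strtab.split(b"\x00")

    return {"pie": pie, "relro": relro, "stack_protector": stack_protector}


def build_sample_elf(pie=True, relro=True, bind_now=True, stack_protector=True):
    """Construct a minimal ELF32 ARM image with the requested properties (sample input only)."""
    names = [b"", b"libc.so.6"] + ([b"__stack_chk_fail"] if stack_protector else [])
    strtab = b"\x00".join(names) + b"\x00"
    dyn_off, str_off = 0x100, 0x200
    entries = [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab)),
               (DT_FLAGS, DF_BIND_NOW if bind_now else 0), (DT_NULL, 0)]
    dyn = b"".join(DYN.pack(*e) for e in entries)
    total = str_off + len(strtab)
    # Segments: one PT_LOAD covering the whole file at vaddr 0, PT_DYNAMIC,
    # and optionally a PT_GNU_RELRO segment over the dynamic section.
    seg = [(PT_LOAD, 0, 0, 0, total, total, 4, 0x1000),
           (PT_DYNAMIC, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 6, 4)]
    if relro:
        seg.append((PT_GNU_RELRO, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 4, 1))
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELF32, LE, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, EM_ARM, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(seg), 0, 0, 0)
    img = bytearray(total)
    img[:EHDR.size] = ehdr
    for i, s in enumerate(seg):
        PHDR.pack_into(img, EHDR.size + i * PHDR.size, *s)
    img[dyn_off:dyn_off + len(dyn)] = dyn
    img[str_off:str_off + len(strtab)] = strtab
    return bytes(img)


if __name__ == "__main__":
    import sys
    print("hardened sample:", hardening_report(build_sample_elf()))
    print("unhardened sample:", hardening_report(
        build_sample_elf(pie=False, relro=False, bind_now=False, stack_protector=False)))
    for path in sys.argv[1:]:          # e.g. the freshly built /usr/sbin/sshd
        with open(path, "rb") as f:
            print(path, hardening_report(f.read()))
```

Run it with the path of a cross-built `sshd` to compare the two configurations from this report: a build with the default flags should report `pie: True` and a stack protector, while a `--without-hardening --without-stackprotect` build should not. The `__stack_chk_fail` check only works for dynamically linked binaries, since a static build has no dynamic string table, and the parser deliberately covers only ELF32 little-endian images to stay short.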
Comment 2 Damien Miller 2021-04-23 15:00:23 AEST
closing resolved bugs as of 8.6p1 release