Bug 3189 - channel mux_ctx memory leak
Summary: channel mux_ctx memory leak
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.3p1
Hardware: ix86 Linux
Importance: P3 normal
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_8_4
Reported: 2020-07-01 08:01 AEST by Sergiy
Modified: 2020-10-02 14:54 AEST

Description Sergiy 2020-07-01 08:01:22 AEST
mux_ctx is allocated in mux_master_read_cb() but not freed.
This can cause an ssh process memory leak when multiplexing is used.

Steps to reproduce:

- Create ControlMaster

    $ ./ssh -o ControlPath=~/.ssh/mux -o ControlMaster=yes -N -n localhost

- Use multiplexing

    $ while true; do ./ssh -o ControlPath=~/.ssh/mux localhost true; done

- Watch the RSS of the ssh process

[eiichi at build-c7 ~]$ LANG=C pidstat -r -p 62937 10 60
Linux 3.10.0-1062.9.1.el7.x86_64 (build-c7)     05/21/20        _x86_64_        (8 CPU)

08:20:50          PID  minflt/s  majflt/s     VSZ    RSS   %MEM  Command
08:21:00        62937      0.40      0.00  128032   2920   0.04  ssh
08:21:10        62937      0.30      0.00  128164   2920   0.04  ssh
08:21:20        62937      0.40      0.00  128164   2920   0.04  ssh
08:21:30        62937      0.50      0.00  128164   2920   0.04  ssh
08:21:40        62937      0.40      0.00  128164   2920   0.04  ssh
08:21:50        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:00        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:10        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:20        62937      0.40      0.00  128164   2920   0.04  ssh
08:22:30        62937      0.40      0.00  128292   3068   0.04  ssh
08:22:40        62937      0.30      0.00  128292   3068   0.04  ssh
08:22:50        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:00        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:10        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:20        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:30        62937      0.30      0.00  128292   3068   0.04  ssh
08:23:40        62937      0.40      0.00  128292   3068   0.04  ssh
08:23:50        62937      0.40      0.00  128292   3068   0.04  ssh
08:24:00        62937      0.40      0.00  128420   3196   0.04  ssh
08:24:10        62937      0.40      0.00  128420   3196   0.04  ssh
08:24:20        62937      0.40      0.00  128420   3196   0.04  ssh


Fix:

diff --git a/channels.c b/channels.c
index 95a51e2..74b3cec 100644
--- a/channels.c
+++ b/channels.c
@@ -621,6 +621,8 @@ channel_free(struct ssh *ssh, Channel *c)
 	c->path = NULL;
 	free(c->listening_addr);
 	c->listening_addr = NULL;
+	free(c->mux_ctx);
+	c->mux_ctx = NULL;
 	while ((cc = TAILQ_FIRST(&c->status_confirms)) != NULL) {
 		if (cc->abandon_cb != NULL)
 			cc->abandon_cb(ssh, c, cc->ctx);
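Review bot: the new `free(c->mux_ctx)` at the top of this hunk runs for every channel type that passes through channel_free(), but the description says the context is allocated in mux_master_read_cb() for the mux listener, and other channel types may point at the same mux_ctx (Comment 3 below confirms that mux proxy mode shares this state); freeing it unconditionally leaves those channels with a dangling pointer. Suggest guarding the release by owner, e.g. `if (c->type == SSH_CHANNEL_MUX_LISTENER) { free(c->mux_ctx); c->mux_ctx = NULL; }`, and adding a short comment stating which channel type owns mux_ctx so the next reader does not reintroduce the unconditional free.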
Comment 1 Damien Miller 2020-07-03 17:05:55 AEST
Patch applied. This will be included in the OpenSSH 8.4 release, due in a couple of months.
Comment 2 Damien Miller 2020-07-03 17:18:26 AEST
I just reverted this patch as it causes the multiplex.sh regress test to fail. Investigating.
Comment 3 Damien Miller 2020-07-03 17:28:10 AEST
I have restored the free() call but only for channels of type SSH_CHANNEL_MUX_LISTENER - doing it for other channels can clobber the shared mux proxy mode state.
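A toy C model of the ownership question raised in this comment, added here as an example (it is not OpenSSH code): one mux listener owns a context that other channels borrow, and channel_free() is tried with three policies. It assumes, purely as a stand-in for the shared proxy-mode state mentioned above, that the non-listener channels point at the listener's context; the pool with a live flag exists only so that a second release is counted rather than becoming undefined behaviour.

```c
#include <stddef.h>

/* Constructed model, not OpenSSH code: a pool of mux contexts with a live
 * flag so releasing an already released context is detected and counted. */
enum chan_type { MUX_LISTENER, MUX_PROXY };   /* stand-ins for SSH_CHANNEL_* */
enum free_policy { FREE_NEVER, FREE_ALWAYS, FREE_LISTENER_ONLY };

struct mux_ctx { int live; };
typedef struct { enum chan_type type; struct mux_ctx *mux_ctx; } Channel;

static struct mux_ctx pool[4];
static int n_alloc, n_double_release;

static struct mux_ctx *ctx_alloc(void) {
    struct mux_ctx *m = &pool[n_alloc++];
    m->live = 1;
    return m;
}

static void ctx_release(struct mux_ctx *m) {
    if (m == NULL) return;
    if (!m->live) { n_double_release++; return; }  /* a real free() here would be UB */
    m->live = 0;
}

/* Mirrors the shape of channel_free(): the policy decides when mux_ctx goes. */
static void channel_free(Channel *c, enum free_policy p) {
    if (p == FREE_ALWAYS || (p == FREE_LISTENER_ONLY && c->type == MUX_LISTENER))
        ctx_release(c->mux_ctx);
    c->mux_ctx = NULL;
}

/* One mux master: the listener owns the context and two proxy channels borrow
 * it (an assumption of this model). Returns 10*leaked + double releases, so 0
 * means every context was released exactly once. */
int simulate(enum free_policy p) {
    n_alloc = 0;
    n_double_release = 0;
    struct mux_ctx *shared = ctx_alloc();
    Channel ch[3] = { {MUX_PROXY, shared}, {MUX_PROXY, shared}, {MUX_LISTENER, shared} };
    for (int i = 0; i < 3; i++)
        channel_free(&ch[i], p);
    int leaked = 0;
    for (int i = 0; i < n_alloc; i++)
        leaked += pool[i].live;
    return 10 * leaked + n_double_release;
}
```

FREE_NEVER reproduces the leak from the report, FREE_ALWAYS reproduces the double release behind the reverted patch, and FREE_LISTENER_ONLY is the shape of the restored fix.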
Comment 4 eiichi.tsukata@nutanix.com 2020-07-03 18:14:07 AEST
The patch and reproducer were originally posted at
 https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-May/038501.html
Comment 5 Darren Tucker 2020-10-02 14:54:59 AEST
Mass close of all bugs fixed in 8.4 release.