Bug 3522 - Crash with "free(): double free detected" with old clients
Summary: Crash with "free(): double free detected" with old clients
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 9.1p1
Hardware: amd64 Linux
Importance: P5 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_9_2
Reported: 2023-01-15 06:45 AEDT by Mantas M. [grawity]
Modified: 2023-03-17 13:42 AEDT

Description Mantas M. [grawity] 2023-01-15 06:45:34 AEDT
I'm investigating a similar issue to #3512 on Arch with OpenSSH 9.1p1 and glibc 2.36-6 and OpenSSL 3.0.7, though I'm not 100% sure if it's the same problem.

The issue is that incoming SSH connections from a modern OpenSSH client work fine, but connections from a somewhat obsolete client (retrocomputing, don't ask) crash with "seccomp violation" for the writev() call -- and after I added it to the allow list, for the tgkill() call.

However, the writev() call in question is this:

[pid 592791] writev(2, [{iov_base="free(): double free detected in tcache 2", iov_len=40}, {iov_base="\n", iov_len=1}], 2) = 41

So the tgkill() probably makes sense as it comes from libc itself, rather than from OpenSSH.

The client in question is PuTTY_Release_0.64, which seems to trigger "compat KEX proposal" in sshd. Version 0.65 doesn't trigger it and doesn't cause a crash.
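A triage helper for the symptom described in the report above (an added example, not code from the reporter or from OpenSSH; the strace lines it parses are constructed to mirror the one quoted in the description): it scans strace output for glibc's heap-consistency message written to stderr and reports it as the root cause when the process is then killed for a seccomp violation on the abort path, so the SIGSYS is not mistaken for the actual bug.

```python
import re

# Constructed sample strace output, modelled on the writev() line in the report
# (not a capture from the reporter's system).
SAMPLE_STRACE = """\
[pid 592791] read(4, "\\0\\0\\0\\x10", 4) = 4
[pid 592791] writev(2, [{iov_base="free(): double free detected in tcache 2", iov_len=40}, {iov_base="\\n", iov_len=1}], 2) = 41
[pid 592791] tgkill(592791, 592791, SIGABRT) = ?
[pid 592791] +++ killed by SIGSYS (core dumped) +++
"""

# A few message prefixes glibc's malloc_printerr() emits before abort(); not exhaustive.
GLIBC_HEAP_PREFIXES = (
    "free(): ", "malloc(): ", "realloc(): ", "munmap_chunk(): ",
    "double free or corruption", "corrupted size vs. prev_size",
)

WRITEV_RE = re.compile(r'writev\((?P<fd>\d+), \[(?P<iovs>.*)\], \d+\)')
IOV_RE = re.compile(r'iov_base="((?:[^"\\]|\\.)*)"')


def stderr_message(line):
    """Return the text a writev() line wrote to fd 2, or None for other lines/fds."""
    m = WRITEV_RE.search(line)
    if not m or m.group("fd") != "2":
        return None
    text = "".join(IOV_RE.findall(m.group("iovs")))
    # strace prints a newline inside iov_base as the two characters backslash-n.
    return text.replace("\\n", "\n").strip()


def triage(strace_text):
    """Return the glibc fatal message that preceded the seccomp kill, else None.

    The kill is recognised either by the tgkill() that abort() issues (the call
    the report saw blocked) or by strace's '+++ killed by SIGSYS' summary line.
    """
    last_fatal = None
    for line in strace_text.splitlines():
        msg = stderr_message(line)
        if msg and msg.startswith(GLIBC_HEAP_PREFIXES):
            last_fatal = msg
        elif "tgkill(" in line or "killed by SIGSYS" in line:
            return last_fatal
    return None


if __name__ == "__main__":
    cause = triage(SAMPLE_STRACE)
    print("root cause:", cause if cause else "no glibc heap error before SIGSYS")
```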
Comment 1 Mantas M. [grawity] 2023-01-15 06:47:23 AEDT
debug2: monitor_read: 8 used once, disabling now
free(): double free detected in tcache 2

Thread 2.1 "sshd" received signal SIGSYS, Bad system call.
[Switching to Thread 0x7ffff7e59780 (LWP 594648)]
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
Downloading 0.00 MB source file /usr/src/debug/glibc/nptl/pthread_kill.c
44            return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
#1  0x00007ffff77c96b3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007ffff7779958 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007ffff776353d in __GI_abort () at abort.c:79
#4  0x00007ffff77bd7ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff78dc44b "%s\n")
    at ../sysdeps/posix/libc_fatal.c:155
#5  0x00007ffff77d33dc in malloc_printerr (str=str@entry=0x7ffff78df058 "free(): double free detected in tcache 2")
    at malloc.c:5660
#6  0x00007ffff77d5737 in _int_free (av=0x7ffff7919ba0 <main_arena>, p=0x5555556c4040, have_lock=have_lock@entry=0)
    at malloc.c:4469
#7  0x00007ffff77d7ba3 in __GI___libc_free (mem=mem@entry=0x5555556c4050) at malloc.c:3385
#8  0x00005555556023b5 in kex_assemble_names (listp=listp@entry=0x55555567bbc8 <options+1224>,
    def=def@entry=0x5555556c2b40 "sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-s"...,
    all=all@entry=0x5555556e01c0 "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group"...)
    at kex.c:315
#9  0x0000555555567768 in assemble_algorithms (o=o@entry=0x55555567b700 <options>) at servconf.c:233
#10 0x000055555556f22e in copy_set_server_options (dst=dst@entry=0x55555567b700 <options>,
    src=src@entry=0x5555556d0d50, preauth=preauth@entry=1) at servconf.c:2658
#11 0x0000555555591859 in mm_getpwnamallow (ssh=<optimized out>, username=<optimized out>) at monitor_wrap.c:336
#12 0x0000555555578e0e in input_userauth_request (type=<optimized out>, seq=<optimized out>, ssh=0x5555556e1f00)
    at auth2.c:286
#13 0x00005555555eb9b7 in ssh_dispatch_run (ssh=ssh@entry=0x5555556e1f00, mode=mode@entry=0,
    done=done@entry=0x5555556e3af0) at dispatch.c:113
#14 0x00005555555ebb1d in ssh_dispatch_run_fatal (ssh=ssh@entry=0x5555556e1f00, mode=mode@entry=0,
    done=done@entry=0x5555556e3af0) at dispatch.c:133
#15 0x0000555555576ce4 in do_authentication2 (ssh=ssh@entry=0x5555556e1f00) at auth2.c:177
#16 0x000055555556295f in main (ac=<optimized out>, av=<optimized out>) at sshd.c:2252
(gdb)
Comment 2 Damien Miller 2023-02-03 00:02:26 AEDT
Thanks for the report. This has been fixed in OpenSSH 9.2, which has just been released.
Comment 3 Damien Miller 2023-03-17 13:42:44 AEDT
OpenSSH 9.3 has been released. Closing resolved bugs.