Debian Bug report logs - #498678
sigdie must not be called from a signal handler context


Package: openssh-server; Maintainer for openssh-server is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-server is src:openssh (PTS, buildd, popcon).

Reported by: Florian Weimer <fw@deneb.enyo.de>

Date: Fri, 12 Sep 2008 09:18:06 UTC

Severity: grave

Tags: etch, security

Found in version 4.3p2-9etch2

Fixed in versions 1:4.3p2-9etch3, openssh/1:4.6p1-1

Done: Florian Weimer <fw@deneb.enyo.de>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#498678; Package openssh-server.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: sigdie must not be called from a signal handler context
Date: Fri, 12 Sep 2008 10:37:53 +0200
Package: openssh-server
Version: 4.3p2-9etch2

This code:

void
sigdie(const char *fmt,...)
{
        va_list args;

        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_FATAL, fmt, args);
        va_end(args);
        _exit(1);
}

is not safe to call from signal handlers (mainly due to snprintf-type
formatting and syslog calls in do_log).  However, it is called from a
signal handler in sshd.c:

/*
 * Signal handler for the alarm after the login grace period has expired.
 */
static void
grace_alarm_handler(int sig)
{
        if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
                kill(pmonitor->m_pid, SIGALRM);

        /* Log error and exit. */
        sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}




Severity set to `important' from `normal' Request was from Peter Palfrader <weasel@debian.org> to control@bugs.debian.org. (Mon, 15 Sep 2008 18:45:12 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#498678; Package openssh-server.


Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.


Message #12 received at 498678@bugs.debian.org:

From: Peter Palfrader <weasel@debian.org>
To: 498678@bugs.debian.org
Cc: 498678-submitter@bugs.debian.org
Subject: locks up sshd processes
Date: Mon, 15 Sep 2008 18:05:27 +0200
Hi,

this bug is affecting debian.org machines in a serious way.

Sometimes sshd's privsep children do not reap their own children.  After
MaxStartup such children have been spawned, sshd will not accept any new
connections.

root      3960  0.0  0.0   4932  1100 ?        Ss   Sep12   0:04 /usr/sbin/sshd
root     27129  0.0  0.0   7440  2728 ?        Ss   12:38   0:00  \_ sshd: debbugs [priv]
sshd     27130  0.0  0.0      0     0 ?        Z    12:38   0:00  |   \_ [sshd] <defunct>

the 27129 sshd is stuck here:

(gdb) bt
#0  0xf7c3acd9 in __lll_mutex_lock_wait () from /lib/tls/libc.so.6
#1  0xf7c2a73c in _L_mutex_lock_285 () from /lib/tls/libc.so.6
#2  0x3694a138 in ?? ()
#3  0x00000020 in ?? ()
#4  0x080cd008 in ?? ()
#5  0x00000400 in ?? ()
#6  0x0808df77 in __func__.12408 ()
#7  0xff94a55c in ?? ()
#8  0xff94a15c in ?? ()
#9  0x00000002 in ?? ()
#10 0xff94a968 in ?? ()
#11 0x08075afa in do_log (level=135057416, fmt=0x1 <Address 0x1 out of bounds>, args=0x20 <Address 0x20 out of bounds>) at ../log.c:364
#12 0x08075afa in do_log (level=SYSLOG_LEVEL_FATAL, fmt=0x8086ae4 "Timeout before authentication for %s", args=0xff94a9a4 "XÅ\r\b@­\224ÿ") at ../log.c:364
#13 0x08075ec3 in sigdie (fmt=0x8086ae4 "Timeout before authentication for %s") at ../log.c:140
#14 0x0804ddc6 in grace_alarm_handler (sig=14) at ../sshd.c:317
#15 <signal handler called>
#16 0xf7c2ee3c in send () from /lib/tls/libc.so.6
#17 0xf7c2a3c2 in vsyslog () from /lib/tls/libc.so.6
#18 0xf7c2a672 in syslog () from /lib/tls/libc.so.6
#19 0x08075b0f in do_log (level=SYSLOG_LEVEL_INFO, fmt=0x808a150 "%s %s for %s%.100s from %.200s port %d%s", args=0xff94b5c4 "Ý\237\b\bIÃ\b\bnÛ\b\b\020_\r\bXÅ\r\b~€") at ../log.c:365
#20 0x08075e63 in logit (fmt=0x808a150 "%s %s for %s%.100s from %.200s port %d%s") at ../log.c:154
#21 0x08057280 in auth_log (authctxt=0x80d5928, authenticated=1, method=0x808c349 "publickey", info=0x808a86c " ssh2") at ../auth.c:246
#22 0x08062f3b in monitor_child_preauth (_authctxt=0x80d5928, pmonitor=0x80d5fc8) at ../monitor.c:365
#23 0x080508a8 in main (ac=2, av=<value optimized out>) at ../sshd.c:605


I don't know if this lockup condition is triggerable in a reliable way
by (local or remote and/or unauthenticated) users but even if not it
happened several times on rietz.d.o, requiring DSA intervention using
OOB access to the system.

This is really an issue that should be fixed for lenny (if present), and
maybe even for etch, still.

Cheers,
weasel
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/




Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.


Severity set to `grave' from `important' Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Mon, 15 Sep 2008 19:27:09 GMT)


Tags added: security Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Mon, 15 Sep 2008 19:27:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#498678; Package openssh-server.


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.


Message #24 received at 498678@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Peter Palfrader <weasel@debian.org>
Cc: 498678@bugs.debian.org, 498678-submitter@bugs.debian.org
Subject: Re: Bug#498678: locks up sshd processes
Date: Mon, 15 Sep 2008 21:11:48 +0100
On Mon, Sep 15, 2008 at 06:05:27PM +0200, Peter Palfrader wrote:
> This is really an issue that should be fixed for lenny (if present), and
> maybe even for etch, still.

I think this is fixed in lenny already. The current sigdie function
reads:

void
sigdie(const char *fmt,...)
{
#ifdef DO_LOG_SAFE_IN_SIGHAND
        va_list args;

        va_start(args, fmt);
        do_log(SYSLOG_LEVEL_FATAL, fmt, args);
        va_end(args);
#endif
        _exit(1);
}

defines.h has:

#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \
    defined(SYSLOG_R_SAFE_IN_SIGHAND)
# define DO_LOG_SAFE_IN_SIGHAND
#endif

The easiest element of this conjunction to check is
SYSLOG_R_SAFE_IN_SIGHAND, which configure only defines on OpenBSD.

-- 
Colin Watson                                       [cjwatson@debian.org]
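
The two messages above describe the same rule from both sides: Florian's report shows why sigdie() (do_log, vsnprintf, syslog) cannot run inside a signal handler, and the lenny sigdie() quoted here fixes it by compiling the logging out unless the platform's syslog_r() is known to be signal-safe. The following is an added example, not OpenSSH code and not from either poster, of how to keep a "log and die" handler like grace_alarm_handler() async-signal-safe on a platform without syslog_r(): the message is formatted once outside signal context, and the handler itself calls only write(2) and _exit(2), which POSIX lists as async-signal-safe. All names (prepare_grace_message, grace_log_fd, safe_grace_alarm_handler, install_grace_handler) are hypothetical, and logging to a plain file descriptor instead of syslog is an assumption of the example.

```c
/*
 * Added example, not OpenSSH code: an async-signal-safe way to do what
 * grace_alarm_handler() does. The message is formatted into a static
 * buffer in normal context (e.g. right after accept()), so the handler
 * never calls syslog(), vsnprintf() or malloc() and cannot block on a
 * lock the interrupted code holds (the __lll_mutex_lock_wait seen in
 * the backtrace). All names here are hypothetical.
 */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <unistd.h>

#define GRACE_MSG_MAX 128

static char grace_msg[GRACE_MSG_MAX];
static size_t grace_msg_len;
static int grace_log_fd = STDERR_FILENO;   /* assumption: plain fd, not syslog */

/*
 * Format "Timeout before authentication for <ip>\n" into the static
 * buffer. Never called from the handler. Returns the message length, or
 * 0 if it would not fit, in which case the handler writes nothing.
 * Byte loops are used instead of snprintf() so nothing here needs to be
 * signal-safe either way.
 */
size_t prepare_grace_message(const char *ip)
{
    static const char prefix[] = "Timeout before authentication for ";
    const size_t plen = sizeof(prefix) - 1;
    size_t ilen = 0, i;

    while (ip[ilen] != '\0')
        ilen++;
    if (plen + ilen + 1 > GRACE_MSG_MAX) {
        grace_msg_len = 0;
        return 0;
    }
    for (i = 0; i < plen; i++)
        grace_msg[i] = prefix[i];
    for (i = 0; i < ilen; i++)
        grace_msg[plen + i] = ip[i];
    grace_msg[plen + ilen] = '\n';
    grace_msg_len = plen + ilen + 1;
    return grace_msg_len;
}

/* Compare the staged message byte-for-byte with an expected string. */
int grace_message_equals(const char *expected)
{
    size_t i;

    for (i = 0; i < grace_msg_len; i++)
        if (expected[i] == '\0' || expected[i] != grace_msg[i])
            return 0;
    return expected[i] == '\0';
}

/* Signal handler: only async-signal-safe calls, then terminate. */
static void safe_grace_alarm_handler(int sig)
{
    (void)sig;
    if (grace_msg_len > 0) {
        /* write() may be short or fail with EINTR; a dying handler can
         * do nothing useful about that, so the result is ignored. */
        (void)write(grace_log_fd, grace_msg, grace_msg_len);
    }
    _exit(1);
}

/* Install the SIGALRM handler and arm the grace timer; -1 on error. */
int install_grace_handler(unsigned int grace_seconds)
{
    struct sigaction sa;

    sa.sa_handler = safe_grace_alarm_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    if (sigaction(SIGALRM, &sa, NULL) == -1)
        return -1;
    alarm(grace_seconds);
    return 0;
}

int main(void)
{
    /* Constructed sample: pretend a client from 192.0.2.1 connected. */
    if (prepare_grace_message("192.0.2.1") == 0)
        return 2;
    if (install_grace_handler(1) == -1)
        return 2;
    /* Stand-in for the authentication loop: block until the alarm
     * fires; the handler then writes the message and _exit()s with 1. */
    for (;;)
        pause();
}
```

Where the message cannot be staged in advance (for example because it must include state that changes until the moment of the timeout), the other safe pattern is for the handler to do nothing but set a `volatile sig_atomic_t` flag and let the main loop, once it notices the flag, call the normal logging path and exit. Either way the point is the same as the lenny DO_LOG_SAFE_IN_SIGHAND conditional: on a platform whose syslog() takes a process-wide lock, the handler must not call it.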




Tags added: etch Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org. (Mon, 15 Sep 2008 20:15:07 GMT)


Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#498678; Package openssh-server.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.


Message #34 received at 498678@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Colin Watson <cjwatson@debian.org>
Cc: Peter Palfrader <weasel@debian.org>, 498678@bugs.debian.org, 498678-submitter@bugs.debian.org
Subject: Re: Bug#498678: locks up sshd processes
Date: Mon, 15 Sep 2008 22:26:11 +0200
* Colin Watson:

> On Mon, Sep 15, 2008 at 06:05:27PM +0200, Peter Palfrader wrote:
>> This is really an issue that should be fixed for lenny (if present), and
>> maybe even for etch, still.
>
> I think this is fixed in lenny already. The current sigdie function
> reads:

Yupp, the problem results from a broken patch which attempted to fix
CVE-2006-5051.  I'm currently preparing an update for stable.




Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#498678; Package openssh-server.


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.


Message #42 received at 498678@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Florian Weimer <fw@deneb.enyo.de>, 498678@bugs.debian.org
Cc: Peter Palfrader <weasel@debian.org>, 498678-submitter@bugs.debian.org
Subject: Re: Bug#498678: locks up sshd processes
Date: Tue, 16 Sep 2008 01:09:11 +0100
On Mon, Sep 15, 2008 at 10:26:11PM +0200, Florian Weimer wrote:
> * Colin Watson:
> > On Mon, Sep 15, 2008 at 06:05:27PM +0200, Peter Palfrader wrote:
> >> This is really an issue that should be fixed for lenny (if present), and
> >> maybe even for etch, still.
> >
> > I think this is fixed in lenny already. The current sigdie function
> > reads:
> 
> Yupp, the problem results from a broken patch which attempted to fix
> CVE-2006-5051.  I'm currently preparing an update for stable.

Thanks, much appreciated.

-- 
Colin Watson                                       [cjwatson@debian.org]




Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.


Bug marked as fixed in version 1:4.3p2-9etch3, send any further explanations to Florian Weimer <fw@deneb.enyo.de> Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Wed, 17 Sep 2008 09:12:05 GMT)


Bug marked as fixed in version 1:4.6p1-1, send any further explanations to Florian Weimer <fw@deneb.enyo.de> Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Wed, 17 Sep 2008 09:12:06 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 16 Oct 2008 07:32:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:12:53 2025; Machine Name: buxtehude
