Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Subject: sigdie must not be called from a signal handler context
Date: Fri, 12 Sep 2008 10:37:53 +0200
Package: openssh-server
Version: 4.3p2-9etch2
This code:
void
sigdie(const char *fmt,...)
{
	va_list args;

	va_start(args, fmt);
	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
	va_end(args);
	_exit(1);
}
is not safe to call from signal handlers (mainly due to snprintf-type
formatting and syslog calls in do_log). However, it is called from a
signal handler in sshd.c:
/*
 * Signal handler for the alarm after the login grace period has expired.
 */
static void
grace_alarm_handler(int sig)
{
	if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0)
		kill(pmonitor->m_pid, SIGALRM);

	/* Log error and exit. */
	sigdie("Timeout before authentication for %s", get_remote_ipaddr());
}
Severity set to `important' from `normal'
Request was from Peter Palfrader <weasel@debian.org>
to control@bugs.debian.org.
(Mon, 15 Sep 2008 18:45:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>: Bug#498678; Package openssh-server.
Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Hi,
this bug is affecting debian.org machines in a serious way.
Sometimes sshd's privsep children do not reap their own children. After
MaxStartups such children have been spawned, sshd will not accept any new
connections.
root 3960 0.0 0.0 4932 1100 ? Ss Sep12 0:04 /usr/sbin/sshd
root 27129 0.0 0.0 7440 2728 ? Ss 12:38 0:00 \_ sshd: debbugs [priv]
sshd 27130 0.0 0.0 0 0 ? Z 12:38 0:00 | \_ [sshd] <defunct>
the 27129 sshd is stuck here:
(gdb) bt
#0 0xf7c3acd9 in __lll_mutex_lock_wait () from /lib/tls/libc.so.6
#1 0xf7c2a73c in _L_mutex_lock_285 () from /lib/tls/libc.so.6
#2 0x3694a138 in ?? ()
#3 0x00000020 in ?? ()
#4 0x080cd008 in ?? ()
#5 0x00000400 in ?? ()
#6 0x0808df77 in __func__.12408 ()
#7 0xff94a55c in ?? ()
#8 0xff94a15c in ?? ()
#9 0x00000002 in ?? ()
#10 0xff94a968 in ?? ()
#11 0x08075afa in do_log (level=135057416, fmt=0x1 <Address 0x1 out of bounds>, args=0x20 <Address 0x20 out of bounds>) at ../log.c:364
#12 0x08075afa in do_log (level=SYSLOG_LEVEL_FATAL, fmt=0x8086ae4 "Timeout before authentication for %s", args=0xff94a9a4 "XÅ\r\b@\224ÿ") at ../log.c:364
#13 0x08075ec3 in sigdie (fmt=0x8086ae4 "Timeout before authentication for %s") at ../log.c:140
#14 0x0804ddc6 in grace_alarm_handler (sig=14) at ../sshd.c:317
#15 <signal handler called>
#16 0xf7c2ee3c in send () from /lib/tls/libc.so.6
#17 0xf7c2a3c2 in vsyslog () from /lib/tls/libc.so.6
#18 0xf7c2a672 in syslog () from /lib/tls/libc.so.6
#19 0x08075b0f in do_log (level=SYSLOG_LEVEL_INFO, fmt=0x808a150 "%s %s for %s%.100s from %.200s port %d%s", args=0xff94b5c4 "Ý\237\b\bIÃ\b\bnÛ\b\b\020_\r\bXÅ\r\b~€") at ../log.c:365
#20 0x08075e63 in logit (fmt=0x808a150 "%s %s for %s%.100s from %.200s port %d%s") at ../log.c:154
#21 0x08057280 in auth_log (authctxt=0x80d5928, authenticated=1, method=0x808c349 "publickey", info=0x808a86c " ssh2") at ../auth.c:246
#22 0x08062f3b in monitor_child_preauth (_authctxt=0x80d5928, pmonitor=0x80d5fc8) at ../monitor.c:365
#23 0x080508a8 in main (ac=2, av=<value optimized out>) at ../sshd.c:605
I don't know if this lockup condition is triggerable in a reliable way
by (local or remote and/or unauthenticated) users, but even if not, it
happened several times on rietz.d.o, requiring DSA intervention using
OOB access to the system.
This is really an issue that should be fixed for lenny (if present), and
maybe even for etch, still.
Cheers,
weasel
--
| .''`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/
Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.
Severity set to `grave' from `important'
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org.
(Mon, 15 Sep 2008 19:27:09 GMT)
Tags added: security
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org.
(Mon, 15 Sep 2008 19:27:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>: Bug#498678; Package openssh-server.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
On Mon, Sep 15, 2008 at 06:05:27PM +0200, Peter Palfrader wrote:
> This is really an issue that should be fixed for lenny (if present), and
> maybe even for etch, still.
I think this is fixed in lenny already. The current sigdie function
reads:
void
sigdie(const char *fmt,...)
{
#ifdef DO_LOG_SAFE_IN_SIGHAND
	va_list args;

	va_start(args, fmt);
	do_log(SYSLOG_LEVEL_FATAL, fmt, args);
	va_end(args);
#endif
	_exit(1);
}
defines.h has:
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) && \
    defined(SYSLOG_R_SAFE_IN_SIGHAND)
# define DO_LOG_SAFE_IN_SIGHAND
#endif
The easiest element of this conjunction to check is
SYSLOG_R_SAFE_IN_SIGHAND, which configure only defines on OpenBSD.
--
Colin Watson [cjwatson@debian.org]
Tags added: etch
Request was from Colin Watson <cjwatson@debian.org>
to control@bugs.debian.org.
(Mon, 15 Sep 2008 20:15:07 GMT)
Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>: Bug#498678; Package openssh-server.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
Cc: Peter Palfrader <weasel@debian.org>, 498678@bugs.debian.org, 498678-submitter@bugs.debian.org
Subject: Re: Bug#498678: locks up sshd processes
Date: Mon, 15 Sep 2008 22:26:11 +0200
* Colin Watson:
> On Mon, Sep 15, 2008 at 06:05:27PM +0200, Peter Palfrader wrote:
>> This is really an issue that should be fixed for lenny (if present), and
>> maybe even for etch, still.
>
> I think this is fixed in lenny already. The current sigdie function
> reads:
Yupp, the problem results from a broken patch which attempted to fix
CVE-2006-5051. I'm currently preparing an update for stable.
Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>: Bug#498678; Package openssh-server.
Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>.
To: Florian Weimer <fw@deneb.enyo.de>, 498678@bugs.debian.org
Cc: Peter Palfrader <weasel@debian.org>, 498678-submitter@bugs.debian.org
Subject: Re: Bug#498678: locks up sshd processes
Date: Tue, 16 Sep 2008 01:09:11 +0100
On Mon, Sep 15, 2008 at 10:26:11PM +0200, Florian Weimer wrote:
> * Colin Watson:
> > On Mon, Sep 15, 2008 at 06:05:27PM +0200, Peter Palfrader wrote:
> >> This is really an issue that should be fixed for lenny (if present), and
> >> maybe even for etch, still.
> >
> > I think this is fixed in lenny already. The current sigdie function
> > reads:
>
> Yupp, the problem results from a broken patch which attempted to fix
> CVE-2006-5051. I'm currently preparing an update for stable.
Thanks, much appreciated.
--
Colin Watson [cjwatson@debian.org]
Message sent on to Florian Weimer <fw@deneb.enyo.de>:
Bug#498678.
Bug marked as fixed in version 1:4.3p2-9etch3, send any further explanations to Florian Weimer <fw@deneb.enyo.de>
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org.
(Wed, 17 Sep 2008 09:12:05 GMT)
Bug marked as fixed in version 1:4.6p1-1, send any further explanations to Florian Weimer <fw@deneb.enyo.de>
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org.
(Wed, 17 Sep 2008 09:12:06 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 16 Oct 2008 07:32:25 GMT)