NetBSD Problem Report #50936

From www@NetBSD.org  Thu Mar 10 23:05:50 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 9F13D7ABD3
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 10 Mar 2016 23:05:50 +0000 (UTC)
Message-Id: <20160310230549.B45897AC07@mollari.NetBSD.org>
Date: Thu, 10 Mar 2016 23:05:49 +0000 (UTC)
From: coypu@sdf.org
Reply-To: coypu@sdf.org
To: gnats-bugs@NetBSD.org
Subject: security/openssh segfaults on NetBSD-current
X-Send-Pr-Version: www-1.0

>Number:         50936
>Category:       pkg
>Synopsis:       security/openssh segfaults on NetBSD-current
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    pkg-manager
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Mar 10 23:10:00 +0000 2016
>Closed-Date:    Fri Jun 10 23:21:14 +0000 2016
>Last-Modified:  Fri Jun 10 23:21:14 +0000 2016
>Originator:     coypu
>Release:        pkgsrc-current
>Organization:
>Environment:
NetBSD net.Home 7.99.26 NetBSD 7.99.26 (GENERIC) #0: Thu Mar 10 00:50:19 IST 2016  fly@net.Home:/home/fly/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
Build security/openssh.
Try to run /usr/pkg/bin/ssh user@host where host is valid.
Get segfault.

Base openssl.

I don't think this is a package bug because this package has not seen many changes recently, whereas openssl in base has.
Even reverting the latest change does not fix this problem.
>How-To-Repeat:

>Fix:

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/50936: security/openssh segfaults on NetBSD-current
Date: Fri, 11 Mar 2016 09:18:22 +0100

 This may be completely unrelated, but just to knock out one likely
 culprit: what source date did you use to build your userland? Both
 gcc and binutils in -current are not working well currently since a
 few days.

 Martin

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/50936: security/openssh segfaults on NetBSD-current
Date: Fri, 11 Mar 2016 15:17:33 +0100

 I can reproduce it.

 #0  _reallocarr (ptr=ptr@entry=0x7f7fffff7928, number=1, size=40)
     at /usr/src/lib/libc/stdlib/reallocarr.c:63
 #1  0x00007f7ff624543e in reallocarray (optr=0x0, nmemb=<optimized out>, 
     size=size@entry=40) at /usr/src/lib/libc/stdlib/reallocarray.c:46
 #2  0x000000000042d269 in record_hostkey (l=l@entry=0x7f7fffff79f0, 
     _ctx=_ctx@entry=0x7f7fffffbb00) at hostfile.c:255
 #3  0x000000000042df3f in hostkeys_foreach (
     path=path@entry=0x7f7ff7b3a7e0 "/home/martin/.ssh/known_hosts", 
     callback=callback@entry=0x42d1f0 <record_hostkey>, 
     ctx=ctx@entry=0x7f7fffffbb00, host=host@entry=0x7f7ff7b01168 "emmas", 
     ip=ip@entry=0x0, options=options@entry=3) at hostfile.c:846
 #4  0x000000000042e349 in load_hostkeys (
     hostkeys=hostkeys@entry=0x7f7ff7b260e0, host=0x7f7ff7b01168 "emmas", 
     path=0x7f7ff7b3a7e0 "/home/martin/.ssh/known_hosts") at hostfile.c:281
 #5  0x000000000041503b in order_hostkeyalgs (port=<optimized out>, 
     hostaddr=0x6988a0 <hostaddr>, 
     host=0x6973d8 <options+504> "৳\367\177\177") at sshconnect2.c:115
 #6  ssh_kex2 (host=host@entry=0x7f7ff7b01160 "emmas", 
     hostaddr=hostaddr@entry=0x6988a0 <hostaddr>, port=port@entry=22)
     at sshconnect2.c:192


 and the pointer that comes out of the reallocarr is not valid.

 Martin

From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/50936: security/openssh segfaults on NetBSD-current
Date: Fri, 11 Mar 2016 15:27:59 +0100

 The pointer returned indirectly is ok:

 > #0  _reallocarr (ptr=ptr@entry=0x7f7fffff7928, number=1, size=40)
 >     at /usr/src/lib/libc/stdlib/reallocarr.c:63
 > #1  0x00007f7ff624543e in reallocarray (optr=0x0, nmemb=<optimized out>, 
 >     size=size@entry=40) at /usr/src/lib/libc/stdlib/reallocarray.c:46

 until here, I get for example: $15 = (void *) 0x7f7ff7b32080
 but then back in record_hostkey:

 > #2  0x000000000042d269 in record_hostkey (l=l@entry=0x7f7fffff79f0, 
 >     _ctx=_ctx@entry=0x7f7fffffbb00) at hostfile.c:255

 it is assigned to "tmp" and that is sign extended from 32bit to 64:

 (gdb) p tmp
 $20 = (struct hostkey_entry *) 0xfffffffff7b32080

 and then of course it dies.

 Martin

Responsible-Changed-From-To: lib-bug-people->pkg-manager
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Fri, 11 Mar 2016 14:49:20 +0000
Responsible-Changed-Why:
Not a base system issue, bogus configure script.


From: Martin Husemann <martin@duskware.de>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/50936: security/openssh segfaults on NetBSD-current
Date: Fri, 11 Mar 2016 15:48:33 +0100

 The configure detects our reallocarray and defines HAVE_REALLOCARRAY, which
 then hides all of the pkg internal prototypes.

 Our own prototypes are hidden due to missing _OPENBSD_SOURCE.

 Warnings/Werror are not tuned high enough to make the build fail.

 Martin

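The mechanism Martin describes above (a pointer-returning function called without a visible prototype, so the compiler assumes an `int` return and the pointer is truncated to 32 bits and sign-extended on the way back) can be modelled deterministically. The following is an added example and not code from the PR, from OpenSSH or from NetBSD libc: it reproduces the round trip on the raw pointer bits gdb showed, checks whether a given pointer would survive it, and pairs that with a properly prototyped `compat_reallocarray` helper (a hypothetical name, modelled on the OpenBSD-style overflow check) of the kind OpenSSH falls back to when the configure check is forced off.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not from the PR or from OpenSSH/NetBSD sources).
 * Models what happens when reallocarray() is called without a visible
 * prototype on an LP64 platform: the compiler assumes the implicit "int"
 * return type, keeps only the low 32 bits of the returned pointer, and
 * sign-extends them back to 64 bits when assigning to a pointer variable. */

/* Bit pattern of the pointer libc actually returned in the PR ($15). */
#define GOOD_PTR_BITS  0x7f7ff7b32080ULL
/* Bit pattern gdb showed in "tmp" after the implicit-int round trip ($20). */
#define BAD_PTR_BITS   0xfffffffff7b32080ULL

/* Simulate the implicit-int round trip on the raw pointer bits. */
uint64_t implicit_int_roundtrip(uint64_t ptr_bits)
{
    int32_t as_int = (int32_t)(uint32_t)ptr_bits;  /* truncate to 32 bits */
    int64_t widened = (int64_t)as_int;             /* sign-extend to 64 bits */
    return (uint64_t)widened;
}

/* Returns 1 when the pointer would survive the round trip, 0 when it
 * would be corrupted (any address with bit 31 set, or above 4 GiB). */
int pointer_survives_implicit_int(uint64_t ptr_bits)
{
    return implicit_int_roundtrip(ptr_bits) == ptr_bits;
}

/* A properly prototyped reallocarray-style helper (hypothetical name,
 * chosen to avoid clashing with a libc reallocarray). The overflow check
 * follows the OpenBSD pattern: only divide when both operands are large
 * enough for nmemb * size to possibly exceed SIZE_MAX. */
void *compat_reallocarray(void *optr, size_t nmemb, size_t size)
{
    const size_t mul_no_overflow = (size_t)1 << (sizeof(size_t) * 4);

    if ((nmemb >= mul_no_overflow || size >= mul_no_overflow) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(optr, size * nmemb);
}

/* Allocate a record array the way the PR's backtrace did (number=1,
 * size=40), through the prototyped helper. Returns the number of bytes
 * obtained, or 0 on allocation failure. */
size_t allocate_hostkey_entries(size_t count, size_t entry_size)
{
    void *p = compat_reallocarray(NULL, count, entry_size);
    if (p == NULL)
        return 0;
    memset(p, 0, count * entry_size);
    free(p);
    return count * entry_size;
}

int main(void)
{
    printf("libc returned      0x%016llx\n", (unsigned long long)GOOD_PTR_BITS);
    printf("after implicit int 0x%016llx (%s)\n",
           (unsigned long long)implicit_int_roundtrip(GOOD_PTR_BITS),
           pointer_survives_implicit_int(GOOD_PTR_BITS) ? "ok" : "corrupted");
    printf("prototyped helper got %zu bytes\n", allocate_hostkey_entries(1, 40));
    return 0;
}
```

The point of the comparison is that the corruption depends entirely on whether a prototype is in scope at the call site, which is why a configure script that defines HAVE_REALLOCARRAY while the system header keeps the declaration behind a feature macro produces a build that compiles and links but dies at run time; building with implicit-declaration warnings promoted to errors catches it at compile time instead.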
From: Alexander Nasonov <alnsn@yandex.ru>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, lib-bug-people@netbsd.org,
	pkgsrc-bugs@netbsd.org, gnats-admin@netbsd.org, martin@NetBSD.org,
	coypu@sdf.org
Subject: Re: pkg/50936 (security/openssh segfaults on NetBSD-current)
Date: Fri, 10 Jun 2016 20:27:10 +0100

 martin@NetBSD.org wrote:
 > Not a base system issue, bogus configure script.

 This line in Makefile helps:

 CONFIGURE_ENV+=         ac_cv_func_reallocarray=no

 Alex

State-Changed-From-To: open->closed
State-Changed-By: alnsn@NetBSD.org
State-Changed-When: Fri, 10 Jun 2016 23:21:14 +0000
State-Changed-Why:
Fixed.


>Unformatted:
