NetBSD Problem Report #53012

From martin@duskware.de  Mon Feb 12 12:05:07 2018
Return-Path: <martin@duskware.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id F2D167A1B7
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 12 Feb 2018 12:05:06 +0000 (UTC)
From: martin@NetBSD.org
Reply-To: martin@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: ssh crashes due to openssl version mismatch
X-Send-Pr-Version: 3.95

>Number:         53012
>Category:       bin
>Synopsis:       ssh crashes after openssh version compat changes
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    christos
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 12 12:10:00 +0000 2018
>Closed-Date:    Tue Feb 13 09:57:16 +0000 2018
>Last-Modified:  Tue Feb 13 09:57:16 +0000 2018
>Originator:     Martin Husemann
>Release:        NetBSD 8.99.12
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD thirdstage.duskware.de 8.99.12 NetBSD 8.99.12 (MODULAR) #62: Mon Feb 12 12:18:53 CET 2018 martin@thirdstage.duskware.de:/usr/src/sys/arch/sparc64/compile/MODULAR sparc64
Architecture: sparc64
Machine: sparc64
>Description:

Running ssh against certain machines crashes on sparc64 after authentication:

debug1: Local version string SSH-2.0-OpenSSH_7.6 NetBSD_Secure_Shell-20171007
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8 NetBSD_Secure_Shell-20150403-hpn13v14-lpk
debug1: match: OpenSSH_6.8 NetBSD_Secure_Shell-20150403-hpn13v14-lpk pat OpenSSH* compat 0x04000000
debug1: Authenticating to xxxxx.xxxxxx.xxxx:22 as 'martin'

Program received signal SIGSEGV, Segmentation fault.
BN_num_bits (a=0x0)
    at /usr/src/crypto/external/bsd/openssl.old/dist/crypto/bn/bn_lib.c:219
219         int i = a->top - 1;
#0  BN_num_bits (a=0x0)
    at /usr/src/crypto/external/bsd/openssl.old/dist/crypto/bn/bn_lib.c:219
#1  0x0000000041f23f1c in sshkey_size (k=k@entry=0x42c18180)
    at /usr/src/crypto/external/bsd/openssh/dist/sshkey.c:261
#2  0x0000000041f44990 in hostfile_read_key (cpp=0xffffffffffff6ef0, 
    bitsp=bitsp@entry=0xffffffffffff6ee0, ret=0x42c18180)
    at /usr/src/crypto/external/bsd/openssh/dist/hostfile.c:183
#3  0x0000000041f45558 in hostkeys_foreach (
    path=path@entry=0x42c4b280 "/etc/ssh/ssh_known_hosts", 
    callback=0x41f43e00 <record_hostkey>, ctx=ctx@entry=0xffffffffffffb0a8, 
    host=host@entry=0x42c22110 "cvs.netbsd.org", ip=ip@entry=0x0, 
    options=options@entry=3)
    at /usr/src/crypto/external/bsd/openssh/dist/hostfile.c:780
#4  0x0000000041f45740 in load_hostkeys (hostkeys=hostkeys@entry=0x42c22120, 
    host=0x42c22110 "cvs.netbsd.org", 
    path=0x42c4b280 "/etc/ssh/ssh_known_hosts")
    at /usr/src/crypto/external/bsd/openssh/dist/hostfile.c:281
#5  0x0000000000123528 in order_hostkeyalgs (port=<optimized out>, 
    hostaddr=0x242e78 <hostaddr>, host=0x42c22100 "cvs.netbsd.org")
    at /usr/src/crypto/external/bsd/openssh/dist/sshconnect2.c:126

(gdb) up
#1  0x0000000041f23f1c in sshkey_size (k=k@entry=0x42c18180)
    at /usr/src/crypto/external/bsd/openssh/dist/sshkey.c:261
261                     return BN_num_bits(k->rsa->p);
(gdb) list
256             case KEY_RSA:
257             case KEY_RSA_CERT:
258     #if OPENSSL_VERSION_NUMBER >= 0x10100000UL
259                     return RSA_bits(k->rsa);
260     #else
261                     return BN_num_bits(k->rsa->p);
262     #endif
(gdb) p *k->rsa
$8 = {pad = 0, version = 0, meth = 0x4244f290, engine = 0x0, n = 0x42c4b4a0, 
  e = 0x42c4b480, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1 = 0x0, 
  iqmp = 0x0, ex_data = {sk = 0x0, dummy = 0}, references = 1, flags = 6, 
  _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0, 
  bignum_data = 0x0, blinding = 0x0, mt_blinding = 0x0}
(gdb) p k->rsa->p
$9 = (BIGNUM *) 0x0



>How-To-Repeat:
Available on request. Basically: "ssh -v $somemachine" does it for me. Works
fine with other machines.

>Fix:
n/a

>Release-Note:

>Audit-Trail:
From: Martin Husemann <martin@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/53012: ssh crashes due to openssl version mismatch
Date: Mon, 12 Feb 2018 14:51:47 +0000

 I can reproduce this on evbarm as well.

 Martin

From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/53012 CVS commit: src/crypto/external/bsd/openssh/dist
Date: Tue, 13 Feb 2018 09:51:33 +0000

 Module Name:	src
 Committed By:	martin
 Date:		Tue Feb 13 09:51:33 UTC 2018

 Modified Files:
 	src/crypto/external/bsd/openssh/dist: sshkey.c

 Log Message:
 Fix copy & pasto (dsa code vs. rsa code) in previous, fixes PR lib/53012
 and recentish sshfs test failures.


 To generate a diff of this commit:
 cvs rdiff -u -r1.12 -r1.13 src/crypto/external/bsd/openssh/dist/sshkey.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

Responsible-Changed-From-To: lib-bug-people->christos
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Tue, 13 Feb 2018 09:57:16 +0000
Responsible-Changed-Why:
Christos' change caused it, better keep track of this for upstreaming the change


State-Changed-From-To: open->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Tue, 13 Feb 2018 09:57:16 +0000
State-Changed-Why:
Fixed


>Unformatted:
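
Added illustration (not part of the PR and not the committed diff, which the page does not show): why sizing an RSA key through p fails for a key read from known_hosts, where only n and e are set as in the gdb dump above. The types and values are constructed stand-ins, and sizing by the modulus n is an assumption about the corrected code based on the "dsa code vs. rsa code" log message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for OpenSSL 1.0.x BIGNUM and RSA (not the real types). */
typedef struct { int top; uint32_t d[4]; } bn_t;   /* top = words in use */
typedef struct { bn_t *n, *e, *d, *p, *q; } rsa_t;

/* Bit length of a bignum. The real BN_num_bits() reads a->top without a
 * check, which is the SIGSEGV in frame #0; here NULL is reported as -1. */
static int bn_num_bits(const bn_t *a)
{
    if (a == NULL)
        return -1;
    if (a->top == 0)
        return 0;
    int bits = 0;
    for (uint32_t w = a->d[a->top - 1]; w != 0; w >>= 1)
        bits++;
    return (a->top - 1) * 32 + bits;
}

/* Shape of sshkey.c:261 in the report: size an RSA key by its prime p. */
static int rsa_bits_via_p(const rsa_t *r) { return r ? bn_num_bits(r->p) : -1; }

/* Assumed corrected form: size by the modulus n, present in every RSA key. */
static int rsa_bits_via_n(const rsa_t *r) { return r ? bn_num_bits(r->n) : -1; }

/* Constructed toy values (not a real key): 64-bit modulus, 32-bit factor. */
static bn_t N = { 2, { 0x00000001u, 0x80000000u } };
static bn_t E = { 1, { 65537u } };
static bn_t D = { 2, { 0x12345678u, 0x00000001u } };
static bn_t P = { 1, { 0xC0000001u } };
static bn_t Q = { 1, { 0xA0000001u } };

/* A known_hosts entry carries only n and e, as in the gdb dump of *k->rsa. */
static rsa_t public_key(void)  { rsa_t r = { &N, &E, NULL, NULL, NULL }; return r; }
static rsa_t private_key(void) { rsa_t r = { &N, &E, &D, &P, &Q }; return r; }

int main(void)
{
    rsa_t pub = public_key(), priv = private_key();
    printf("public  key: via p = %d, via n = %d\n", rsa_bits_via_p(&pub), rsa_bits_via_n(&pub));
    printf("private key: via p = %d, via n = %d\n", rsa_bits_via_p(&priv), rsa_bits_via_n(&priv));
    return 0;
}
```

Even where p is present (a private key), it is one prime factor and yields about half the modulus length; for DSA, p is the prime modulus, so the same expression gives the key size there.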
