Wind River Support Network

Fixed

LIN1018-4216 : OpenSSH sshd crashes during login

Created: Jun 5, 2019    Updated: Apr 12, 2021
Resolved Date: Jun 16, 2019
Found In Version: 10.18.44.7
Fix Version: 10.18.44.8
Severity: Severe
Applicable for: Wind River Linux LTS 18
Component/s: Userspace

Description

*Result:*
After a while sshd crashes.

*Additional info:*
Same issue, but different code segment, already reported in PSA 00059131.

Defect LIN8-4535 - "openssh can crash due to -ftrapv compiling option":
https://support2.windriver.com/index.php?page=defects&on=view&id=LIN8-4535

*Analysis:* Viewing the core dump:

(gdb) bt
#0  __libc_do_syscall () at libc-do-syscall.S:49
#1  0xb6bdad28 in __libc_signal_restore_set (set=0xbed12e20) at ../sysdeps/unix/sysv/linux/internal-signals.h:84
#2  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xb6bcc164 in __GI_abort () at abort.c:79
#4  0x7f5d4c36 in __subvsi3 (a=<optimized out>, b=<optimized out>)
    at ../../../../../../../work-shared/gcc-8.2.0-r0/gcc-8.2.0/libgcc/libgcc2.c:119
#5  0x7f5d383e in strlcat (
    dst=dst@entry=0x7fffffb8 "umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com", 
    src=src@entry=0x7f5d56fc ",", siz=0, siz@entry=109) at strlcat.c:46
#6  0x7f5c5f8e in kex_names_cat (a=<optimized out>, b=<optimized out>) at kex.c:194
#7  0x7f5c60f0 in kex_assemble_names (listp=listp@entry=0x7f617e64 <options+1148>, def=<optimized out>, 
    all=all@entry=0x7ffff8e0 "hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hm"...)
    at kex.c:269
#8  0x7f5864a4 in assemble_algorithms (o=o@entry=0x7f6179e8 <options>) at servconf.c:207
#9  0x7f58a2b4 in copy_set_server_options (dst=dst@entry=0x7f6179e8 <options>, src=src@entry=0x7fffe5a8, 
    preauth=preauth@entry=1) at servconf.c:2324
#10 0x7f59b3f4 in mm_getpwnamallow (username=username@entry=0x7fffb170 "root") at monitor_wrap.c:334
#11 0x7f58f1c6 in input_userauth_request (type=<optimized out>, seq=<optimized out>, ssh=0x7fff6060) at auth2.c:276
#12 0x7f5bd834 in ssh_dispatch_run (ssh=ssh@entry=0x7fff6060, mode=mode@entry=0, done=done@entry=0x7fff7510)
    at dispatch.c:113
#13 0x7f5bd8ca in ssh_dispatch_run_fatal (ssh=ssh@entry=0x7fff6060, mode=mode@entry=0, done=done@entry=0x7fff7510)
    at dispatch.c:133
#14 0x7f58e4f8 in do_authentication2 (authctxt=0x7fff7510) at auth2.c:176
#15 0x7f583a3c in main (ac=<optimized out>, av=<optimized out>) at sshd.c:2179

(gdb) fr 5
#5  0x7f5d383e in strlcat (
    dst=dst@entry=0x7fffffb8 "umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com", 
    src=src@entry=0x7f5d56fc ",", siz=0, siz@entry=109) at strlcat.c:46
46        dlen = d - dst;
 
(gdb) p dst
$4 = 0x7fffffb8 "umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com"
 
strlcat.c in OpenSSH:
...
    /* Find the end of dst and adjust bytes left but don't go past end */
    while (n-- != 0 && *d != '\0')
        d++;
    dlen = d - dst;    /* <- line 46 */
    n = siz - dlen;
...
Applying the equivalent of the LIN8-4535 fix (attached) should make the issue go away.
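Why line 46 aborts with the values in frame #5, as an added example (not OpenSSH or Wind River code): dst is at 0x7fffffb8 and holds a 78-byte string, so d ends up past 0x80000000, and a 32-bit signed subtraction of the two addresses overflows even though the true difference is small. The helper names are hypothetical, and trapv_sub32 only models the trapping subtract implied by the __subvsi3 frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from frame #5 of the backtrace: dst pointer and its contents. */
#define DST_ADDR 0x7fffffb8u
static const char DST_STR[] =
    "umac-64-etm@openssh.com,umac-128-etm@openssh.com,"
    "hmac-sha2-256-etm@openssh.com";

/* Model of a trapping 32-bit signed subtract (hypothetical helper):
 * returns 1 where the -ftrapv runtime would abort(), else stores a - b. */
static int trapv_sub32(int32_t a, int32_t b, int32_t *out)
{
    int64_t wide = (int64_t)a - (int64_t)b;   /* exact result */
    if (wide > INT32_MAX || wide < INT32_MIN)
        return 1;
    *out = (int32_t)wide;
    return 0;
}

/* Modular (unsigned) subtract: never traps, wraps mod 2^32. */
static uint32_t wrap_sub32(uint32_t a, uint32_t b) { return a - b; }

/* Would "dlen = d - dst" trap for a string of len bytes at dst_addr? */
static int dlen_traps(uint32_t dst_addr, size_t len)
{
    uint32_t d = dst_addr + (uint32_t)len;    /* d after the scan loop */
    int32_t dlen;
    /* Addresses reinterpreted as signed 32-bit values (two's complement). */
    return trapv_sub32((int32_t)d, (int32_t)dst_addr, &dlen);
}

int main(void)
{
    size_t len = strlen(DST_STR);
    uint32_t d = DST_ADDR + (uint32_t)len;
    printf("dst=0x%08x d=0x%08x len=%zu\n", (unsigned)DST_ADDR, (unsigned)d, len);
    printf("signed d - dst traps: %d\n", dlen_traps(DST_ADDR, len));
    printf("modular d - dst:      %u\n", (unsigned)wrap_sub32(d, DST_ADDR));
    printf("same string at 0x7fff0000 traps: %d\n", dlen_traps(0x7fff0000u, len));
    return 0;
}
```

The crash therefore depends on where the buffer happens to sit in the address space, which matches the "after a while" symptom rather than a failure on every login.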