kernel/4626: chrooting sshd - closef panic

Nikns Siankin
>Number:         4626
>Category:       kernel
>Synopsis:       chrooting sshd - closef panic
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:      
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Nov 20 12:30:01 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     nikns
>Release:        
>Organization:
net
>Environment:

        System      : OpenBSD 3.8
        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
After chrooting sshd and trying to ssh in, closef panic appears:

# panic: closef: count: 0/0
Stopped at      Debugger+0x4:   leave
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(d3af6338,3,d3bf31e0,d3bda480,0) at Debugger+0x4
panic(d04f3f8c,0,0,d05d2f2c,ffffffff) at panic+0x63
closef(d3bda480) at closef+0xd6
ptmioctl(5100,40287401,dabb7e68,3,d3bece18) at ptmioctl+0x192
spec_ioctl(dabb7d58,dabb7e18,dabb7de0,d0242259,d3bc76f0) at spec_ioctl+0x40
spec_vnoperate(dabb7d58,1000,d3bf31e0,d3bece18,d05805c0) at spec_vnoperate+0x16
VOP_IOCTL(d3bc76f0,40287401,dabb7e68,3,d3bf31e0,d3bece18,d3bc7770,d3bece18) at VOP_IOCTL+0x40
vn_ioctl(d3bda420,40287401,dabb7e68,d3bece18) at vn_ioctl+0xd0
sys_ioctl(d3bece18,dabb7f68,dabb7f58,cfbd4ff0,64c) at sys_ioctl+0x112
syscall() at syscall+0x2ee
--- syscall (number 54) ---
0xe51f0ad:
ddb>
ddb> ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
*12190  28213  12190      0  7      0x4104             sshd
 28213      1  28213      0  3        0x84  select     sshd
  3391      1   3391      0  3      0x4086  ttyin      ksh
  7733      1   7733      0  3     0x40184  select     sendmail
 28177      1  28177      0  3        0x84  select     cron
 23022      1  23022      0  3        0x84  select     sshd
 14200      1  14200      0  3       0x184  select     inetd
  2625   9050   9050     73  3       0x184  poll       syslogd
  9050      1   9050      0  3        0x84  netio      syslogd
    11      0      0      0  3    0x100204  crypto_wa  crypto
    10      0      0      0  3    0x100204  aiodoned   aiodoned
     9      0      0      0  3    0x100204  syncer     update
     8      0      0      0  3    0x100204  cleaner    cleaner
     7      0      0      0  3    0x100204  reaper     reaper
     6      0      0      0  3    0x100204  pgdaemon   pagedaemon
     5      0      0      0  3    0x100204  pftm       pfpurge
     4      0      0      0  3    0x100204  usbtsk     usbtask
     3      0      0      0  3    0x100204  usbevt     usb0
     2      0      0      0  3    0x100204  kmalloc    kmthread
     1      0      1      0  3      0x4084  wait       init
     0     -1      0      0  3     0x80204  scheduler  swapper
ddb>


>How-To-Repeat:
/bin/mkdir -p /chroot/usr/lib && \
/bin/mkdir -p /chroot/usr/sbin && \
/bin/mkdir -p /chroot/usr/libexec && \
/bin/mkdir -p /chroot/etc/ssh && \
/bin/mkdir -p /chroot/dev && \
/bin/mkdir -p /chroot/var/empty
ldd /usr/sbin/sshd | egrep -v "^$|Name|:" | awk '{ print "cp " $5 " /chroot" $5 }' | sh
cp /etc/ssh/ssh_host_* /chroot/etc/ssh/
cp /etc/ssh/sshd_config /chroot/etc/ssh/

mkdir /chroot/dev

mknod /chroot/dev/null c 2 2
chmod 666 /chroot/dev/null

mknod /chroot/dev/ptm c 81 0
chmod 666 /chroot/dev/ptm

mknod /chroot/dev/ptyp0 c 6 0
chmod 666 /chroot/dev/ptyp0
mknod /chroot/dev/ptyp1 c 6 1
chmod 666 /chroot/dev/ptyp1
mknod /chroot/dev/ptyp2 c 6 2
chmod 666 /chroot/dev/ptyp2
mknod /chroot/dev/ptyp3 c 6 3
chmod 666 /chroot/dev/ptyp3
mknod /chroot/dev/ptyp4 c 6 4
chmod 666 /chroot/dev/ptyp4
mknod /chroot/dev/ptyp5 c 6 5
chmod 666 /chroot/dev/ptyp5
mknod /chroot/dev/ptyp6 c 6 6
chmod 666 /chroot/dev/ptyp6
mknod /chroot/dev/ptyp7 c 6 7
chmod 666 /chroot/dev/ptyp7
mknod /chroot/dev/ptyp8 c 6 8
chmod 666 /chroot/dev/ptyp8
mknod /chroot/dev/ptyp9 c 6 9
chmod 666 /chroot/dev/ptyp9

mknod /chroot/dev/tty c 1 0
chmod 666 /chroot/dev/tty

cp /usr/share/zoneinfo/Europe/Riga /chroot/etc/localtime
cp /etc/hosts /chroot/etc/hosts
cp /etc/resolv.conf /chroot/etc/resolv.conf

cat /etc/group | grep sshd > /chroot/etc/group
cat /etc/master.passwd | grep root > /chroot/etc/passwords
cat /etc/master.passwd | grep sshd >> /chroot/etc/passwords
cd /chroot/etc && pwd_mkdb -d /chroot/etc passwords
mkdir -p /chroot/usr/libexec/auth
cp /usr/libexec/auth/login_passwd /chroot/usr/libexec/auth/
mkdir -p /chroot/var/run
mkdir -p /chroot/bin
cp /bin/sh /chroot/bin/

/usr/sbin/chroot /chroot /usr/sbin/sshd


Then try to ssh in:
ssh -v host
root@host's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
[a while]
debug1: channel 0: free: client-session, nchannels 1
Read from remote host 10.195.0.2: Connection timed out
Connection to 10.195.0.2 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 90 bytes in 511.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.2
debug1: Exit status -1



>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

Re: kernel/4626: chrooting sshd - closef panic

Todd C. Miller
The following reply was made to PR kernel/4626; it has been noted by GNATS.

From: "Todd C. Miller" <[hidden email]>
To: nikns <[hidden email]>
Cc: [hidden email]
Subject: Re: kernel/4626: chrooting sshd - closef panic
Date: Sun, 20 Nov 2005 15:22:46 -0500

 Thanks for the detailed problem report.  I've been able to reproduce
 the crash and should be able to debug it soon.
 
 Please note that you are missing the actual tty device nodes in
 your chroot jail (you just have the pty devices and not the
 corresponding tty ones).  Adding the missing devices may allow
 you to work around the problem.
 
  - todd
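
The gap pointed out in the reply above (pty masters in the jail's /dev without the matching tty slave nodes) can be checked mechanically. This is an added example, not part of the original thread: a POSIX sh function, under the hypothetical name `missing_tty_nodes`, that lists the slave names a dev directory lacks. It checks that the nodes exist, not their device numbers or modes.

```shell
#!/bin/sh
# Added example (not from the thread): audit a chroot's dev directory for
# pty master nodes that have no matching tty slave node (ptyp0 -> ttyp0).

# missing_tty_nodes DEVDIR
# Prints one missing slave name per line.
# Returns 0 if every master has a slave, 1 if any slave is missing,
# 2 if DEVDIR is not a directory.
missing_tty_nodes() {
    devdir=$1
    [ -d "$devdir" ] || return 2
    missing=0
    # pty?? matches master names such as ptyp0; it does not match ptm.
    for master in "$devdir"/pty??; do
        # When nothing matches, the pattern is left as a literal; skip it.
        [ -e "$master" ] || continue
        name=${master##*/}        # strip the directory part: ptyp0
        slave="tty${name#pty}"    # same suffix, tty prefix: ttyp0
        if [ ! -e "$devdir/$slave" ]; then
            echo "$slave"
            missing=1
        fi
    done
    return $missing
}

# Run the audit only when a directory is given, e.g.: sh audit.sh /chroot/dev
if [ -n "${1:-}" ]; then
    missing_tty_nodes "$1"
fi
```

Run against the `/chroot/dev` built in the How-To-Repeat steps, it would list `ttyp0` through `ttyp9`, since only the `ptyp*` masters were created there.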

Re: kernel/4626: chrooting sshd - closef panic

Todd C. Miller
The following reply was made to PR kernel/4626; it has been noted by GNATS.

From: "Todd C. Miller" <[hidden email]>
To: nikns <[hidden email]>
Cc: [hidden email]
Subject: Re: kernel/4626: chrooting sshd - closef panic
Date: Sun, 20 Nov 2005 19:43:06 -0500

 Here's a fix.
 
  - todd
 
 Index: sys/kern/tty_pty.c
 ===================================================================
 RCS file: /home/cvs/openbsd/src/sys/kern/tty_pty.c,v
 retrieving revision 1.29
 diff -u -r1.29 tty_pty.c
 --- sys/kern/tty_pty.c 26 May 2005 00:33:45 -0000 1.29
 +++ sys/kern/tty_pty.c 21 Nov 2005 00:42:54 -0000
 @@ -1175,7 +1175,6 @@
  cfp->f_ops = &vnops;
  cfp->f_data = (caddr_t) cnd.ni_vp;
  VOP_UNLOCK(cnd.ni_vp, 0, p);
 - FILE_SET_MATURE(cfp);
 
  /*
  * Open the slave.
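
Review bot: With FILE_SET_MATURE(cfp) no longer following VOP_UNLOCK(cnd.ni_vp, 0, p), cfp stays immature through the whole "Open the slave" section, but nothing at this site says so. A one-line comment here noting that maturity is deferred until both files are fully set up would keep a later change from reinstating the call. It is also worth confirming that the error exits in the slave-open code, which this hunk does not show, release cfp in a way that is valid for a file that has not been marked mature.
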
 @@ -1229,13 +1228,16 @@
  sfp->f_ops = &vnops;
  sfp->f_data = (caddr_t) snd.ni_vp;
  VOP_UNLOCK(snd.ni_vp, 0, p);
 - FILE_SET_MATURE(sfp);
 
  /* now, put the indexen and names into struct ptmget */
  ptm->cfd = cindx;
  ptm->sfd = sindx;
  memcpy(ptm->cn, pti->pty_pn, sizeof(pti->pty_pn));
  memcpy(ptm->sn, pti->pty_sn, sizeof(pti->pty_sn));
 +
 + /* mark the files mature now that we've passed all errors */
 + FILE_SET_MATURE(cfp);
 + FILE_SET_MATURE(sfp);
 
  fdpunlock(fdp);
  break;
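
Review bot: The new comment "mark the files mature now that we've passed all errors" does not say what goes wrong if the marking happens earlier; consider naming the failure, which per the trace in the PR is the closef panic reached from ptmioctl, so the ordering constraint is explicit. Both FILE_SET_MATURE calls sit before fdpunlock(fdp), and the comment could also state that they must remain the last step before the unlock so that no error exit is added after them.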