sshd segfaults with incomplete /etc/hosts


sshd segfaults with incomplete /etc/hosts

Seth Hanford
While working on consolidating some firewalls, I ended up creating an
incomplete /etc/hosts file entry. One line of that file was simply an IP
address:
192.168.100.25

Upon ssh from that host (.25) to my sshd server (192.168.100.4), the
sshd on .4 segfaulted. Log output of /usr/sbin/sshd included below.

It appears as if line 71 of canohost.c is not properly handling this
hosts entry. I verified this on another host that I had at the same
patch level & which I hadn't been messing around with. (All it took was
to add the IP to /etc/hosts and 'pkill -HUP sshd'.)

Obviously my /etc/hosts was wrong, but it seems like sshd shouldn't
segfault here.

Both systems are OpenBSD 5.5-stable, May 2.
OpenBSD 5.5 (GENERIC) #1: Fri May  2 15:30:02 EDT 2014
    [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 520028160 (495MB)
avail mem = 497676288 (474MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/30/2013
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3)
S3F0(S3) S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3)
S11F(S3) S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1230 V2 @ 3.30GHz, 3299.46 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf0000000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpibat0 at acpi0: BAT1 not present
acpibat1 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: LID_
vmt0 at mainbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <NECVMWar, VMware IDE CDR10, 1.00> ATAPI
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
"VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: apic 1
int 17
scsibus1 at mpi0: 16 targets, initiator 7
sd0 at scsibus1 targ 0 lun 0: <VMware, Virtual disk, 1.0> SCSI2 0/direct
fixed
sd0: 8192MB, 512 bytes/sector, 16777216 sectors
mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1
ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02
pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 "Intel 82545EM" rev 0x01: apic 1 int 18,
address 00:0c:29:b3:f2:d1
em1 at pci2 dev 1 function 0 "Intel 82545EM" rev 0x01: apic 1 int 19,
address 00:0c:29:b3:f2:db
em2 at pci2 dev 2 function 0 "Intel 82545EM" rev 0x01: apic 1 int 16,
address 00:0c:29:b3:f2:e5
em3 at pci2 dev 4 function 0 "Intel 82545EM" rev 0x01: apic 1 int 18,
address 00:0c:29:b3:f2:ef
ppb2 at pci0 dev 21 function 0 "VMware PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci0 dev 21 function 1 "VMware PCIE" rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci0 dev 21 function 2 "VMware PCIE" rev 0x01
pci5 at ppb4 bus 5
ppb5 at pci0 dev 21 function 3 "VMware PCIE" rev 0x01
pci6 at ppb5 bus 6
ppb6 at pci0 dev 21 function 4 "VMware PCIE" rev 0x01
pci7 at ppb6 bus 7
ppb7 at pci0 dev 21 function 5 "VMware PCIE" rev 0x01
pci8 at ppb7 bus 8
ppb8 at pci0 dev 21 function 6 "VMware PCIE" rev 0x01
pci9 at ppb8 bus 9
ppb9 at pci0 dev 21 function 7 "VMware PCIE" rev 0x01
pci10 at ppb9 bus 10
ppb10 at pci0 dev 22 function 0 "VMware PCIE" rev 0x01
pci11 at ppb10 bus 11
ppb11 at pci0 dev 22 function 1 "VMware PCIE" rev 0x01
pci12 at ppb11 bus 12
ppb12 at pci0 dev 22 function 2 "VMware PCIE" rev 0x01
pci13 at ppb12 bus 13
ppb13 at pci0 dev 22 function 3 "VMware PCIE" rev 0x01
pci14 at ppb13 bus 14
ppb14 at pci0 dev 22 function 4 "VMware PCIE" rev 0x01
pci15 at ppb14 bus 15
ppb15 at pci0 dev 22 function 5 "VMware PCIE" rev 0x01
pci16 at ppb15 bus 16
ppb16 at pci0 dev 22 function 6 "VMware PCIE" rev 0x01
pci17 at ppb16 bus 17
ppb17 at pci0 dev 22 function 7 "VMware PCIE" rev 0x01
pci18 at ppb17 bus 18
ppb18 at pci0 dev 23 function 0 "VMware PCIE" rev 0x01
pci19 at ppb18 bus 19
ppb19 at pci0 dev 23 function 1 "VMware PCIE" rev 0x01
pci20 at ppb19 bus 20
ppb20 at pci0 dev 23 function 2 "VMware PCIE" rev 0x01
pci21 at ppb20 bus 21
ppb21 at pci0 dev 23 function 3 "VMware PCIE" rev 0x01
pci22 at ppb21 bus 22
ppb22 at pci0 dev 23 function 4 "VMware PCIE" rev 0x01
pci23 at ppb22 bus 23
ppb23 at pci0 dev 23 function 5 "VMware PCIE" rev 0x01
pci24 at ppb23 bus 24
ppb24 at pci0 dev 23 function 6 "VMware PCIE" rev 0x01
pci25 at ppb24 bus 25
ppb25 at pci0 dev 23 function 7 "VMware PCIE" rev 0x01
pci26 at ppb25 bus 26
ppb26 at pci0 dev 24 function 0 "VMware PCIE" rev 0x01
pci27 at ppb26 bus 27
ppb27 at pci0 dev 24 function 1 "VMware PCIE" rev 0x01
pci28 at ppb27 bus 28
ppb28 at pci0 dev 24 function 2 "VMware PCIE" rev 0x01
pci29 at ppb28 bus 29
ppb29 at pci0 dev 24 function 3 "VMware PCIE" rev 0x01
pci30 at ppb29 bus 30
ppb30 at pci0 dev 24 function 4 "VMware PCIE" rev 0x01
pci31 at ppb30 bus 31
ppb31 at pci0 dev 24 function 5 "VMware PCIE" rev 0x01
pci32 at ppb31 bus 32
ppb32 at pci0 dev 24 function 6 "VMware PCIE" rev 0x01
pci33 at ppb32 bus 33
ppb33 at pci0 dev 24 function 7 "VMware PCIE" rev 0x01
pci34 at ppb33 bus 34
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (5924428ae8b55a71.a) swap on sd0b dump on sd0b



/usr/sbin/sshd -ddde
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 221
debug2: parse_server_config: config /etc/ssh/sshd_config len 221
debug3: /etc/ssh/sshd_config:52 setting AuthorizedKeysFile
.ssh/authorized_keys
debug3: /etc/ssh/sshd_config:87 setting UsePrivilegeSeparation sandbox
debug3: /etc/ssh/sshd_config:103 setting Subsystem sftp
/usr/libexec/sftp-server
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1c 10 May 2012
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_rsa_key" as a RSA1 public key
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_dsa_key" as a RSA1 public key
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ecdsa_key" as a RSA1 public key
debug1: private host key: #2 type 3 ECDSA
debug3: Incorrect RSA1 identifier
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ed25519_key" as a RSA1 public key
debug1: private host key: #3 type 4 ED25519
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddde'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 221
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config rexec len 221
debug3: rexec:52 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: rexec:87 setting UsePrivilegeSeparation sandbox
debug3: rexec:103 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1c 10 May 2012
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_rsa_key" as a RSA1 public key
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type DSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_dsa_key" as a RSA1 public key
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ecdsa_key" as a RSA1 public key
debug1: private host key: #2 type 3 ECDSA
debug3: Incorrect RSA1 identifier
debug3: Incorrect RSA1 identifier
debug3: Could not load "/etc/ssh/ssh_host_ed25519_key" as a RSA1 public key
debug1: private host key: #3 type 4 ED25519
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.100.25 port 62987 on 192.168.100.4 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing systrace sandbox
debug2: Network child is on pid 2226
debug3: ssh_sandbox_parent: wait for child 2226
debug3: ssh_sandbox_parent: child 2226 stopped
debug3: ssh_sandbox_parent: systrace attach, fd=9
debug3: ssh_sandbox_parent: policy: enable syscall 1
debug3: ssh_sandbox_parent: policy: enable syscall 3
debug3: ssh_sandbox_parent: policy: enable syscall 4
debug3: ssh_sandbox_parent: policy: enable syscall 5
debug3: ssh_sandbox_parent: policy: enable syscall 6
debug3: ssh_sandbox_parent: policy: enable syscall 20
debug3: ssh_sandbox_parent: policy: enable syscall 48
debug3: ssh_sandbox_parent: policy: enable syscall 67
debug3: ssh_sandbox_parent: policy: enable syscall 71
debug3: ssh_sandbox_parent: policy: enable syscall 73
debug3: ssh_sandbox_parent: policy: enable syscall 74
debug3: ssh_sandbox_parent: policy: enable syscall 75
debug3: ssh_sandbox_parent: policy: enable syscall 87
debug3: ssh_sandbox_parent: policy: enable syscall 134
debug3: ssh_sandbox_parent: policy: enable syscall 197
debug3: ssh_sandbox_parent: policy: enable syscall 202
debug3: ssh_sandbox_parent: policy: enable syscall 252
debug3: ssh_sandbox_parent: policy: enable syscall 286
debug3: ssh_sandbox_parent: start child 2226
debug3: preauth child monitor started
debug3: privsep user:group 27:27 [preauth]
debug1: permanently_set_uid: 27/27 [preauth]
debug3: ssh_sandbox_child: ready [preauth]
debug3: ssh_sandbox_child: started [preauth]
debug1: list_hostkey_types:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit:
[hidden email],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
debug2: kex_parse_kexinit:
ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
[preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
[preauth]
debug2: kex_parse_kexinit:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
[preauth]
debug2: kex_parse_kexinit:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
[preauth]
debug2: kex_parse_kexinit: none,[hidden email] [preauth]
debug2: kex_parse_kexinit: none,[hidden email] [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
[preauth]
debug2: kex_parse_kexinit:
[hidden email],[hidden email],ssh-rsa,[hidden email],[hidden email],ssh-dss
[preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
[preauth]
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
[preauth]
debug2: kex_parse_kexinit:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
[preauth]
debug2: kex_parse_kexinit:
[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
[preauth]
debug2: kex_parse_kexinit: none,[hidden email],zlib [preauth]
debug2: kex_parse_kexinit: none,[hidden email],zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: mac_setup: setup [hidden email] [preauth]
debug1: kex: client->server aes128-ctr [hidden email] none
[preauth]
debug2: mac_setup: setup [hidden email] [preauth]
debug1: kex: server->client aes128-ctr [hidden email] none
[preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
debug3: mm_request_send entering: type 0 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI [preauth]
debug3: mm_request_receive_expect entering: type 1 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_choose_dh: remaining 0 [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug2: bits set: 547/1024 [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug2: bits set: 495/1024 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x112e491eb600(271)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user shanford service ssh-connection method
none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 192.168.100.25.
Segmentation fault (core dumped)
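A check for the malformed entry described in this report, added here as an example rather than anything from the thread: it parses /etc/hosts in the hosts(5) layout (address, canonical name, optional aliases, '#' comments) and reports lines that carry an address but no hostname, as well as lines whose address field does not parse. The sample file content is constructed; the only real value in it is the address-only line from the report.

```python
#!/usr/bin/env python3
"""Flag /etc/hosts entries that have an address but no hostname.

hosts(5) lines are: <address> <canonical name> [aliases...], with '#'
starting a comment. A line that is only an address is incomplete; this
checker reports such lines (and unparsable addresses) so they can be
fixed in the file rather than left for a resolver library to trip over.
"""
import ipaddress
import sys
from typing import List, Tuple

# Constructed sample (not a real system's file). Line 3 reproduces the
# incomplete entry from the report: an address with no hostname.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.100.25
192.168.100.4   gw.example.test gw   # trailing comment is fine
# 10.0.0.1 commented-out entry, ignored
fe80::1%em0     link-local-host
not-an-address  broken
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (lineno, address, [names]) for each non-blank, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def check_hosts(text: str) -> List[Tuple[int, str]]:
    """Return (lineno, problem) for every malformed entry, in file order."""
    problems = []
    for lineno, addr, names in parse_hosts(text):
        # A scope suffix (%ifname) may follow a link-local IPv6 address;
        # drop it before validating the address itself.
        bare = addr.split("%", 1)[0]
        try:
            ipaddress.ip_address(bare)
        except ValueError:
            problems.append((lineno, f"unparsable address {addr!r}"))
            continue
        if not names:
            problems.append((lineno, f"address {addr} has no hostname"))
    return problems


def main(argv: List[str]) -> int:
    # With no argument, check the constructed sample; otherwise the given file.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_HOSTS
    problems = check_hosts(text)
    for lineno, problem in problems:
        print(f"line {lineno}: {problem}")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_hosts.py /etc/hosts` to audit a real file; a non-zero exit status means at least one entry needs fixing.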


Re: sshd segfaults with incomplete /etc/hosts

sven falempin
It is working fine here (amd64/5.5)

On Sun, May 11, 2014 at 10:41 PM, Seth Hanford <[hidden email]> wrote:
> [preauth]
> debug2: kex_parse_kexinit:
> [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
> [preauth]
> debug2: kex_parse_kexinit: none,[hidden email],zlib [preauth]
> debug2: kex_parse_kexinit: none,[hidden email],zlib [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit:  [preauth]
> debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
> debug2: kex_parse_kexinit: reserved 0  [preauth]
> debug2: mac_setup: setup [hidden email] [preauth]
> debug1: kex: client->server aes128-ctr [hidden email] none
> [preauth]
> debug2: mac_setup: setup [hidden email] [preauth]
> debug1: kex: server->client aes128-ctr [hidden email] none
> [preauth]
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
> debug3: mm_request_send entering: type 0 [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI [preauth]
> debug3: mm_request_receive_expect entering: type 1 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug3: mm_choose_dh: remaining 0 [preauth]
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
> debug2: bits set: 547/1024 [preauth]
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
> debug2: bits set: 495/1024 [preauth]
> debug3: mm_key_sign entering [preauth]
> debug3: mm_request_send entering: type 6 [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 6
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 0x112e491eb600(271)
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
> debug3: mm_request_receive_expect entering: type 7 [preauth]
> debug3: mm_request_receive entering [preauth]
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
> debug2: kex_derive_keys [preauth]
> debug2: set_newkeys: mode 1 [preauth]
> debug1: SSH2_MSG_NEWKEYS sent [preauth]
> debug1: expecting SSH2_MSG_NEWKEYS [preauth]
> debug2: set_newkeys: mode 0 [preauth]
> debug1: SSH2_MSG_NEWKEYS received [preauth]
> debug1: KEX done [preauth]
> debug1: userauth-request for user shanford service ssh-connection method
> none [preauth]
> debug1: attempt 0 failures 0 [preauth]
> debug3: mm_getpwnamallow entering [preauth]
> debug3: mm_request_send entering: type 8 [preauth]
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 8
> debug3: mm_answer_pwnamallow
> debug3: Trying to reverse map address 192.168.100.25.
> Segmentation fault (core dumped)
>



--
---------------------------------------------------------------------------------------------------------------------
() ascii ribbon campaign - against html e-mail
/\

Re: sshd segfaults with incomplete /etc/hosts

Darren Tucker
In reply to this post by Seth Hanford
On Sun, May 11, 2014 at 10:41 PM, Seth Hanford <[hidden email]> wrote:

> While working on consolidating some firewalls, I ended up creating an
> incomplete /etc/hosts file entry. One line of that file was simply an IP
> address:
> 192.168.100.25
>
> Upon ssh from that host (.25) to my sshd server (192.168.100.4), the
> sshd on .4 segfaulted. Log output of /usr/sbin/sshd included below.
>
> It appears as if line 71 of canohost.c is not properly handling this
> hosts entry. I verified this on another host that I had at the same
> patch level & which I hadn't been messing around with. (all it took was
> to add the IP to /etc/hosts and 'pkill -HUP sshd')
>
> Obviously my /etc/hosts was wrong, but it seems like sshd shouldn't
> segfault here.

[...]

Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
 I've been kinda busy recently so I haven't kept up with recent changes so
I'm not sure exactly what's changed in there.  Looks like it should be
readily reproducible outside of sshd with a call to getnameinfo().

$ sudo gdb -q --args /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p 2022
(gdb) run
Starting program: /usr/sbin/sshd -r -ouseprivilegeseparation=no -ddd -p 2022
[...]
Program received signal SIGSEGV, Segmentation fault.
strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
43              for (s = str; *s; ++s)
(gdb) bt
#0  strlen (str=0x0) at /usr/src/lib/libc/string/strlen.c:43
#1  0x0154422d in hostent_set_cname (h=0x88f4f800, name=0x0,
isdname=Variable "isdname" is not available.
)
    at /usr/src/lib/libc/asr/gethostnamadr_async.c:580
#2  0x01544a65 in gethostnamadr_async_run (as=0x86bef800, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/gethostnamadr_async.c:452
#3  0x01558e13 in asr_run (as=0x86bef800, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/asr.c:199
#4  0x01541acf in getnameinfo_async_run (as=0x83012d00, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/getnameinfo_async.c:157
#5  0x01558e13 in asr_run (as=0x83012d00, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/asr.c:199
#6  0x01558e87 in asr_run_sync (as=0x83012d00, ar=0xcfbcc68c)
    at /usr/src/lib/libc/asr/asr.c:224
#7  0x0154178b in getnameinfo (sa=0xcfbcc854, salen=16, host=0xcfbccdb0 "",
    hostlen=256, serv=0x0, servlen=0, flags=8)
    at /usr/src/lib/libc/asr/getnameinfo.c:47


--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: sshd segfaults with incomplete /etc/hosts

Darren Tucker
On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote:
> Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
>  I've been kinda busy recently so I haven't kept up with recent changes so
> I'm not sure exactly what's changed in there.  Looks like it should be
> readily reproducible outside of sshd with a call to getnameinfo().

It's a null pointer deref.  Without understanding the surrounding code,
the following naive diff fixes it for me.

Eric?

Index: libc/asr/gethostnamadr_async.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/gethostnamadr_async.c,v
retrieving revision 1.28
diff -u -p -r1.28 gethostnamadr_async.c
--- libc/asr/gethostnamadr_async.c 26 Mar 2014 18:13:15 -0000 1.28
+++ libc/asr/gethostnamadr_async.c 12 May 2014 20:46:54 -0000
@@ -577,6 +577,8 @@ hostent_set_cname(struct hostent_ext *h,
  name = buf;
  }
 
+ if (name == NULL)
+ return (-1);
  n = strlen(name) + 1;
  if (h->pos + n >= h->end)
  return (-1);
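Review bot: the added `if (name == NULL) return (-1);` makes hostent_set_cname fail with the same -1 that the next lines already use for running out of buffer (`if (h->pos + n >= h->end) return (-1);`), so a caller cannot tell a nameless hosts entry from an oversized answer, and the nameless line is still being treated as a match by whatever handed it in. The check belongs where the /etc/hosts line is parsed, so that a line carrying an address and no name is skipped and the lookup moves on to a later complete entry instead of failing outright.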

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Re: sshd segfaults with incomplete /etc/hosts

Florian Obser-2
On Tue, May 13, 2014 at 06:51:16AM +1000, Darren Tucker wrote:

> On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote:
> > Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
> >  I've been kinda busy recently so I haven't kept up with recent changes so
> > I'm not sure exactly what's changed in there.  Looks like it should be
> > readily reproducible outside of sshd with a call to getnameinfo().
>
> It's a null pointer deref.  Without understanding the surrounding code,
> the following naive diff fixes it for me.
>
> Eric?

I think the bug is in hostent_file_match. The following diff has the
advantage that this works in /etc/hosts:

192.0.2.1
192.0.2.1 foo

$ getent hosts 192.0.2.1
192.0.2.1         foo

diff --git gethostnamadr_async.c gethostnamadr_async.c
index 674bcb4..23d6c36 100644
--- gethostnamadr_async.c
+++ gethostnamadr_async.c
@@ -440,8 +440,8 @@ hostent_file_match(FILE *f, int reqtype, int family, const char *data,
  goto found;
  }
  } else {
- if (inet_pton(family, tokens[0], addr) == 1 &&
-    memcmp(addr, data, datalen) == 0)
+ if (tokens[1] != NULL && inet_pton(family, tokens[0],
+     addr) == 1 && memcmp(addr, data, datalen) == 0)
  goto found;
  }
  }
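Review bot: the `tokens[1] != NULL` guard is added only in the `else` (lookup-by-address) branch; the lookup-by-name branch that precedes the `} else {` in this hunk's context is untouched, so the rule is enforced for one of the two paths. A check on the token count placed before the `if (reqtype == ...)` split covers both paths in one place, and reads better than a condition folded across two lines.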

--
I'm not entirely sure you are real.

Re: sshd segfaults with incomplete /etc/hosts

Florian Obser-2
On Mon, May 12, 2014 at 09:25:45PM +0000, Florian Obser wrote:

> On Tue, May 13, 2014 at 06:51:16AM +1000, Darren Tucker wrote:
> > On Mon, May 12, 2014 at 04:39:57PM -0400, Darren Tucker wrote:
> > > Indeed.  It looks like a bug in the libc resolver rather than sshd, though.
> > >  I've been kinda busy recently so I haven't kept up with recent changes so
> > > I'm not sure exactly what's changed in there.  Looks like it should be
> > > readily reproducible outside of sshd with a call to getnameinfo().
> >
> > It's a null pointer deref.  Without understanding the surrounding code,
> > the following naive diff fixes it for me.
> >
> > Eric?
>
> I think the bug is in hostent_file_match. The following diff has the
> advantage that this works in /etc/hosts:
>
> 192.0.2.1
> 192.0.2.1 foo
>
> $ getent hosts 192.0.2.1
> 192.0.2.1         foo
>

hm, maybe this is better:

diff --git gethostnamadr_async.c gethostnamadr_async.c
index 674bcb4..1c77bd9 100644
--- gethostnamadr_async.c
+++ gethostnamadr_async.c
@@ -440,6 +440,8 @@ hostent_file_match(FILE *f, int reqtype, int family, const char *data,
  goto found;
  }
  } else {
+ if (n < 2)
+ continue;
  if (inet_pton(family, tokens[0], addr) == 1 &&
     memcmp(addr, data, datalen) == 0)
  goto found;
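Review bot: `if (n < 2) continue;` still sits inside the `else` branch, so only the by-address path skips a nameless line; hoisting it above the `if (reqtype == ...)` split, with a comment stating the invariant (an address and at least one name), makes the rule hold for both lookup types and keeps it in one place.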


--
I'm not entirely sure you are real.

Re: sshd segfaults with incomplete /etc/hosts

Eric Faurot-2
On Mon, May 12, 2014 at 09:47:19PM +0000, Florian Obser wrote:

> > > Eric?
> >
> > I think the bug is in hostent_file_match. The following diff has the
> > advantage that this works in /etc/hosts:
> >
> > 192.0.2.1
> > 192.0.2.1 foo
> >
> > $ getent hosts 192.0.2.1
> > 192.0.2.1         foo
> >
>
> hm, maybe this is better:
>
> diff --git gethostnamadr_async.c gethostnamadr_async.c
> index 674bcb4..1c77bd9 100644
> --- gethostnamadr_async.c
> +++ gethostnamadr_async.c
> @@ -440,6 +440,8 @@ hostent_file_match(FILE *f, int reqtype, int family, const char *data,
>   goto found;
>   }
>   } else {
> + if (n < 2)
> + continue;

Yes, but the check must be done for all cases.
The following diff also fixes getnetnamadr.
getaddrinfo is already fine.

Eric.

Index: gethostnamadr_async.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/gethostnamadr_async.c,v
retrieving revision 1.28
diff -u -p -r1.28 gethostnamadr_async.c
--- gethostnamadr_async.c 26 Mar 2014 18:13:15 -0000 1.28
+++ gethostnamadr_async.c 13 May 2014 06:47:41 -0000
@@ -432,6 +432,10 @@ hostent_file_match(FILE *f, int reqtype,
  return (NULL);
  }
 
+ /* there must be an address and at least one name */
+ if (n < 2)
+ continue;
+
  if (reqtype == ASR_GETHOSTBYNAME) {
  for (i = 1; i < n; i++) {
  if (strcasecmp(data, tokens[i]))
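Review bot: no logic issue here; the `n < 2` check now precedes the `if (reqtype == ASR_GETHOSTBYNAME)` branch, so both lookup paths skip a line that lacks a name. One documentation point: the `continue` drops such lines silently, so a sentence in hosts(5) saying that an entry without a host name is ignored would save the next person a debugging session like the one that opened this thread.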
Index: getnetnamadr_async.c
===================================================================
RCS file: /cvs/src/lib/libc/asr/getnetnamadr_async.c,v
retrieving revision 1.14
diff -u -p -r1.14 getnetnamadr_async.c
--- getnetnamadr_async.c 26 Mar 2014 18:13:15 -0000 1.14
+++ getnetnamadr_async.c 13 May 2014 06:47:41 -0000
@@ -287,6 +287,10 @@ netent_file_match(FILE *f, int reqtype,
  return (NULL);
  }
 
+ /* there must be an address and at least one name */
+ if (n < 2)
+ continue;
+
  if (reqtype == ASR_GETNETBYADDR) {
  net = inet_network(tokens[1]);
  if (memcmp(&net, data, sizeof net) == 0)
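Review bot: the copied comment `/* there must be an address and at least one name */` does not describe networks(5) lines; this hunk's own context shows the number in `tokens[1]` (`net = inet_network(tokens[1]);`), so the name comes first and the network number second. Reword it to `/* there must be a name and a network number */` so the stated invariant matches the file being parsed. The `n < 2` check itself is right for either ordering.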

Re: sshd segfaults with incomplete /etc/hosts

Seth Hanford
On 5/13/14, 2:59 AM, Eric Faurot wrote:

>
> Yes, but the check must be done for all cases.
> The following diff also fixes getnetnamadr.
> getaddrinfo is already fine.
>
> Eric.
>

Thanks, everyone!

I see it's committed.
http://marc.info/?l=openbsd-cvs&m=139998227611174&w=2

- Seth
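The rule that Eric's committed diff enforces (a hosts-file line must carry an address and at least one name before it can match), as an added C example that is not part of this thread or of OpenBSD's libc. It reimplements a small reverse-lookup matcher over an inline, constructed hosts-file text and runs it in two modes: the unfixed behaviour, where a nameless line counts as a hit and the caller is left with no name (returned here as -1 instead of crashing in strlen()), and the fixed behaviour, which skips such lines so that Florian's `192.0.2.1` / `192.0.2.1 foo` case resolves to `foo`. The function names, the 1024-character line limit taken from hosts(5) and the sample entries are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define HOSTS_LINE_MAX 1024   /* hosts(5): longer lines are ignored */
#define MAX_TOKENS 16

/* Split one hosts(5) line into whitespace-separated tokens, dropping any
 * '#' comment. Modifies line in place; returns the token count. */
static int tokenize_hosts_line(char *line, char **tokens, int maxtok)
{
    char *p = strchr(line, '#');
    int n = 0;

    if (p != NULL)
        *p = '\0';
    for (p = strtok(line, " \t\r\n"); p != NULL && n < maxtok;
         p = strtok(NULL, " \t\r\n"))
        tokens[n++] = p;
    return n;
}

/* Reverse lookup of an IPv4 address in hosts-file text (assumed API).
 * strict == 1 applies the committed rule: a line must carry an address
 * and at least one name, otherwise it is skipped. strict == 0 mimics the
 * unfixed matcher, which accepted a nameless line as a hit.
 * Returns  1 and copies the first name into out when a usable line matched,
 *          0 when nothing matched,
 *         -1 when (strict == 0 only) a nameless line matched: the state in
 *            which the old resolver handed strlen() a NULL name. */
int hosts_lookup_by_addr(const char *hosts_text, const char *addr_str,
                         int strict, char *out, size_t outlen)
{
    struct in_addr want, have;
    const char *cur = hosts_text;

    if (inet_pton(AF_INET, addr_str, &want) != 1)
        return 0;

    while (*cur != '\0') {
        const char *nl = strchr(cur, '\n');
        size_t len = nl ? (size_t)(nl - cur) : strlen(cur);
        const char *next = nl ? nl + 1 : cur + len;
        char line[HOSTS_LINE_MAX + 1];
        char *tokens[MAX_TOKENS];
        int n;

        if (len > HOSTS_LINE_MAX) {   /* overlong line: ignored, per hosts(5) */
            cur = next;
            continue;
        }
        memcpy(line, cur, len);
        line[len] = '\0';
        cur = next;

        n = tokenize_hosts_line(line, tokens, MAX_TOKENS);
        if (n == 0)                   /* blank or comment-only line */
            continue;
        if (strict && n < 2)          /* there must be an address and at least one name */
            continue;

        if (inet_pton(AF_INET, tokens[0], &have) == 1 &&
            memcmp(&have, &want, sizeof have) == 0) {
            if (n < 2)
                return -1;            /* matched, but there is no name to return */
            snprintf(out, outlen, "%s", tokens[1]);
            return 1;
        }
    }
    return 0;
}

/* Constructed sample, not a real /etc/hosts. */
static const char sample_hosts[] =
    "# constructed sample\n"
    "127.0.0.1 localhost\n"
    "192.0.2.1\n"             /* incomplete: address only */
    "192.0.2.1 foo\n"         /* complete entry for the same address */
    "192.168.100.25\n";       /* incomplete, with no complete entry after it */

int main(void)
{
    static const char *const probes[] = { "192.0.2.1", "192.168.100.25", "127.0.0.1" };
    char name[256];
    size_t i;

    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int old = hosts_lookup_by_addr(sample_hosts, probes[i], 0, name, sizeof name);
        int fixed = hosts_lookup_by_addr(sample_hosts, probes[i], 1, name, sizeof name);
        printf("%-16s unfixed=%2d  fixed=%2d%s%s\n", probes[i], old, fixed,
               fixed == 1 ? "  name=" : "", fixed == 1 ? name : "");
    }
    return 0;
}
```

Build with `cc -o hosts_match hosts_match.c` and run it: in unfixed mode both incomplete addresses come back as -1 (a match with nothing to hand the caller), while in fixed mode 192.0.2.1 resolves to foo through the later complete line and 192.168.100.25 is simply not found.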

Re: sshd segfaults with incomplete /etc/hosts

Héctor Luis Gimbatti
On the same topic,

$ man 5 hosts
BUGS:
Lines in /etc/hosts are limited to BUFSIZ characters (currently 1024).
Longer lines will be ignored.

I've made a couple of tests:
1. If the line has the following pattern:
10.0.1.1 aaaaaaaaaaaaaaaaaa bbbb....b cccc....c zzzz....z

$ getent hosts 10.0.1.1
10.0.1.1 aaaaaaaaaaaaaaaa bbbbbbbbbbbbbbbb ..... iiiiiiiiiiiiiiii

So it trims the line and we are on the SANE size (less than 1024)

2. By LINE it's meant to be LINE WITHOUT IP. One can test this by:
10.0.1.1 aaa...a

Where there are 1023 letters "a". If the IP is taken into account, the line has more than 1024 characters.