Bug 1028643

Summary: Connection remains when fork() fails.
Product: Red Hat Enterprise Linux 6
Component: openssh
Version: 6.4
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Tetsuo Handa <penguin-kernel>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Patrik Kis <pkis>
CC: penguin-kernel, pkis, pvrabec, ykinoshi
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-5.3p1-97.el6
Doc Type: Bug Fix
Clone Of:
: 1029074
Last Closed: 2014-10-14 07:39:41 UTC
Type: Bug
Bug Blocks: 1070830
Attachments: fix cleanup in openssh-5.3p1-audit.patch (flags: none)

Description Tetsuo Handa 2013-11-09 00:50:00 UTC
Description of problem:

Please see upstream bug report at https://bugzilla.mindrot.org/show_bug.cgi?id=2167 .
I attached a fix in that report. Please backport to RHEL/Fedora's openssh
package when the fix is committed, for this bug actually blocked an unattended
ssh session (execution of batched job) of an enterprise server.

Version-Release number of selected component (if applicable):

Any.

How reproducible:

100% reproducible when fork() in privsep_postauth() fails.

Steps to Reproduce:

1. Build as usual like "rpmbuild -bb openssh.spec".
2. Go to the build directory and replace fork() in privsep_postauth() in sshd.c
   with -1 and rebuild using "make".
3. Run ./sshd and try to connect as an unprivileged user.

Actual results:

Connection cannot be closed when fork() fails.

Expected results:

Connection should be closed immediately when fork() fails.

Comment 2 Petr Lautrbach 2013-11-11 15:33:52 UTC
Created attachment 822474
fix cleanup in openssh-5.3p1-audit.patch

Please apply this patch on your openssh-5.3p1-audit.patch from src.rpm and check if it helps you.

Comment 3 Tetsuo Handa 2013-11-12 05:47:15 UTC
Hello. Thank you for the patch.

The patch fixes the fork() failure case in privsep_postauth() but does not fix
the fork() failure case in privsep_preauth(), for pmonitor->m_pid == 0 in the
latter function.

I don't know whether it is safe to change privsep_preauth() from

  pid = fork();
  if (pid == -1) {
    fatal("fork of unprivileged child failed");
  } else if (pid != 0) {

to

  pmonitor->m_pid = fork();
  if (pmonitor->m_pid == -1) {
    fatal("fork of unprivileged child failed");
  } else if (pmonitor->m_pid != 0) {

like privsep_postauth() does. But at least changing privsep_preauth() like

   pid = fork();
   if (pid == -1) {
+    pmonitor->m_pid = -1
     fatal("fork of unprivileged child failed");
   } else if (pid != 0) {
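
Review bot: the added `pmonitor->m_pid = -1` line in the `pid == -1` branch has no terminating semicolon, so the snippet will not compile as written; add the `;`. The assignment also has to stay ahead of the `fatal()` call, as it is here, because fatal() does not return and nothing placed after it in that branch would run.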

can fix the fork() failure case in privsep_preauth().

Regards.

Comment 4 Petr Lautrbach 2013-11-12 15:38:16 UTC
Thanks for testing. You are right about privsep_preauth(). I personally would use:

@@ -633,7 +683,7 @@ privsep_preauth(Authctxt *authctxt)
 	/* Store a pointer to the kex for later rekeying */
 	pmonitor->m_pkex = &xxx_kex;
 
-	pid = fork();
+	pmonitor->m_pid = pid = fork();
 	if (pid == -1) {
 		fatal("fork of unprivileged child failed");
 	} else if (pid != 0) {
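
Review bot: the chained assignment `pmonitor->m_pid = pid = fork();` on the `+` line writes fork()'s result into pmonitor->m_pid in every branch, so the field holds -1 on the `fatal()` path and 0 in the child, as well as the child's pid in the parent. If only the failure path needs the value, setting it inside the `pid == -1` branch keeps the change narrower; either way, a one-line comment saying the store must happen before `fatal()` would keep it from being reverted later as redundant.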


but it's only a cosmetic change. The fix will be included in the update.

Comment 10 errata-xmlrpc 2014-10-14 07:39:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1552.html