Bug 1999263

Summary: frequent sshd segfaults
Product: Red Hat Enterprise Linux 7
Reporter: Paulo Andrade <pandrade>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED ERRATA
QA Contact: Marek Havrila <mhavrila>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.9
CC: jjelen, jreznik, mhavrila, ssorce
Target Milestone: rc
Keywords: OtherQA, Triaged, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-11-23 17:14:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Paulo Andrade 2021-08-30 18:25:28 UTC
Core was generated by `sshd: ...'.
Program terminated with signal 11, Segmentation fault.
#0  __strncpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
296             movdqu  (%rsi), %xmm1
(gdb) bt
#0  __strncpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
#1  0x0000556810c56821 in strncpy (__len=118, __src=<optimized out>, __dest=0x7fff959b3d30 "") at /usr/include/bits/string3.h:120
#2  krb5_cleanup_proc (authctxt=authctxt@entry=0x55681228a4f0) at auth-krb5.c:270
#3  0x0000556810c5702d in auth_krb5_password (authctxt=authctxt@entry=0x55681228a4f0, password=password@entry=0x556812299f10 "...") at auth-krb5.c:249
#4  0x0000556810c3a82b in auth_password (authctxt=0x55681228a4f0, password=password@entry=0x556812299f10 "...") at auth-passwd.c:104
#5  0x0000556810c50c02 in mm_answer_authpassword (sock=7, m=0x7fff959b3f60) at monitor.c:905
#6  0x0000556810c53439 in monitor_read (pmonitor=pmonitor@entry=0x55681228a7e0, ent=0x556810ef42a0 <mon_dispatch_proto20+96>, pent=pent@entry=0x7fff959b4008) at monitor.c:566
#7  0x0000556810c53bac in monitor_child_preauth (_authctxt=_authctxt@entry=0x55681228a4f0, pmonitor=0x55681228a7e0) at monitor.c:349
#8  0x0000556810c382d4 in privsep_preauth (authctxt=0x55681228a4f0) at sshd.c:667
#9  main (ac=<optimized out>, av=<optimized out>) at sshd.c:2179
(gdb) f 2
#2  krb5_cleanup_proc (authctxt=authctxt@entry=0x55681228a4f0) at auth-krb5.c:270
270                     strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
(gdb) p krb5_ccname
$1 = '\000' <repeats 16 times>, "\065cc_%u)\000ials cac\a\000\000\000\000\000\000\000\000Z\315\006\035\066\325\337@\256)\022hU\000\000@\256)\022hU\000\000\000\000\000\000\000\000\000\000\312\034\a\220W\177\000\000\a\000\000\000\000\000\000\000y\200\215\217W\177\000\000t\000\000\000hU", '\000' <repeats 18 times>, "\360\244(\022hU\000"
(gdb) p authctxt->krb5_ccname
$2 = 0x0

Customer is using:

  default_ccache_name = FILE:/tmp/krb5cc_%u

after some suggestions from previous support cases, otherwise they would have
/tmp filled very quickly with tens of thousands of files.

Since it appears to be a side effect of the Red Hat specific patch
openssh-6.3p1-krb5-use-default_ccache_name.patch, it should have a review,
to at least prevent the NULL pointer dereference.

Comment 3 Dmitry Belyavskiy 2021-08-31 14:39:39 UTC
Yes, it's a bug in the patch. The corresponding patch is removed from RHEL 8, and RHEL 8.4 has the NULL check here, so it's a 7.9-only bug.
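Added illustration, not code from OpenSSH or from the Red Hat patch: a simplified model of the copy in frame #2 of the backtrace next to the NULL-checked form that Comment 3 refers to. The struct and function names are hypothetical stand-ins, the 128-byte buffer size is inferred from the backtrace (strncpy __len=118 plus the "- 10" in the source line), and the sample ccache name is constructed. What the real code puts in the 10 reserved bytes is not shown on this page and is left unused here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the sshd Authctxt fields involved (the real
 * struct has many more members).  krb5_ccname is NULL whenever no Kerberos
 * credential cache was set up for this authentication attempt, which is the
 * state gdb showed: authctxt->krb5_ccname == 0x0. */
struct authctxt_model {
    const char *krb5_ccname;
};

/* Buffer size inferred from the backtrace: strncpy(__len=118) together with
 * "sizeof(krb5_ccname) - 10" in auth-krb5.c:270 gives a 128-byte local. */
#define CCNAME_BUFSZ   128
#define CCNAME_COPYLEN (CCNAME_BUFSZ - 10)

/* Model of the unchecked copy in frame #2.  strncpy() with a NULL source is
 * undefined behaviour and in practice faults on the first load from the
 * source pointer (the "movdqu (%rsi), %xmm1" in frame #0).  Kept only to
 * document the bug; it is never called with a NULL name below. */
static int cleanup_ccname_unchecked(const struct authctxt_model *a, char *out)
{
    strncpy(out, a->krb5_ccname, CCNAME_COPYLEN); /* SIGSEGV if krb5_ccname == NULL */
    out[CCNAME_COPYLEN] = '\0';
    return 1;
}

/* Hardened form: skip the cleanup when no ccache name was recorded, and
 * terminate the buffer explicitly because strncpy() does not when the source
 * is at least CCNAME_COPYLEN bytes long.  Returns 1 if a name was copied and
 * 0 if there was nothing to clean up; out is always a valid C string. */
static int cleanup_ccname_checked(const struct authctxt_model *a, char *out)
{
    out[0] = '\0';
    if (a == NULL || a->krb5_ccname == NULL)
        return 0;
    strncpy(out, a->krb5_ccname, CCNAME_COPYLEN);
    out[CCNAME_COPYLEN] = '\0';
    return 1;
}

int main(void)
{
    char buf[CCNAME_BUFSZ];

    /* Normal case: a ccache name is present (constructed sample value). */
    struct authctxt_model with_cc = { "FILE:/tmp/krb5cc_1000" };
    int copied = cleanup_ccname_unchecked(&with_cc, buf);
    printf("with ccache, unchecked: copied=%d name=%s\n", copied, buf);
    copied = cleanup_ccname_checked(&with_cc, buf);
    printf("with ccache, checked:   copied=%d name=%s\n", copied, buf);

    /* Crash case from the bug: authctxt->krb5_ccname == 0x0.  The unchecked
     * variant would fault here; the checked one reports nothing to do. */
    struct authctxt_model no_cc = { NULL };
    copied = cleanup_ccname_checked(&no_cc, buf);
    printf("without ccache, checked: copied=%d name=\"%s\"\n", copied, buf);
    return 0;
}
```

Note that the check alone fixes the crash, but the explicit terminator matters too: the gdb dump of the local buffer shows it was never zeroed, so a ccache name of 118 or more bytes would have left it unterminated.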

Comment 21 errata-xmlrpc 2021-11-23 17:14:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openssh security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4782