Bug 1999263

Summary:	frequent sshd segfaults
Product:	Red Hat Enterprise Linux 7	Reporter:	Paulo Andrade <pandrade>
Component:	openssh	Assignee:	Dmitry Belyavskiy <dbelyavs>
Status:	CLOSED ERRATA	QA Contact:	Marek Havrila <mhavrila>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	7.9	CC:	jjelen, jreznik, mhavrila, ssorce
Target Milestone:	rc	Keywords:	OtherQA, Triaged, ZStream
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2021-11-23 17:14:49 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Paulo Andrade 2021-08-30 18:25:28 UTC

Core was generated by `sshd: ...'.
Program terminated with signal 11, Segmentation fault.
#0  __strncpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
296             movdqu  (%rsi), %xmm1
(gdb) bt
#0  __strncpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:296
#1  0x0000556810c56821 in strncpy (__len=118, __src=<optimized out>, __dest=0x7fff959b3d30 "") at /usr/include/bits/string3.h:120
#2  krb5_cleanup_proc (authctxt=authctxt@entry=0x55681228a4f0) at auth-krb5.c:270
#3  0x0000556810c5702d in auth_krb5_password (authctxt=authctxt@entry=0x55681228a4f0, password=password@entry=0x556812299f10 "...") at auth-krb5.c:249
#4  0x0000556810c3a82b in auth_password (authctxt=0x55681228a4f0, password=password@entry=0x556812299f10 "...") at auth-passwd.c:104
#5  0x0000556810c50c02 in mm_answer_authpassword (sock=7, m=0x7fff959b3f60) at monitor.c:905
#6  0x0000556810c53439 in monitor_read (pmonitor=pmonitor@entry=0x55681228a7e0, ent=0x556810ef42a0 <mon_dispatch_proto20+96>, pent=pent@entry=0x7fff959b4008) at monitor.c:566
#7  0x0000556810c53bac in monitor_child_preauth (_authctxt=_authctxt@entry=0x55681228a4f0, pmonitor=0x55681228a7e0) at monitor.c:349
#8  0x0000556810c382d4 in privsep_preauth (authctxt=0x55681228a4f0) at sshd.c:667
#9  main (ac=<optimized out>, av=<optimized out>) at sshd.c:2179
(gdb) f 2
#2  krb5_cleanup_proc (authctxt=authctxt@entry=0x55681228a4f0) at auth-krb5.c:270
270                     strncpy(krb5_ccname, authctxt->krb5_ccname, sizeof(krb5_ccname) - 10);
(gdb) p krb5_ccname
$1 = '\000' <repeats 16 times>, "\065cc_%u)\000ials cac\a\000\000\000\000\000\000\000\000Z\315\006\035\066\325\337@\256)\022hU\000\000@\256)\022hU\000\000\000\000\000\000\000\000\000\000\312\034\a\220W\177\000\000\a\000\000\000\000\000\000\000y\200\215\217W\177\000\000t\000\000\000hU", '\000' <repeats 18 times>, "\360\244(\022hU\000"
(gdb) p authctxt->krb5_ccname
$2 = 0x0

Customer is using:

  default_ccache_name = FILE:/tmp/krb5cc_%u

after some suggestions from previous support cases, otherwise they would have
/tmp filled very quickly with tens of thousands of files.

  Since it appears to be a side effect of patch Red Hat specific patch
openssh-6.3p1-krb5-use-default_ccache_name.patch it should have a review,
to at least prevent the NULL pointer dereference.

Comment 3 Dmitry Belyavskiy 2021-08-31 14:39:39 UTC

Yes, it's a bug in the patch. The corresponding patch is removed from RHEL8, and RHEL 8.4 has the NULL check here so it's 7.9-only bug.

Comment 21 errata-xmlrpc 2021-11-23 17:14:49 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: openssh security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4782