Bug 2181440

Summary: openssh-8.7p1-12 and higher has sshd crash issue
Product: Red Hat Enterprise Linux 9
Reporter: v-zhenpy <v-zhenpy>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 9.0
CC: dbelyavs, jjelen
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-03-27 10:46:48 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description v-zhenpy 2023-03-24 06:30:01 UTC
Description of problem:
sshd crash for openssh-8.7p1-12 and higher
I also filed an issue here: https://issues.redhat.com/browse/RHEL-321

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. install openssh-8.7p1-12 or higher
2. trigger the issue described in the upstream commit "fix double-free caused by compat_kex_proposal(); bz3522" (openssh/openssh-portable@12da782):
https://github.com/openssh/openssh-portable/commit/12da7823336434a403f25c7cc0c2c6aed0737a35?diff=unified
3. sshd crashes due to a double free

Actual results:
sshd crash.

Expected results:
no crash.

Additional info:
The issue is due to this commit: "Fix several memory leaks" (585620b0) in Red Hat / centos-stream / rpms / openssh on GitLab:
https://gitlab.com/redhat/centos-stream/rpms/openssh/-/commit/585620b0f1c4cde591c1110e1cb1e7822ee0088b

I tried a patch and it fixed the issue.
cat openssh-8.7p1-mem-leak2.patch
diff --color -rup a/compat.c b/compat.c
--- a/compat.c  2022-07-14 17:39:23.770268440 +0200
+++ b/compat.c  2023-03-23 17:39:23.770268440 +0200
@@ -191,26 +191,26 @@ compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop)
 char *
 compat_kex_proposal(struct ssh *ssh, char *p)
 {
-       char *cp = NULL;
+       char *cp = NULL, *cp2 = NULL;

        if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0)
                return xstrdup(p);
        debug2_f("original KEX proposal: %s", p);
        if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0)
-               if ((p = match_filter_denylist(p,
+               if ((cp = match_filter_denylist(p,
                    "curve25519-sha256")) == NULL)
                        fatal("match_filter_denylist failed");
        if ((ssh->compat & SSH_OLD_DHGEX) != 0) {
-               cp = p;
-               if ((p = match_filter_denylist(p,
+               if ((cp2 = match_filter_denylist(cp ? cp : p,
                    "diffie-hellman-group-exchange-sha256,"
                    "diffie-hellman-group-exchange-sha1")) == NULL)
                        fatal("match_filter_denylist failed");
                free(cp);
+               cp = cp2;
        }
-       debug2_f("compat KEX proposal: %s", p);
-       if (*p == '\0')
+       if (cp == NULL || *cp == '\0')
                fatal("No supported key exchange algorithms found");
-       return p;
+       debug2_f("compat KEX proposal: %s", cp);
+       return cp;
 }
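Review bot: the ownership fix is right: in the SSH_OLD_DHGEX branch `free(cp)` now only ever frees a buffer this function allocated itself (`cp` stays NULL unless the curve25519 filter ran), so the caller's `p` is no longer freed here, which was the double free. Two small points: the `cp == NULL` half of `if (cp == NULL || *cp == '\0')` is unreachable, because the early `return xstrdup(p)` guarantees that at least one of the two filters ran, so it is purely defensive; and `debug2_f("compat KEX proposal: %s", cp)` now runs after the empty-proposal check instead of before it, so a proposal that ends up empty is no longer logged before `fatal()`. If that trace was useful when diagnosing the failure, keep the debug line ahead of the check.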

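The repair the patch makes is easiest to see with the ownership rule spelled out: the caller keeps `p`, and the function may only free buffers it allocated itself. The following is an added example, not code from the bug report or from OpenSSH; `filter_denylist` (a model of `match_filter_denylist`), `compat_kex_proposal_fixed`, the flag values and the sample proposal are stand-ins constructed for it, and it returns NULL where sshd would call `fatal()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SSH_BUG_CURVE25519PAD 0x01  /* constructed stand-ins for sshd's compat bits */
#define SSH_OLD_DHGEX         0x02
/* Model of match_filter_denylist(): returns a fresh copy of `proposal` without the
 * exact entries named in comma-separated `deny`; the caller keeps ownership of `proposal`. */
static char *filter_denylist(const char *proposal, const char *deny)
{
    char *out = calloc(strlen(proposal) + 1, 1);
    if (out == NULL) return NULL;
    for (const char *t = proposal; *t != '\0'; t += strcspn(t, ","), t += (*t == ',')) {
        size_t n = strcspn(t, ","); int denied = 0;
        for (const char *q = deny; *q != '\0'; q += strcspn(q, ","), q += (*q == ','))
            if (strcspn(q, ",") == n && strncmp(q, t, n) == 0) denied = 1;
        if (denied || n == 0) continue;             /* drop denied or empty entries */
        if (*out != '\0') strcat(out, ",");
        strncat(out, t, n);
    }
    return out;
}
/* Patched compat_kex_proposal() logic from the report (`compat` stands in for ssh->compat,
 * NULL for fatal()). free() only ever sees this function's own buffer, never the caller's p. */
char *compat_kex_proposal_fixed(int compat, const char *p)
{
    char *cp = NULL, *cp2 = NULL;
    if ((compat & (SSH_BUG_CURVE25519PAD | SSH_OLD_DHGEX)) == 0)
        return filter_denylist(p, "");              /* plain copy, like xstrdup(p) */
    if ((compat & SSH_BUG_CURVE25519PAD) != 0 &&
        (cp = filter_denylist(p, "curve25519-sha256")) == NULL)
        return NULL;
    if ((compat & SSH_OLD_DHGEX) != 0) {
        cp2 = filter_denylist(cp ? cp : p, "diffie-hellman-group-exchange-sha256,"
                                            "diffie-hellman-group-exchange-sha1");
        free(cp);                                   /* NULL or ours, never p */
        if ((cp = cp2) == NULL) return NULL;
    }
    if (*cp == '\0') { free(cp); return NULL; }     /* no supported KEX left */
    return cp;
}
int main(void)
{   /* constructed proposal; p stays the caller's to free after every call */
    const char *p = "curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256";
    for (int f = 0; f < 4; f++) {
        char *r = compat_kex_proposal_fixed(f, p);
        printf("compat=%d -> %s\n", f, r ? r : "(fatal)");
        free(r);
    }
    return 0;
}
```

Running it prints the proposal for all four flag combinations; the last one strips both filtered families and leaves only diffie-hellman-group14-sha256, and `p` is still valid afterwards in every case.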
Comment 1 Dmitry Belyavskiy 2023-03-27 10:46:48 UTC
Many thanks for your report! We are aware of this problem and are tracking it via a different issue.

*** This bug has been marked as a duplicate of bug 2173669 ***

Comment 2 v-zhenpy 2023-03-28 02:53:55 UTC
Thanks @dbelyavs! BTW, I don't have access to bug 2173669; if you have any update or fix, could you share it with us here? Thank you!