Bug 1028643 - Connection remains when fork() fails.
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openssh
Severity: medium
Assigned To: Petr Lautrbach
Patrik Kis
Blocks: 1070830
Reported: 2013-11-08 19:50 EST by Tetsuo Handa
Modified: 2014-10-14 03:39 EDT
Fixed In Version: openssh-5.3p1-97.el6
Doc Type: Bug Fix
Clone Of:
: 1029074
Last Closed: 2014-10-14 03:39:41 EDT
Type: Bug

Attachments
fix cleanup in openssh-5.3p1-audit.patch (641 bytes, patch)
2013-11-11 10:33 EST, Petr Lautrbach
Description Tetsuo Handa 2013-11-08 19:50:00 EST
Description of problem:

Please see upstream bug report at https://bugzilla.mindrot.org/show_bug.cgi?id=2167 .
I attached a fix in that report. Please backport to RHEL/Fedora's openssh
package when the fix is committed, for this bug actually blocked an unattended
ssh session (execution of batched job) of an enterprise server.

Version-Release number of selected component (if applicable):


How reproducible:

100% reproducible when fork() in privsep_postauth() fails.

Steps to Reproduce:

1. Build as usual like "rpmbuild -bb openssh.spec".
2. Go to the build directory and replace fork() in privsep_postauth() in sshd.c
   with -1 and rebuild using "make".
3. Run ./sshd and try to connect as an unprivileged user.

Actual results:

Connection cannot be closed when fork() fails.

Expected results:

Connection should be closed immediately when fork() fails.
Comment 2 Petr Lautrbach 2013-11-11 10:33:52 EST
Created attachment 822474
fix cleanup in openssh-5.3p1-audit.patch

Please apply this patch on your openssh-5.3p1-audit.patch from src.rpm and check if it helps you.
Comment 3 Tetsuo Handa 2013-11-12 00:47:15 EST
Hello. Thank you for the patch.

The patch fixes fork() failure case in privsep_postauth() but does not fix
fork() failure case in privsep_preauth(), for pmonitor->m_pid == 0 in the
latter function.

I don't know whether it is safe to change privsep_preauth() from

  pid = fork();
  if (pid == -1) {
    fatal("fork of unprivileged child failed");
  } else if (pid != 0) {

to

  pmonitor->m_pid = fork();
  if (pmonitor->m_pid == -1) {
    fatal("fork of unprivileged child failed");
  } else if (pmonitor->m_pid != 0) {

like privsep_postauth() does. But at least changing privsep_preauth() like

   pid = fork();
   if (pid == -1) {
+    pmonitor->m_pid = -1
     fatal("fork of unprivileged child failed");
   } else if (pid != 0) {
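
Review bot: the added line `pmonitor->m_pid = -1` has no terminating semicolon, so the snippet will not compile as written; it needs to be `pmonitor->m_pid = -1;`. A one-line comment on why m_pid has to be set before fatal() would also help, because the cleanup code that depends on it is not visible at this point in the function.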

can fix fork() failure case in privsep_preauth().

Comment 4 Petr Lautrbach 2013-11-12 10:38:16 EST
Thanks for testing. You are right about privsep_preauth(). I personally would use:

@@ -633,7 +683,7 @@ privsep_preauth(Authctxt *authctxt)
 	/* Store a pointer to the kex for later rekeying */
 	pmonitor->m_pkex = &xxx_kex;
-	pid = fork();
+	pmonitor->m_pid = pid = fork();
 	if (pid == -1) {
 		fatal("fork of unprivileged child failed");
 	} else if (pid != 0) {
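
Review bot: the chained assignment `pmonitor->m_pid = pid = fork();` writes every fork() outcome into m_pid, including -1 on failure and 0 in the child, and nothing in the hunk says which of these the fatal() path relies on. Add a short comment above it stating that m_pid must be set before fatal() runs, so that a later refactor does not turn it back into a plain local assignment.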

but it's only a cosmetic change. The fix will be included in the update.
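
The following C model is an added example, not code from this thread or from OpenSSH, illustrating the point made in Comments 3 and 4: a zero m_pid is indistinguishable from "I am the forked child" when fork() fails before m_pid is written. `struct monitor`, `cleanup_role()`, the `fork_*` stubs, the pid 4242 and the rule that cleanup decides from m_pid alone are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-in for sshd's monitor state; only m_pid is from the thread. */
struct monitor { pid_t m_pid; };

enum role { ROLE_CHILD, ROLE_MONITOR, ROLE_FORK_FAILED };

/* Assumed cleanup decision: who is exiting, judged from m_pid alone. */
enum role cleanup_role(const struct monitor *m)
{
    if (m->m_pid == 0)
        return ROLE_CHILD;          /* fork() returns 0 in the child */
    if (m->m_pid == -1)
        return ROLE_FORK_FAILED;    /* no child exists */
    return ROLE_MONITOR;
}

/* Injected fork() results, mirroring reproduction step 2 (fork() replaced by -1). */
typedef pid_t (*fork_fn)(void);
pid_t fork_fails(void)  { return -1; }
pid_t fork_child(void)  { return 0; }
pid_t fork_parent(void) { return 4242; }   /* constructed pid */

/* Before the fix: the result lives in a local, so m_pid stays 0 on failure. */
enum role preauth_before(fork_fn do_fork)
{
    struct monitor m = { 0 };
    pid_t pid = do_fork();
    if (pid > 0)
        m.m_pid = pid;              /* assumed: parent records the child pid */
    return cleanup_role(&m);        /* what cleanup would see, also after fatal() */
}

/* Comment 4 variant: m_pid takes the fork() result, -1 included. */
enum role preauth_after(fork_fn do_fork)
{
    struct monitor m = { 0 };
    pid_t pid;
    m.m_pid = pid = do_fork();
    (void)pid;
    return cleanup_role(&m);
}

int main(void)
{
    printf("before, fork fails: %d\n", preauth_before(fork_fails));
    printf("after,  fork fails: %d\n", preauth_after(fork_fails));
    return 0;
}
```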
Comment 10 errata-xmlrpc 2014-10-14 03:39:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

