Red Hat Bugzilla – Bug 1028643
Connection remains when fork() fails.
Last modified: 2014-10-14 03:39:41 EDT
Description of problem:
Please see upstream bug report at https://bugzilla.mindrot.org/show_bug.cgi?id=2167 . I attached a fix in that report. Please backport to RHEL/Fedora's openssh package when the fix is committed, for this bug actually blocked an unattended ssh session (execution of a batched job) of an enterprise server.

Version-Release number of selected component (if applicable):
Any.

How reproducible:
100% reproducible when fork() in privsep_postauth() fails.

Steps to Reproduce:
1. Build as usual like "rpmbuild -bb openssh.spec".
2. Go to the build directory and replace fork() in privsep_postauth() in sshd.c with -1 and rebuild using "make".
3. Run ./sshd and try to connect as an unprivileged user.

Actual results:
Connection cannot be closed when fork() fails.

Expected results:
Connection should be closed immediately when fork() fails.
Created attachment 822474: fix cleanup in openssh-5.3p1-audit.patch
Please apply this patch on your openssh-5.3p1-audit.patch from src.rpm and check if it helps you.
Hello. Thank you for the patch. The patch fixes the fork() failure case in privsep_postauth() but does not fix the fork() failure case in privsep_preauth(), for pmonitor->m_pid == 0 in the latter function. I don't know whether it is safe to change privsep_preauth() from

    pid = fork();
    if (pid == -1) {
        fatal("fork of unprivileged child failed");
    } else if (pid != 0) {

to

    pmonitor->m_pid = fork();
    if (pmonitor->m_pid == -1) {
        fatal("fork of unprivileged child failed");
    } else if (pmonitor->m_pid != 0) {

like privsep_postauth() does. But at least changing privsep_preauth() like

    pid = fork();
    if (pid == -1) {
+       pmonitor->m_pid = -1;
        fatal("fork of unprivileged child failed");
    } else if (pid != 0) {

can fix the fork() failure case in privsep_preauth(). Regards.
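To make the distinction in the comment above concrete, here is an added C illustration (not sshd's code; the monitor struct, the pipe standing in for the connection fd and the simulated fork() failure are constructed stand-ins): recording the fork() result in m_pid before the failure check lets a cleanup routine close the connection in every outcome without ever passing -1 or 0 to kill().

```c
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
/* Hypothetical stand-in for sshd's monitor state; not sshd's own struct. */
struct monitor {
    pid_t m_pid;   /* 0 = never forked, -1 = fork() failed, > 0 = child pid */
    int   m_sock;  /* constructed stand-in for the connection fd; -1 once closed */
};
/* Record the fork() result in m_pid before checking it, as the fix does, so a
 * later cleanup can distinguish "fork() failed" from "no child yet". */
static int spawn_unprivileged(struct monitor *mon, int simulate_fork_failure)
{
    pid_t pid = simulate_fork_failure ? -1 : fork();
    mon->m_pid = pid;
    if (pid == -1)
        return -1;          /* caller must clean up and drop the connection */
    if (pid == 0)
        _exit(0);           /* child; real sshd would continue unprivileged here */
    return 0;               /* parent */
}
/* Cleanup that is safe for all three m_pid states.  Never hand -1 or 0 to kill():
 * kill(-1, sig) hits every process the caller may signal, kill(0, sig) the group. */
static void monitor_cleanup(struct monitor *mon)
{
    if (mon->m_pid > 0) {
        kill(mon->m_pid, SIGTERM);
        waitpid(mon->m_pid, NULL, 0);   /* reap the child (already exited above) */
    }
    if (mon->m_sock >= 0) {
        close(mon->m_sock);
        mon->m_sock = -1;
    }
}
/* Drive one scenario on a constructed pipe fd standing in for the connection.
 * Returns spawn_unprivileged()'s result; *mon carries the final state. */
static int run_scenario(int simulate_fork_failure, struct monitor *mon)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -2;
    close(fds[1]);
    mon->m_pid = 0;
    mon->m_sock = fds[0];
    int rc = spawn_unprivileged(mon, simulate_fork_failure);
    monitor_cleanup(mon);   /* runs for both outcomes, so the fd is always closed */
    return rc;
}
```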
Thanks for testing. You are right about privsep_preauth(). I personally would use: @@ -633,7 +683,7 @@ privsep_preauth(Authctxt *authctxt) /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; - pid = fork(); + pmonitor->m_pid = pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { but it's only a cosmetic change. The fix will be included in the update.
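Review bot: with `pmonitor->m_pid = pid = fork();` the parent's pmonitor->m_pid holds -1 (instead of the previous 0) when fork() fails, so any cleanup path that later signals the child through pmonitor->m_pid must test for m_pid > 0 before calling kill(): kill(-1, sig) signals every process the caller is permitted to signal, and kill(0, sig) signals the caller's whole process group. Worth confirming that the cleanup in the audit patch makes that check rather than only testing for 0.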
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2014-1552.html