Dear Maintainer,

I could reproduce the issue in an i386 qemu VM with a downgraded 3.16-3-686-pae kernel.
The attached file contains a debug session.
At the sysenter instruction in function shmdt the signal SIGSYS is received.

Kind regards,
Bernhard


(gdb) bt
#0  shmdt (shmaddr=0xb7740000) at ../sysdeps/unix/sysv/linux/shmdt.c:33
#1  0xb748c35a in cleanup_shm () at ../crypto/rand/rand_unix.c:370
#2  0xb7460fb3 in OPENSSL_cleanup () at ../crypto/init.c:519
#3  OPENSSL_cleanup () at ../crypto/init.c:497
#4  0xb6fdfae0 in __run_exit_handlers (status=0, listp=0xb71883fc <__exit_funcs>, run_list_atexit=true, run_dtors=true) at exit.c:108
#5  0xb6fdfc01 in __GI_exit (status=0) at exit.c:139
#6  0xb774da25 in main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2257

Buster/stable i386 qemu VM 2019-12-07


apt update
apt dist-upgrade
apt install dropbear mc gdb openssh-server-dbgsym libssl1.1-dbgsym
apt build-dep openssh-server


mkdir /home/benutzer/source/openssh-server/orig -p
cd /home/benutzer/source/openssh-server/orig
apt source openssh-server
cd

mkdir /home/benutzer/source/libssl1.1/orig -p
cd /home/benutzer/source/libssl1.1/orig
apt source libssl1.1
cd


wget https://snapshot.debian.org/archive/debian/20141013T184415Z/pool/main/l/linux/linux-image-3.16-3-686-pae_3.16.5-1_i386.deb
dpkg -i linux-image-3.16-3-686-pae_3.16.5-1_i386.deb
reboot # to kernel 3.16


# to have another ssh available
dropbear -p 80


# failed login attempt
Dez 07 15:42:55 debian kernel: audit: type=1326 audit(1575729775.309:3): auid=4294967295 uid=104 gid=65534 ses=4294967295 pid=5227 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=117 compat=0 ip=0xb76fed4c code=0x0
Dez 07 15:42:55 debian sshd[5226]: Accepted password for benutzer from 10.0.2.2 port 48382 ssh2
Dez 07 15:42:55 debian sshd[5226]: fatal: privsep_preauth: preauth child terminated by signal 31


gdb -q --pid $(pidof sshd)

set width 0
set pagination off
directory /home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po
directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.1d/crypto
b fork
b shmget
b shmat
b shmdt
set follow-fork-mode child
cont
bt
info proc
# try to ssh, wait for password prompt, not enter it yet
finish
info proc
bt
cont
info proc
bt
cont
info proc
bt
cont
# enter password
info proc
bt
display/i $pc


root@debian:~# gdb -q --pid $(pidof sshd)
Attaching to process 701
Reading symbols from /usr/sbin/sshd...Reading symbols from /usr/lib/debug/.build-id/e1/d218f3aad351129f185477cd07fa0217f1648f.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libwrap.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libaudit.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libpam.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libselinux.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libsystemd.so.0...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/libcrypto.so.1.1...Reading symbols from /usr/lib/debug/.build-id/fa/b89eb04abddd217b9dcbac3092b22b3316bc85.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libutil.so.1...Reading symbols from /usr/lib/debug/.build-id/00/f2ffae5a7d102f8d638567d0ebbf4a50fe8909.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libcrypt.so.1...Reading symbols from /usr/lib/debug/.build-id/1a/00e365b7690f55dd90ace5de35843ce25d6b35.debug...done.
done.
Reading symbols from /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/libkrb5.so.3...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libcom_err.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/.build-id/44/72898f10b8f6e536025fe764b9245186520cef.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libnsl.so.1...Reading symbols from /usr/lib/debug/.build-id/e7/ef24c10b8f675406ad572c03bb03453a69670c.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libcap-ng.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/.build-id/0a/eba38648f88f71c49aff5cc91e5a696e8ba0ef.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libpcre.so.3...(no debugging symbols found)...done.
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/.build-id/75/c5f4b3fd81f62a7f2fea8f1c091f3aabf81693.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/librt.so.1...Reading symbols from /usr/lib/debug/.build-id/c4/8f25812a51319cbd05b8102b3ce4be0c89266c.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/liblzma.so.5...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/liblz4.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libgcrypt.so.20...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/.build-id/33/f342e4e7272869f07e4621eba7b6c22f92ac08.debug...done.
done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Reading symbols from /usr/lib/i386-linux-gnu/libk5crypto.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/libkrb5support.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libkeyutils.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libresolv.so.2...Reading symbols from /usr/lib/debug/.build-id/1a/267fbbfeab306634bbb88cec081e66948b3be0.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libgpg-error.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...Reading symbols from /usr/lib/debug/.build-id/56/97b1b879c9bfb626321b41573ac4ba4079726b.debug...done.
done.
0xb7789d4c in __kernel_vsyscall ()
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po
Source directories searched: /home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po:$cdir:$cwd
(gdb) directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.1d/crypto
Source directories searched: /home/benutzer/source/libssl1.1/orig/openssl-1.1.1d/crypto:/home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po:$cdir:$cwd
(gdb) b fork
Breakpoint 1 at 0xb70e7a30: file ../sysdeps/nptl/fork.c, line 56.
(gdb) b shmget
Breakpoint 2 at 0xb7123900: file ../sysdeps/unix/sysv/linux/shmget.c, line 33.
(gdb) b shmat
Breakpoint 3 at 0xb7123850: file ../sysdeps/unix/sysv/linux/shmat.c, line 30.
(gdb) b shmdt
Breakpoint 4 at 0xb71238c0: file ../sysdeps/unix/sysv/linux/shmdt.c, line 33.
(gdb) set follow-fork-mode child
(gdb) cont
Continuing.

Breakpoint 1, __libc_fork () at ../sysdeps/nptl/fork.c:56
56      ../sysdeps/nptl/fork.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __libc_fork () at ../sysdeps/nptl/fork.c:56
#1  0xb77c1979 in server_accept_loop (sock_in=<optimized out>, sock_out=<optimized out>, newsock=<optimized out>, config_s=<optimized out>) at ../../sshd.c:1300
#2  0xb77bf33b in main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2003
(gdb) info proc
process 701
cmdline = '/usr/sbin/sshd -D'
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) finish
Run till exit from #0  __libc_fork () at ../sysdeps/nptl/fork.c:56
[Attaching after Thread 0xb6d98800 (LWP 701) fork to child process 14352]
[New inferior 2 (process 14352)]
[Detaching after fork from parent process 701]
[Inferior 1 (process 701) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
process 14352 is executing new program: /usr/sbin/sshd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[Switching to Thread 0xb6d1f800 (LWP 14352)]

Thread 2.1 "sshd" hit Breakpoint 2, shmget (key=114, size=1, shmflg=0) at ../sysdeps/unix/sysv/linux/shmget.c:33
33      ../sysdeps/unix/sysv/linux/shmget.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14352
cmdline = '/usr/sbin/sshd -D -R'
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  shmget (key=114, size=1, shmflg=0) at ../sysdeps/unix/sysv/linux/shmget.c:33
#1  0xb748c3be in wait_random_seeded () at ../crypto/rand/rand_unix.c:391
#2  0xb748c7dd in rand_pool_acquire_entropy (pool=0xb92e9e80) at ../crypto/rand/rand_unix.c:611
#3  0xb748bbcd in rand_drbg_get_entropy (drbg=<optimized out>, pout=0xbfce72b8, entropy=256, min_len=32, max_len=2147483647, prediction_resistance=0) at ../crypto/rand/rand_lib.c:198
#4  0xb7489bb9 in RAND_DRBG_instantiate (drbg=0xb92e6ca0, pers=0xb752687c <ossl_pers_string> "OpenSSL NIST SP 800-90A DRBG", perslen=28) at ../crypto/rand/drbg_lib.c:338
#5  0xb748aa3b in drbg_setup (parent=parent@entry=0x0) at ../crypto/rand/drbg_lib.c:895
#6  0xb748aae7 in do_rand_drbg_init () at ../crypto/rand/drbg_lib.c:924
#7  do_rand_drbg_init_ossl_ () at ../crypto/rand/drbg_lib.c:909
#8  0xb6dbe4c5 in __pthread_once_slow (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:116
#9  0xb6dbe53d in __GI___pthread_once (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:143
#10 0xb74b892c in CRYPTO_THREAD_run_once (once=0xb75e5628 <rand_drbg_init>, init=0xb748aa70 <do_rand_drbg_init_ossl_>) at ../crypto/threads_pthread.c:118
#11 0xb748ac92 in RAND_DRBG_get0_master () at ../crypto/rand/drbg_lib.c:1102
#12 0xb748acd5 in drbg_status () at ../crypto/rand/drbg_lib.c:1084
#13 0xb77a745e in seed_rng () at ../../entropy.c:238
#14 0xb774b26a in main (ac=<optimized out>, av=0xb92d7370) at ../../sshd.c:1696
(gdb) cont
Continuing.

Thread 2.1 "sshd" hit Breakpoint 3, shmat (shmid=0, shmaddr=0x0, shmflg=4096) at ../sysdeps/unix/sysv/linux/shmat.c:30
30      ../sysdeps/unix/sysv/linux/shmat.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14352
cmdline = '/usr/sbin/sshd -D -R'
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  shmat (shmid=0, shmaddr=0x0, shmflg=4096) at ../sysdeps/unix/sysv/linux/shmat.c:30
#1  0xb748c3e4 in wait_random_seeded () at ../crypto/rand/rand_unix.c:436
#2  0xb748c7dd in rand_pool_acquire_entropy (pool=0xb92e9e80) at ../crypto/rand/rand_unix.c:611
#3  0xb748bbcd in rand_drbg_get_entropy (drbg=<optimized out>, pout=0xbfce72b8, entropy=256, min_len=32, max_len=2147483647, prediction_resistance=0) at ../crypto/rand/rand_lib.c:198
#4  0xb7489bb9 in RAND_DRBG_instantiate (drbg=0xb92e6ca0, pers=0xb752687c <ossl_pers_string> "OpenSSL NIST SP 800-90A DRBG", perslen=28) at ../crypto/rand/drbg_lib.c:338
#5  0xb748aa3b in drbg_setup (parent=parent@entry=0x0) at ../crypto/rand/drbg_lib.c:895
#6  0xb748aae7 in do_rand_drbg_init () at ../crypto/rand/drbg_lib.c:924
#7  do_rand_drbg_init_ossl_ () at ../crypto/rand/drbg_lib.c:909
#8  0xb6dbe4c5 in __pthread_once_slow (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:116
#9  0xb6dbe53d in __GI___pthread_once (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:143
#10 0xb74b892c in CRYPTO_THREAD_run_once (once=0xb75e5628 <rand_drbg_init>, init=0xb748aa70 <do_rand_drbg_init_ossl_>) at ../crypto/threads_pthread.c:118
#11 0xb748ac92 in RAND_DRBG_get0_master () at ../crypto/rand/drbg_lib.c:1102
#12 0xb748acd5 in drbg_status () at ../crypto/rand/drbg_lib.c:1084
#13 0xb77a745e in seed_rng () at ../../entropy.c:238
#14 0xb774b26a in main (ac=<optimized out>, av=0xb92d7370) at ../../sshd.c:1696
(gdb) cont
Continuing.

Thread 2.1 "sshd" hit Breakpoint 1, __libc_fork () at ../sysdeps/nptl/fork.c:56
56      ../sysdeps/nptl/fork.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14352
cmdline = 'sshd: [accepted] '
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  __libc_fork () at ../sysdeps/nptl/fork.c:56
#1  0xb774cfdc in privsep_preauth (authctxt=0xb92efd10) at ../../sshd.c:596
#2  main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2236
(gdb) cont
Continuing.
[Attaching after Thread 0xb6d1f800 (LWP 14352) fork to child process 14353]
[New inferior 3 (process 14353)]
[Detaching after fork from parent process 14352]
[Inferior 2 (process 14352) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[Switching to Thread 0xb6d1f800 (LWP 14353)]

Thread 3.1 "sshd" hit Breakpoint 4, shmdt (shmaddr=0xb7740000) at ../sysdeps/unix/sysv/linux/shmdt.c:33
33      ../sysdeps/unix/sysv/linux/shmdt.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14353
cmdline = 'sshd: benutzer [net]'
cwd = '/run/sshd'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  shmdt (shmaddr=0xb7740000) at ../sysdeps/unix/sysv/linux/shmdt.c:33
#1  0xb748c35a in cleanup_shm () at ../crypto/rand/rand_unix.c:370
#2  0xb7460fb3 in OPENSSL_cleanup () at ../crypto/init.c:519
#3  OPENSSL_cleanup () at ../crypto/init.c:497
#4  0xb6fdfae0 in __run_exit_handlers (status=0, listp=0xb71883fc <__exit_funcs>, run_list_atexit=true, run_dtors=true) at exit.c:108
#5  0xb6fdfc01 in __GI_exit (status=0) at exit.c:139
#6  0xb774da25 in main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2257
(gdb) display/i $pc
1: x/i $pc
=> 0xb70aa8c0 <shmdt>:  xor %edx,%edx
(gdb) nexti
0xb70aa8c2      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c2 <shmdt+2>:  push %edi
(gdb)
0xb70aa8c3      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c3 <shmdt+3>:  mov $0x75,%eax
(gdb)
0xb70aa8c8      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c8 <shmdt+8>:  push %esi
(gdb)
0xb70aa8c9      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c9 <shmdt+9>:  mov %edx,%ecx
(gdb)
0xb70aa8cb      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8cb <shmdt+11>:  mov %edx,%esi
(gdb)
0xb70aa8cd      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8cd <shmdt+13>:  push %ebx
(gdb)
0xb70aa8ce      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8ce <shmdt+14>:  mov $0x16,%ebx
(gdb)
0xb70aa8d3      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8d3 <shmdt+19>:  mov 0x10(%esp),%edi
(gdb)
0xb70aa8d7      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8d7 <shmdt+23>:  call *%gs:0x10
(gdb)
0xb7716d3c in ?? ()
1: x/i $pc
=> 0xb7716d3c:  push %ecx
(gdb)
0xb7716d3d in ?? ()
1: x/i $pc
=> 0xb7716d3d:  push %edx
(gdb)
0xb7716d3e in ?? ()
1: x/i $pc
=> 0xb7716d3e:  push %ebp
(gdb)
0xb7716d3f in ?? ()
1: x/i $pc
=> 0xb7716d3f:  mov %esp,%ebp
(gdb)
0xb7716d41 in ?? ()
1: x/i $pc
=> 0xb7716d41:  sysenter
(gdb) bt
#0  0xb7716d41 in ?? ()
#1  0x00000000 in ?? ()
(gdb) stepi

Program terminated with signal SIGSYS, Bad system call.
The program no longer exists.
(gdb) q
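

Added example, not part of the original report or of OpenSSH/OpenSSL: a Python sketch that decodes the kernel audit line quoted above (type=1326 is a seccomp event) together with the ipc() sub-call that the disassembly loads into %ebx. It assumes 32-bit x86 syscall numbering, because this record format carries no arch= field; the function and table names are illustrative.

```python
import re

# Audit record copied from the report (journal prefix dropped).
SAMPLE = ('audit: type=1326 audit(1575729775.309:3): auid=4294967295 uid=104 '
          'gid=65534 ses=4294967295 pid=5227 comm="sshd" exe="/usr/sbin/sshd" '
          'sig=31 syscall=117 compat=0 ip=0xb76fed4c code=0x0')

# Assumption: 32-bit x86 numbering. Both entries are multiplexer syscalls,
# so the number alone does not identify the operation that was attempted.
I386_SYSCALLS = {102: "socketcall", 117: "ipc"}
# Sub-call numbers of ipc(2), as defined in the kernel's linux/ipc.h.
IPC_CALLS = {1: "semop", 2: "semget", 3: "semctl", 4: "semtimedop",
             11: "msgsnd", 12: "msgrcv", 13: "msgget", 14: "msgctl",
             21: "shmat", 22: "shmdt", 23: "shmget", 24: "shmctl"}
SIGNALS = {31: "SIGSYS"}             # Linux x86 signal number
ACTIONS = {0x0: "SECCOMP_RET_KILL"}  # code= is the filter's return action


def parse_seccomp_record(line):
    """Return the key=value fields of a type=1326 record, or None."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if fields.get("type") != "1326":
        return None
    return {k: v.strip('"') for k, v in fields.items()}


def explain(line, ebx=None):
    """Summarise a seccomp kill; ebx is the first syscall argument if known."""
    rec = parse_seccomp_record(line)
    if rec is None:
        return None
    nr = int(rec["syscall"])
    name = I386_SYSCALLS.get(nr, "nr %d" % nr)
    out = {"comm": rec["comm"], "pid": int(rec["pid"]),
           "signal": SIGNALS.get(int(rec["sig"]), rec["sig"]),
           "action": ACTIONS.get(int(rec["code"], 16), rec["code"]),
           "syscall": name}
    if name == "ipc" and ebx is not None:
        # The low 16 bits select the operation; the high bits carry a version.
        out["ipc_op"] = IPC_CALLS.get(ebx & 0xFFFF, "unknown")
    return out


if __name__ == "__main__":
    # 0x16 is the value moved into %ebx at shmdt+14 in the session above.
    print(explain(SAMPLE, ebx=0x16))
```

The audit record only names the multiplexer (syscall 117); the shmdt operation is recovered from the register value seen in the debugger.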