Hello,

I am no maintainer, just tried to reproduce this issue, which I could inside a minimal Bullseye amd64 qemu VM with the instructions from the linked Ubuntu bug.

I could not reproduce it within Bookworm or Trixie/testing. Without "LogLevel DEBUG" it was also not observable. Unfortunately it also did not happen with an ssh package built with asan enabled.

And I upgraded step by step via snapshot.d.o; around 2021-11-15 it stopped being an issue. This step brought openssh 8.7p1-1. Downgrading just openssh to 8.4p1-6 in this exact VM showed it again.

Therefore I assume this issue got fixed between openssh 8.4p1-6 and 8.7p1-1.

Kind regards,
Bernhard

#13 <signal handler called>
#14 malloc_consolidate (av=av@entry=0x7faa3b64cb80 <main_arena>) at malloc.c:4518
#15 0x00007faa3b5023d5 in _int_malloc (av=av@entry=0x7faa3b64cb80 <main_arena>, bytes=bytes@entry=8193) at malloc.c:3699
#16 0x00007faa3b503063 in malloc_check (sz=8192, caller=<optimized out>) at hooks.c:239
#17 0x00007faa3b504cea in __libc_calloc (n=n@entry=1, elem_size=elem_size@entry=8192) at malloc.c:3387
#18 0x00007faa3b4f6ef4 in __GI___open_memstream (bufloc=bufloc@entry=0x7ffe636eb6e0, sizeloc=sizeloc@entry=0x7ffe636eb6e8) at memstream.c:83
#19 0x00007faa3b5726e1 in __vsyslog_internal (pri=39, fmt=0x55b451dcb150 "%.500s", ap=0x7ffe636eb7d0, mode_flags=2) at ../misc/syslog.c:181
#20 0x00007faa3b572d5f in __syslog_chk (pri=pri@entry=7, flag=flag@entry=1, fmt=fmt@entry=0x55b451dcb150 "%.500s") at ../misc/syslog.c:136
#21 0x000055b451d87e16 in syslog (__fmt=0x55b451dcb150 "%.500s", __pri=7) at /usr/include/x86_64-linux-gnu/bits/syslog.h:31
#22 do_log (level=level@entry=SYSLOG_LEVEL_DEBUG1, fmt=fmt@entry=0x55b451dba421 "Forked child %ld.", args=args@entry=0x7ffe636ec110) at ../../log.c:484
#23 0x000055b451d88254 in debug (fmt=fmt@entry=0x55b451dba421 "Forked child %ld.") at ../../log.c:229
#24 0x000055b451d3c86e in server_accept_loop (config_s=0x7ffe636ec270, newsock=<synthetic pointer>, sock_out=<synthetic pointer>, sock_in=<synthetic pointer>) at ../../sshd.c:1377
#25 main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2089

# 2024-04-23 Bullseye/stable amd64 qemu VM

apt update
apt dist-upgrade
apt install systemd-coredump moreutils parallel htop fakeroot mc ccache gdb openssh-server-dbgsym
apt build-dep glibc
apt build-dep openssh-server

mkdir /home/benutzer/source/glibc/orig -p
cd /home/benutzer/source/glibc/orig
apt source glibc

mkdir /home/benutzer/source/openssh-server/orig -p
cd /home/benutzer/source/openssh-server/orig
apt source openssh-server

sed -i.bak 's/#LogLevel INFO/LogLevel DEBUG/g' /etc/ssh/sshd_config
systemctl restart sshd

ssh-keygen -b 4096
ssh-copy-id -i .ssh/id_rsa.pub benutzer@localhost

parallel -j 32 -N0 "ssh benutzer@localhost 'true'" ::: {1..20000}

benutzer@debian:~/.ssh$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/benutzer/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/benutzer/.ssh/id_rsa
Your public key has been saved in /home/benutzer/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Hgx6dUtFBhKiI0wBYKtXMkwZeRcP/eEZCUsU69bbO+o benutzer@debian
The key's randomart image is:
+---[RSA 4096]----+
|+o== ++B+.++ |
|.=+ ...=.++o |
| .*.+.. =oo+ |
|. = o = ++. |
|. . . . S o |
| . . o . o |
| . . . |
| .. |
| .E... |
+----[SHA256]-----+

benutzer@debian:~$ ssh-copy-id -i .ssh/id_rsa.pub benutzer@localhost
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
benutzer@localhost's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'benutzer@localhost'"
and check to make sure that only the key(s) you wanted were added.

parallel -j 800 -N0 "ssh benutzer@localhost 'mount; sleep 1; cat /proc/cpuinfo; free -h; dd if=/dev/zero of=/dev/null bs=1 count=8192; mount -av; sleep $(($RANDOM % 5)); lscpu'" ::: {1..10000}

# AMD Ryzen 1700, VM, 16 threads
root@debian:~# coredumpctl list
TIME                            PID     UID   GID SIG COREFILE  EXE
Tue 2024-04-23 00:20:53 CEST  124297     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 00:23:02 CEST  159284     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 00:23:47 CEST  229261     0     0  11 present   /usr/sbin/sshd
Tue 2024-04-23 00:24:32 CEST  277265     0     0  11 present   /usr/sbin/sshd
Tue 2024-04-23 00:24:54 CEST  301567     0     0   6 present   /usr/sbin/sshd

root@debian:~# coredumpctl gdb 301567
           PID: 301567 (sshd)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 6 (ABRT)
     Timestamp: Tue 2024-04-23 00:24:53 CEST (47s ago)
  Command Line: sshd: /usr/sbin/sshd -D [listener] 4 of 10-100 startups
    Executable: /usr/sbin/sshd
 Control Group: /system.slice/ssh.service
          Unit: ssh.service
         Slice: system.slice
       Boot ID: 1fd259cc2ed747a9aaef76e977b483f0
    Machine ID: a149817c9a8c4bbda2c4be3e7ba0d6ed
      Hostname: debian
       Storage: /var/lib/systemd/coredump/core.sshd.0.1fd259cc2ed747a9aaef76e977b483f0.301567.1713824693000000.zst
       Message: Process 301567 (sshd) of user 0 dumped core.

                Stack trace of thread 301567:
                #0  0x00007ff6d30c9ce1 __GI_raise (libc.so.6 + 0x38ce1)
                #1  0x00007ff6d30b3537 __GI_abort (libc.so.6 + 0x22537)
                #2  0x00007ff6d310b3e8 __libc_message (libc.so.6 + 0x7a3e8)
                #3  0x00007ff6d31126da malloc_printerr (libc.so.6 + 0x816da)
                #4  0x00007ff6d31159f4 _int_malloc (libc.so.6 + 0x849f4)
                #5  0x00007ff6d3117b51 __libc_calloc (libc.so.6 + 0x86b51)
                #6  0x00007ff6d3109ef4 __GI___open_memstream (libc.so.6 + 0x78ef4)
                #7  0x00007ff6d31856e1 __vsyslog_internal (libc.so.6 + 0xf46e1)
                #8  0x00007ff6d3185d5f __syslog_chk (libc.so.6 + 0xf4d5f)
                #9  0x0000555e8e15ee16 n/a (sshd + 0x5ae16)
                #10 0x0000555e8e15f254 n/a (sshd + 0x5b254)
                #11 0x0000555e8e1154b6 n/a (sshd + 0x114b6)
                #12 0x00007ff6d30c9d60 __restore_rt (libc.so.6 + 0x38d60)
                #13 0x00007ff6d31134b8 malloc_consolidate (libc.so.6 + 0x824b8)
                #14 0x00007ff6d31153d5 _int_malloc (libc.so.6 + 0x843d5)
                #15 0x00007ff6d3117b51 __libc_calloc (libc.so.6 + 0x86b51)
                #16 0x00007ff6d3109ef4 __GI___open_memstream (libc.so.6 + 0x78ef4)
                #17 0x00007ff6d31856e1 __vsyslog_internal (libc.so.6 + 0xf46e1)
                #18 0x00007ff6d3185d5f __syslog_chk (libc.so.6 + 0xf4d5f)
                #19 0x0000555e8e15ee16 n/a (sshd + 0x5ae16)
                #20 0x0000555e8e15f254 n/a (sshd + 0x5b254)
                #21 0x0000555e8e11386e n/a (sshd + 0xf86e)
                #22 0x00007ff6d30b4d0a __libc_start_main (libc.so.6 + 0x23d0a)
                #23 0x0000555e8e1151ba n/a (sshd + 0x111ba)

GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
...
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/sshd...
(No debugging symbols found in /usr/sbin/sshd)
[New LWP 301567]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `sshd: /usr/sbin/ss'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ff6d30b3537 in __GI_abort () at abort.c:79
#2  0x00007ff6d310b3e8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ff6d3229390 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ff6d31126da in malloc_printerr (str=str@entry=0x7ff6d322bbb8 "malloc(): unsorted double linked list corrupted") at malloc.c:5347
#4  0x00007ff6d31159f4 in _int_malloc (av=av@entry=0x7ff6d325fb80 <main_arena>, bytes=bytes@entry=8192) at malloc.c:3744
#5  0x00007ff6d3117b51 in __libc_calloc (n=n@entry=1, elem_size=elem_size@entry=8192) at malloc.c:3428
#6  0x00007ff6d3109ef4 in __GI___open_memstream (bufloc=bufloc@entry=0x7ffc3c8f8630, sizeloc=sizeloc@entry=0x7ffc3c8f8638) at memstream.c:83
#7  0x00007ff6d31856e1 in __vsyslog_internal (pri=39, fmt=0x555e8e1a2150 "%.500s", ap=0x7ffc3c8f8720, mode_flags=2) at ../misc/syslog.c:181
#8  0x00007ff6d3185d5f in __syslog_chk (pri=<optimized out>, flag=<optimized out>, fmt=<optimized out>) at ../misc/syslog.c:136
#9  0x0000555e8e15ee16 in ?? ()
#10 0x0000555e8e15f254 in ?? ()
#11 0x0000555e8e1154b6 in ?? ()
#12 <signal handler called>
#13 malloc_consolidate (av=av@entry=0x7ff6d325fb80 <main_arena>) at malloc.c:4511
#14 0x00007ff6d31153d5 in _int_malloc (av=av@entry=0x7ff6d325fb80 <main_arena>, bytes=bytes@entry=8192) at malloc.c:3699
#15 0x00007ff6d3117b51 in __libc_calloc (n=n@entry=1, elem_size=elem_size@entry=8192) at malloc.c:3428
#16 0x00007ff6d3109ef4 in __GI___open_memstream (bufloc=bufloc@entry=0x7ffc3c8f98d0, sizeloc=sizeloc@entry=0x7ffc3c8f98d8) at memstream.c:83
#17 0x00007ff6d31856e1 in __vsyslog_internal (pri=39, fmt=0x555e8e1a2150 "%.500s", ap=0x7ffc3c8f99c0, mode_flags=2) at ../misc/syslog.c:181
#18 0x00007ff6d3185d5f in __syslog_chk (pri=<optimized out>, flag=<optimized out>, fmt=<optimized out>) at ../misc/syslog.c:136
#19 0x0000555e8e15ee16 in ?? ()
#20 0x0000555e8e15f254 in ?? ()
#21 0x0000555e8e11386e in ?? ()
#22 0x00007ff6d30b4d0a in __libc_start_main (main=0x555e8e111cf0, argc=2, argv=0x7ffc3c8fade8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc3c8fadd8) at ../csu/libc-start.c:308
#23 0x0000555e8e1151ba in ?? ()
(gdb)

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ff6d30b3537 in __GI_abort () at abort.c:79
#2  0x00007ff6d310b3e8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ff6d3229390 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ff6d31126da in malloc_printerr (str=str@entry=0x7ff6d322bbb8 "malloc(): unsorted double linked list corrupted") at malloc.c:5347
#4  0x00007ff6d31159f4 in _int_malloc (av=av@entry=0x7ff6d325fb80 <main_arena>, bytes=bytes@entry=8192) at malloc.c:3744
#5  0x00007ff6d3117b51 in __libc_calloc (n=n@entry=1, elem_size=elem_size@entry=8192) at malloc.c:3428
#6  0x00007ff6d3109ef4 in __GI___open_memstream (bufloc=bufloc@entry=0x7ffc3c8f8630, sizeloc=sizeloc@entry=0x7ffc3c8f8638) at memstream.c:83
#7  0x00007ff6d31856e1 in __vsyslog_internal (pri=39, fmt=0x555e8e1a2150 "%.500s", ap=0x7ffc3c8f8720, mode_flags=2) at ../misc/syslog.c:181
#8  0x00007ff6d3185d5f in __syslog_chk (pri=pri@entry=7, flag=flag@entry=1, fmt=fmt@entry=0x555e8e1a2150 "%.500s") at ../misc/syslog.c:136
#9  0x0000555e8e15ee16 in syslog (__fmt=0x555e8e1a2150 "%.500s", __pri=7) at /usr/include/x86_64-linux-gnu/bits/syslog.h:31
#10 do_log (level=level@entry=SYSLOG_LEVEL_DEBUG1, fmt=fmt@entry=0x555e8e190fbd "main_sigchld_handler: %s", args=args@entry=0x7ffc3c8f9060) at ../../log.c:484
#11 0x0000555e8e15f254 in debug (fmt=fmt@entry=0x555e8e190fbd "main_sigchld_handler: %s") at ../../log.c:229
#12 0x0000555e8e1154b6 in main_sigchld_handler (sig=17) at ../../sshd.c:360
#13 <signal handler called>
#14 malloc_consolidate (av=av@entry=0x7ff6d325fb80 <main_arena>) at malloc.c:4511
#15 0x00007ff6d31153d5 in _int_malloc (av=av@entry=0x7ff6d325fb80 <main_arena>, bytes=bytes@entry=8192) at malloc.c:3699
#16 0x00007ff6d3117b51 in __libc_calloc (n=n@entry=1, elem_size=elem_size@entry=8192) at malloc.c:3428
#17 0x00007ff6d3109ef4 in __GI___open_memstream (bufloc=bufloc@entry=0x7ffc3c8f98d0, sizeloc=sizeloc@entry=0x7ffc3c8f98d8) at memstream.c:83
#18 0x00007ff6d31856e1 in __vsyslog_internal (pri=39, fmt=0x555e8e1a2150 "%.500s", ap=0x7ffc3c8f99c0, mode_flags=2) at ../misc/syslog.c:181
#19 0x00007ff6d3185d5f in __syslog_chk (pri=pri@entry=7, flag=flag@entry=1, fmt=fmt@entry=0x555e8e1a2150 "%.500s") at ../misc/syslog.c:136
#20 0x0000555e8e15ee16 in syslog (__fmt=0x555e8e1a2150 "%.500s", __pri=7) at /usr/include/x86_64-linux-gnu/bits/syslog.h:31
#21 do_log (level=level@entry=SYSLOG_LEVEL_DEBUG1, fmt=fmt@entry=0x555e8e191421 "Forked child %ld.", args=args@entry=0x7ffc3c8fa300) at ../../log.c:484
#22 0x0000555e8e15f254 in debug (fmt=fmt@entry=0x555e8e191421 "Forked child %ld.") at ../../log.c:229
#23 0x0000555e8e11386e in server_accept_loop (config_s=0x7ffc3c8fa460, newsock=<synthetic pointer>, sock_out=<synthetic pointer>, sock_in=<synthetic pointer>) at ../../sshd.c:1377
#24 main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2089
(gdb) info thread
  Id   Target Id                          Frame
* 1    Thread 0x7ff6d2c9d900 (LWP 301567) __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
(gdb)

root@debian:/var/log# coredumpctl gdb 277265
           PID: 277265 (sshd)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Tue 2024-04-23 00:24:32 CEST (17min ago)
  Command Line: sshd: /usr/sbin/sshd -D [listener] 6 of 10-100 startups
    Executable: /usr/sbin/sshd
 Control Group: /system.slice/ssh.service
          Unit: ssh.service
         Slice: system.slice
       Boot ID: 1fd259cc2ed747a9aaef76e977b483f0
    Machine ID: a149817c9a8c4bbda2c4be3e7ba0d6ed
      Hostname: debian
       Storage: /var/lib/systemd/coredump/core.sshd.0.1fd259cc2ed747a9aaef76e977b483f0.277265.1713824672000000.zst
       Message: Process 277265 (sshd) of user 0 dumped core.

                Stack trace of thread 277265:
                #0  0x00007fb5d3e937a7 _int_free (libc.so.6 + 0x827a7)
                #1  0x00007fb5d3e965af _int_realloc (libc.so.6 + 0x855af)
                #2  0x00007fb5d3e97736 __GI___libc_realloc (libc.so.6 + 0x86736)
                #3  0x00007fb5d3e89e64 _IO_mem_finish (libc.so.6 + 0x78e64)
                #4  0x00007fb5d3e80efd _IO_new_fclose (libc.so.6 + 0x6fefd)
                #5  0x00007fb5d3f057e7 __vsyslog_internal (libc.so.6 + 0xf47e7)
                #6  0x00007fb5d3f05d5f __syslog_chk (libc.so.6 + 0xf4d5f)
                #7  0x000056494d734e16 n/a (sshd + 0x5ae16)
                #8  0x000056494d735254 n/a (sshd + 0x5b254)
                #9  0x000056494d6e986e n/a (sshd + 0xf86e)
                #10 0x00007fb5d3e34d0a __libc_start_main (libc.so.6 + 0x23d0a)
                #11 0x000056494d6eb1ba n/a (sshd + 0x111ba)

GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
...
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/sshd...
Reading symbols from /usr/lib/debug/.build-id/d7/1ef5505229d585281cb949a536e6d1c1749a77.debug...
[New LWP 277265]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `sshd: /usr/sbin/ss'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  _int_free (av=0x7fb5d3fdfb80 <main_arena>, p=0x56494f3bf890, have_lock=<optimized out>) at malloc.c:4341
4341    malloc.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  _int_free (av=0x7fb5d3fdfb80 <main_arena>, p=0x56494f3bf890, have_lock=<optimized out>) at malloc.c:4341
#1  0x00007fb5d3e965af in _int_realloc (av=av@entry=0x7fb5d3fdfb80 <main_arena>, oldp=oldp@entry=0x56494f3bf840, oldsize=oldsize@entry=8208, nb=80) at malloc.c:4644
#2  0x00007fb5d3e97736 in __GI___libc_realloc (oldmem=0x56494f3bf850, bytes=63) at malloc.c:3226
#3  0x00007fb5d3e89e64 in _IO_mem_finish (fp=0x56494f3a5ff0, dummy=<optimized out>) at memstream.c:131
#4  0x00007fb5d3e80efd in _IO_new_fclose (fp=fp@entry=0x56494f3a5ff0) at libioP.h:948
#5  0x00007fb5d3f057e7 in __vsyslog_internal (pri=<optimized out>, fmt=0x56494d778150 "%.500s", ap=0x7fffc4954d70, mode_flags=2) at ../misc/syslog.c:237
#6  0x00007fb5d3f05d5f in __syslog_chk (pri=pri@entry=7, flag=flag@entry=1, fmt=fmt@entry=0x56494d778150 "%.500s") at ../misc/syslog.c:136
#7  0x000056494d734e16 in syslog (__fmt=0x56494d778150 "%.500s", __pri=7) at /usr/include/x86_64-linux-gnu/bits/syslog.h:31
#8  do_log (level=level@entry=SYSLOG_LEVEL_DEBUG1, fmt=fmt@entry=0x56494d767421 "Forked child %ld.", args=args@entry=0x7fffc49556b0) at ../../log.c:484
#9  0x000056494d735254 in debug (fmt=fmt@entry=0x56494d767421 "Forked child %ld.") at ../../log.c:229
#10 0x000056494d6e986e in server_accept_loop (config_s=0x7fffc4955810, newsock=<synthetic pointer>, sock_out=<synthetic pointer>, sock_in=<synthetic pointer>) at ../../sshd.c:1377
#11 main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2089
(gdb)

cp -a /etc/default/ssh /etc/default/ssh.orig
echo "MALLOC_CHECK_=2" >> /etc/default/ssh

parallel -j 15 -N0 "ssh benutzer@localhost 'true'" ::: {1..10000}

# AMD Ryzen 1700, VM, 16 threads
# MALLOC_CHECK_=2
root@debian:~# coredumpctl list
TIME                            PID     UID   GID SIG COREFILE  EXE
...
Tue 2024-04-23 02:46:26 CEST  648738     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 02:48:17 CEST  652202     0     0  11 present   /usr/sbin/sshd
Tue 2024-04-23 02:49:26 CEST  694072     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 02:50:51 CEST  715173     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 02:50:55 CEST  750581     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 02:51:41 CEST  753005     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 02:51:47 CEST  786034     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 02:51:50 CEST  790574     0     0   6 present   /usr/sbin/sshd
Tue 2024-04-23 02:51:53 CEST  791146     0     0   6 present   /usr/sbin/sshd

root@debian:~# coredumpctl gdb 791146
           PID: 791146 (sshd)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 6 (ABRT)
     Timestamp: Tue 2024-04-23 02:51:53 CEST (6h ago)
  Command Line: sshd: /usr/sbin/sshd -D [listener] 10 of 10-100 startups
    Executable: /usr/sbin/sshd
 Control Group: /system.slice/ssh.service
          Unit: ssh.service
         Slice: system.slice
       Boot ID: 1fd259cc2ed747a9aaef76e977b483f0
    Machine ID: a149817c9a8c4bbda2c4be3e7ba0d6ed
      Hostname: debian
       Storage: /var/lib/systemd/coredump/core.sshd.0.1fd259cc2ed747a9aaef76e977b483f0.791146.1713833513000000.zst
       Message: Process 791146 (sshd) of user 0 dumped core.

                Stack trace of thread 791146:
                #0  0x00007faa3b4b6ce1 __GI_raise (libc.so.6 + 0x38ce1)
                #1  0x00007faa3b4a0537 __GI_abort (libc.so.6 + 0x22537)
                #2  0x00007faa3b4f83e8 __libc_message (libc.so.6 + 0x7a3e8)
                #3  0x00007faa3b4ff6da malloc_printerr (libc.so.6 + 0x816da)
                #4  0x00007faa3b502b2c _int_malloc (libc.so.6 + 0x84b2c)
                #5  0x00007faa3b503063 malloc_check (libc.so.6 + 0x85063)
                #6  0x00007faa3b4f6eca __GI___open_memstream (libc.so.6 + 0x78eca)
                #7  0x00007faa3b5726e1 __vsyslog_internal (libc.so.6 + 0xf46e1)
                #8  0x00007faa3b572d5f __syslog_chk (libc.so.6 + 0xf4d5f)
                #9  0x000055b451d87e16 syslog (sshd + 0x5ae16)
                #10 0x000055b451d88254 debug (sshd + 0x5b254)
                #11 0x000055b451d3e4b6 main_sigchld_handler (sshd + 0x114b6)
                #12 0x00007faa3b4b6d60 __restore_rt (libc.so.6 + 0x38d60)
                #13 0x00007faa3b5004e0 malloc_consolidate (libc.so.6 + 0x824e0)
                #14 0x00007faa3b5023d5 _int_malloc (libc.so.6 + 0x843d5)
                #15 0x00007faa3b503063 malloc_check (libc.so.6 + 0x85063)
                #16 0x00007faa3b504cea __libc_calloc (libc.so.6 + 0x86cea)
                #17 0x00007faa3b4f6ef4 __GI___open_memstream (libc.so.6 + 0x78ef4)
                #18 0x00007faa3b5726e1 __vsyslog_internal (libc.so.6 + 0xf46e1)
                #19 0x00007faa3b572d5f __syslog_chk (libc.so.6 + 0xf4d5f)
                #20 0x000055b451d87e16 syslog (sshd + 0x5ae16)
                #21 0x000055b451d88254 debug (sshd + 0x5b254)
                #22 0x000055b451d3c86e server_accept_loop (sshd + 0xf86e)
                #23 0x00007faa3b4a1d0a __libc_start_main (libc.so.6 + 0x23d0a)
                #24 0x000055b451d3e1ba _start (sshd + 0x111ba)

GNU gdb (Debian 10.1-1.7) 10.1.90.20210103-git
...
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/sshd...
Reading symbols from /usr/lib/debug/.build-id/d7/1ef5505229d585281cb949a536e6d1c1749a77.debug...
[New LWP 791146]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `sshd: /usr/sbin/ss'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) set width 0
(gdb) set pagination off
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007faa3b4a0537 in __GI_abort () at abort.c:79
#2  0x00007faa3b4f83e8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7faa3b616390 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007faa3b4ff6da in malloc_printerr (str=str@entry=0x7faa3b618b80 "malloc(): mismatching next->prev_size (unsorted)") at malloc.c:5347
#4  0x00007faa3b502b2c in _int_malloc (av=av@entry=0x7faa3b64cb80 <main_arena>, bytes=bytes@entry=505) at malloc.c:3741
#5  0x00007faa3b503063 in malloc_check (sz=504, caller=<optimized out>) at hooks.c:239
#6  0x00007faa3b4f6eca in __GI___open_memstream (bufloc=bufloc@entry=0x7ffe636ea430, sizeloc=sizeloc@entry=0x7ffe636ea438) at memstream.c:76
#7  0x00007faa3b5726e1 in __vsyslog_internal (pri=39, fmt=0x55b451dcb150 "%.500s", ap=0x7ffe636ea520, mode_flags=2) at ../misc/syslog.c:181
#8  0x00007faa3b572d5f in __syslog_chk (pri=pri@entry=7, flag=flag@entry=1, fmt=fmt@entry=0x55b451dcb150 "%.500s") at ../misc/syslog.c:136
#9  0x000055b451d87e16 in syslog (__fmt=0x55b451dcb150 "%.500s", __pri=7) at /usr/include/x86_64-linux-gnu/bits/syslog.h:31
#10 do_log (level=level@entry=SYSLOG_LEVEL_DEBUG1, fmt=fmt@entry=0x55b451db9fbd "main_sigchld_handler: %s", args=args@entry=0x7ffe636eae60) at ../../log.c:484
#11 0x000055b451d88254 in debug (fmt=fmt@entry=0x55b451db9fbd "main_sigchld_handler: %s") at ../../log.c:229
#12 0x000055b451d3e4b6 in main_sigchld_handler (sig=17) at ../../sshd.c:360
#13 <signal handler called>
#14 malloc_consolidate (av=av@entry=0x7faa3b64cb80 <main_arena>) at malloc.c:4518
#15 0x00007faa3b5023d5 in _int_malloc (av=av@entry=0x7faa3b64cb80 <main_arena>, bytes=bytes@entry=8193) at malloc.c:3699
#16 0x00007faa3b503063 in malloc_check (sz=8192, caller=<optimized out>) at hooks.c:239
#17 0x00007faa3b504cea in __libc_calloc (n=n@entry=1, elem_size=elem_size@entry=8192) at malloc.c:3387
#18 0x00007faa3b4f6ef4 in __GI___open_memstream (bufloc=bufloc@entry=0x7ffe636eb6e0, sizeloc=sizeloc@entry=0x7ffe636eb6e8) at memstream.c:83
#19 0x00007faa3b5726e1 in __vsyslog_internal (pri=39, fmt=0x55b451dcb150 "%.500s", ap=0x7ffe636eb7d0, mode_flags=2) at ../misc/syslog.c:181
#20 0x00007faa3b572d5f in __syslog_chk (pri=pri@entry=7, flag=flag@entry=1, fmt=fmt@entry=0x55b451dcb150 "%.500s") at ../misc/syslog.c:136
#21 0x000055b451d87e16 in syslog (__fmt=0x55b451dcb150 "%.500s", __pri=7) at /usr/include/x86_64-linux-gnu/bits/syslog.h:31
#22 do_log (level=level@entry=SYSLOG_LEVEL_DEBUG1, fmt=fmt@entry=0x55b451dba421 "Forked child %ld.", args=args@entry=0x7ffe636ec110) at ../../log.c:484
#23 0x000055b451d88254 in debug (fmt=fmt@entry=0x55b451dba421 "Forked child %ld.") at ../../log.c:229
#24 0x000055b451d3c86e in server_accept_loop (config_s=0x7ffe636ec270, newsock=<synthetic pointer>, sock_out=<synthetic pointer>, sock_in=<synthetic pointer>) at ../../sshd.c:1377
#25 main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2089
(gdb) frame 14
#14 malloc_consolidate (av=av@entry=0x7faa3b64cb80 <main_arena>) at malloc.c:4518
4518    malloc.c: Datei oder Verzeichnis nicht gefunden.
(gdb) display/i $pc
1: x/i $pc
=> 0x7faa3b5004e0 <malloc_consolidate+160>:     mov    %rbp,(%rbx,%rbp,1)
(gdb) print/x $rbx
$1 = 0x55b453395c40
(gdb) print/x $rbp
$2 = 0x3620
(gdb) info symbol 0x55b453395c40
No symbol matches 0x55b453395c40.
(gdb) print p
$3 = (mchunkptr) 0x55b453395c40
(gdb) print *p
$4 = {mchunk_prev_size = 504403158265495717, mchunk_size = 13857, fd = 0x7faa3b64cbe0 <main_arena+96>, bk = 0x7faa3b64cbe0 <main_arena+96>, fd_nextsize = 0x0, bk_nextsize = 0x0}
(gdb) print/x *p
$5 = {mchunk_prev_size = 0x7000000000000a5, mchunk_size = 0x3621, fd = 0x7faa3b64cbe0, bk = 0x7faa3b64cbe0, fd_nextsize = 0x0, bk_nextsize = 0x0}

(gdb) directory /home/benutzer/source/glibc/orig/glibc-2.31/malloc

export DEB_CFLAGS_APPEND=-fsanitize=address
export DEB_CPPFLAGS_APPEND=-fsanitize=address
export DEB_CXXFLAGS_APPEND=-fsanitize=address
export DEB_LDFLAGS_APPEND='-fsanitize=address -static-libasan'
export ASAN_OPTIONS=detect_leaks=0
export PATH=/usr/lib/ccache:$PATH
DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage
dpkg -i openssh-client_*deb openssh-server_*deb openssh-server-dbgsym_*deb openssh-sftp-server_*deb
echo "ASAN_OPTIONS=detect_leaks=0" >> /etc/default/ssh
systemctl stop sshd
systemctl start sshd
# --> Gave no interesting result

https://snapshot.debian.org/archive/debian/20210814T212851Z   # visible     Bullseye Release
https://snapshot.debian.org/archive/debian/20210901T090918Z   # visible
https://snapshot.debian.org/archive/debian/20210915T024357Z   # visible
https://snapshot.debian.org/archive/debian/20211001T033837Z   # visible
https://snapshot.debian.org/archive/debian/20211015T025547Z   # visible
https://snapshot.debian.org/archive/debian/20211101T024700Z   # visible
https://snapshot.debian.org/archive/debian/20211115T024854Z   # visible with 1:8.4p1-6
https://snapshot.debian.org/archive/debian/20211115T024854Z   # not visible with 1:8.7p1-1
https://snapshot.debian.org/archive/debian/20220101T000000Z   # not visible
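
Added example, not part of the original message and not OpenSSH or glibc code: a Python triage helper that reads a gdb `bt` or coredumpctl stack listing and reports when a signal handler re-entered the allocator it had interrupted, which is the shape of the SIGABRT traces above. The names `analyse`, `Finding` and the regex shortlists are assumptions made for this sketch; the sample frames are shortened from the PID 301567 and PID 277265 traces.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One frame: "#12 0x... in name (", "#14 name (", "#13 <signal handler called>",
# or the coredumpctl form "#12 0x... __restore_rt (libc.so.6 + 0x38d60)".
FRAME = re.compile(
    r"(?:^|\s)#(\d+)\s+(?:0x[0-9a-f]+\s+)?(?:in\s+)?(<signal handler called>|\S+)")
SIGNAL_MARKERS = {"<signal handler called>", "__restore_rt"}
ALLOCATOR = re.compile(r"malloc|calloc|realloc|_int_free")
# Assumed shortlist of libc entry points that are not async-signal-safe.
NOT_SIGNAL_SAFE = re.compile(ALLOCATOR.pattern + r"|syslog|memstream|fclose|printf")


@dataclass
class Finding:
    handler: str               # outermost frame of the handler's own stack
    interrupted: str           # function that was running when the signal arrived
    handler_unsafe: List[str]  # non-signal-safe calls made on the handler side
    reentrant_allocator: bool  # handler allocated while the allocator was interrupted


def analyse(bt: str) -> Optional[Finding]:
    """Return a Finding for the innermost signal frame, or None if there is none."""
    frames = [m.group(2) for m in FRAME.finditer(bt)]
    idx = next((i for i, f in enumerate(frames) if f in SIGNAL_MARKERS), None)
    if idx is None or idx == 0 or idx == len(frames) - 1:
        return None
    handler_side, interrupted_side = frames[:idx], frames[idx + 1:]
    return Finding(
        handler=handler_side[-1],
        interrupted=interrupted_side[0],
        handler_unsafe=[f for f in handler_side if NOT_SIGNAL_SAFE.search(f)],
        reentrant_allocator=bool(ALLOCATOR.search(interrupted_side[0]))
        and any(ALLOCATOR.search(f) for f in handler_side),
    )


# Shortened from the symbolised SIGABRT backtrace (arguments elided).
SIGABRT_BT = """
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ff6d30b3537 in __GI_abort () at abort.c:79
#3  0x00007ff6d31126da in malloc_printerr (...) at malloc.c:5347
#4  0x00007ff6d31159f4 in _int_malloc (...) at malloc.c:3744
#5  0x00007ff6d3117b51 in __libc_calloc (...) at malloc.c:3428
#6  0x00007ff6d3109ef4 in __GI___open_memstream (...) at memstream.c:83
#7  0x00007ff6d31856e1 in __vsyslog_internal (...) at ../misc/syslog.c:181
#11 0x0000555e8e15f254 in debug (...) at ../../log.c:229
#12 0x0000555e8e1154b6 in main_sigchld_handler (sig=17) at ../../sshd.c:360
#13 <signal handler called>
#14 malloc_consolidate (...) at malloc.c:4511
#15 0x00007ff6d31153d5 in _int_malloc (...) at malloc.c:3699
#23 0x0000555e8e11386e in server_accept_loop (...) at ../../sshd.c:1377
"""

# Shortened from the SIGSEGV backtrace: no signal frame, only the later crash.
SIGSEGV_BT = """
#0  _int_free (...) at malloc.c:4341
#1  0x00007fb5d3e965af in _int_realloc (...) at malloc.c:4644
#5  0x00007fb5d3f057e7 in __vsyslog_internal (...) at ../misc/syslog.c:237
#10 0x000056494d6e986e in server_accept_loop (...) at ../../sshd.c:1377
"""

if __name__ == "__main__":
    for name, bt in (("SIGABRT", SIGABRT_BT), ("SIGSEGV", SIGSEGV_BT)):
        print(name, analyse(bt))
```

A `None` result for a core such as the SIGSEGV one only means the dump was taken after the interrupted call had already returned, so it should be read together with the other cores from the same run.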