Re: SSH ~& command crash with a coredump
committed, thanks for the report Gregoire!

On 01:34 Fri 23 Jun , Jeremie Courreges-Anglas wrote:
> Grégoire Jadi writes:
>
> > On 06/21/17 12:16, Ricardo Mestre wrote:
> >> Hi,
> >>
> >> I can confirm this issue, and the diff below seems to solve it for me.
> >>
> >> Could you please test it and let us know if it works on your side?
> >
> > It does fix the issue. Thank you.
> >
> >>
> >> Reason: In clientloop.c during client_loop() this function calls
> >> client_simple_escape_filter() which then calls process_escapes() which in
> >> turn
> >> fork()s the process. That being said, the pledge inside client_loop which
> >> applies to this code path lacks the proc promise and therefore aborts ssh.
>
> At first I couldn't reproduce the crash since I'm using "ControlMaster
> auto". Since all the other pledge calls specify "proc", I don't think
> it's a big drawback. ok jca@
Re: SSH ~& command crash with a coredump
Grégoire Jadi writes:

> On 06/21/17 12:16, Ricardo Mestre wrote:
>> Hi,
>>
>> I can confirm this issue, and the diff below seems to solve it for me.
>>
>> Could you please test it and let us know if it works on your side?
>
> It does fix the issue. Thank you.
>
>>
>> Reason: In clientloop.c during client_loop() this function calls
>> client_simple_escape_filter() which then calls process_escapes() which in
>> turn
>> fork()s the process. That being said, the pledge inside client_loop which
>> applies to this code path lacks the proc promise and therefore aborts ssh.

At first I couldn't reproduce the crash since I'm using "ControlMaster
auto". Since all the other pledge calls specify "proc", I don't think
it's a big drawback. ok jca@

>> Index: clientloop.c >> === >> RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v >> retrieving revision 1.299 >> diff -u -p -u -r1.299 clientloop.c >> --- clientloop.c 31 May 2017 09:15:42 - 1.299 >> +++ clientloop.c 21 Jun 2017 10:14:26 - >> @@ -1246,7 +1246,7 @@ client_loop(int have_pty, int escape_cha >> >> } else { >> debug("pledge: network"); >> -if (pledge("stdio unix inet dns tty", NULL) == -1) >> +if (pledge("stdio unix inet dns proc tty", NULL) == -1) >> fatal("%s pledge(): %s", __func__, strerror(errno)); >> } >> >> >
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: SSH ~& command crash with a coredump
On 06/21/17 12:16, Ricardo Mestre wrote:
> Hi,
>
> I can confirm this issue, and the diff below seems to solve it for me.
>
> Could you please test it and let us know if it works on your side?

It does fix the issue. Thank you.

>
> Reason: In clientloop.c during client_loop() this function calls
> client_simple_escape_filter() which then calls process_escapes() which in turn
> fork()s the process. That being said, the pledge inside client_loop which
> applies to this code path lacks the proc promise and therefore aborts ssh.
>
> Index: clientloop.c > === > RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v > retrieving revision 1.299 > diff -u -p -u -r1.299 clientloop.c > --- clientloop.c 31 May 2017 09:15:42 - 1.299 > +++ clientloop.c 21 Jun 2017 10:14:26 - > @@ -1246,7 +1246,7 @@ client_loop(int have_pty, int escape_cha > > } else { > debug("pledge: network"); > - if (pledge("stdio unix inet dns tty", NULL) == -1) > + if (pledge("stdio unix inet dns proc tty", NULL) == -1) > fatal("%s pledge(): %s", __func__, strerror(errno)); > } > >
Re: SSH ~& command crash with a coredump
Hi,

I can confirm this issue, and the diff below seems to solve it for me.

Could you please test it and let us know if it works on your side?

Reason: In clientloop.c during client_loop() this function calls
client_simple_escape_filter() which then calls process_escapes() which in turn
fork()s the process. That being said, the pledge inside client_loop which
applies to this code path lacks the proc promise and therefore aborts ssh.

Index: clientloop.c === RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v retrieving revision 1.299 diff -u -p -u -r1.299 clientloop.c --- clientloop.c31 May 2017 09:15:42 - 1.299 +++ clientloop.c21 Jun 2017 10:14:26 - @@ -1246,7 +1246,7 @@ client_loop(int have_pty, int escape_cha } else { debug("pledge: network"); - if (pledge("stdio unix inet dns tty", NULL) == -1) + if (pledge("stdio unix inet dns proc tty", NULL) == -1) fatal("%s pledge(): %s", __func__, strerror(errno)); }
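Review bot: the changed pledge() call in the else branch gains "proc" with no comment saying why, while the debug line above it still reads "pledge: network". Please add a short comment at the call naming the ~& escape path (client_simple_escape_filter() -> process_escapes() -> fork()), so a later pass that tightens promises does not drop "proc" again. The hunk touches only this one branch at line 1246, so it is also worth stating in the commit message that the other pledge() branches in client_loop() were checked for the same escape path.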
SSH ~& command crash with a coredump
>Synopsis: The ~& SSH command crash with a coredump.
>Category: system amd64
>Environment:
    System : OpenBSD 6.1
    Details : OpenBSD 6.1-current (GENERIC.MP) #20: Mon Jun 19 08:05:02 MDT 2017
        dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
    Architecture: OpenBSD.amd64
    Machine : amd64
>Description:
    The ~& command is used to put SSH in background at logout when waiting
    for forwarded connection / X11 sessions to terminate.
    The problem occurs in the 2017-06-19 snapshot and in stable (tested in a
    kvm VM).
>How-To-Repeat:
    $ ssh somehost
    somehost$ ~&
    Abort trap (core dumped)
    $ dmesg | tail
    ssh(36167): syscall 2 "proc"<3>ssh(84227): syscall 2 "proc"
    <3>ssh(82010): syscall 2 "proc"
    $ gdb -c ssh.core
    GNU gdb 6.3
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "amd64-unknown-openbsd6.1".
    Core was generated by `ssh'.
    Program terminated with signal 6, Aborted.
    #0 0x028597d43eca in ?? ()
    (gdb) bt
    #0 0x028597d43eca in ?? ()
    #1 0x028597d8cd45 in ?? ()
    #2 0x in ?? ()
    (gdb) info reg
    rax0x1 1
    rbx0x0 0
    rcx0x28597d43eca2772801175242
    rdx0x0 0
    rsi0x7f7ed2e0 140187732464352
    rdi0x285baf3d7002773390448384
    rbp0x26 0x26
    rsp0x7f7ecdf8 0x7f7ecdf8
    r8 0x285baf3d7102773390448400
    r9 0x7f7ed2e2 140187732464354
    r100x0 0
    r110x246582
    r120x7f7ed770 140187732465520
    r130x28535285c402771145743424
    r140x285c013d8002773476431872
    r150x7f7ed770 140187732465520
    rip0x28597d43eca0x28597d43eca
    eflags 0x247583
    cs 0x2b 43
    ss 0x23 35
    ds 0x23 35
    es 0x23 35
    fs 0x23 35
    gs 0x23 35

I'd be happy to provide additional information if needed.
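The dmesg records in the report above are what a missing pledge promise looks like from the outside, so they can be triaged mechanically. The following is an added example, not code from the thread or from OpenSSH: it parses records in the format shown in the report (including the fused "<3>" log tags) and checks a promise string for a whole-word promise. The function names and the struct are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* One pledge violation record; syscall 2 is fork on OpenBSD. */
struct violation { char prog[32]; int pid, sysno; char promise[16]; };
/* Records copied from the report's dmesg output, fused "<3>" tags included. */
static const char SAMPLE_DMESG[] =
    "ssh(36167): syscall 2 \"proc\"<3>ssh(84227): syscall 2 \"proc\"\n"
    "<3>ssh(82010): syscall 2 \"proc\"\n";

/* Parse one record of the form: name(pid): syscall N "promise". 1 on success. */
int parse_violation(const char *rec, struct violation *v)
{
    if (rec[0] == '<' && strchr(rec, '>') != NULL)   /* skip log priority tag */
        rec = strchr(rec, '>') + 1;
    return sscanf(rec, " %31[^(](%d): syscall %d \"%15[^\"]\"",
                  v->prog, &v->pid, &v->sysno, v->promise) == 4;
}

/* Count records where program `prog` was killed for lacking `promise`. */
int count_violations(const char *log, const char *prog, const char *promise)
{
    struct violation v;
    int n = 0;
    for (const char *p = log; p != NULL && *p != '\0'; ) {
        if (parse_violation(p, &v) && !strcmp(v.prog, prog) && !strcmp(v.promise, promise))
            n++;
        p = strpbrk(p + 1, "<\n");       /* next record starts at a tag or newline */
        if (p != NULL && *p == '\n') p++;
    }
    return n;
}

/* Whole-word test, so "exec" does not match inside "prot_exec". */
int has_promise(const char *promises, const char *want)
{
    size_t n = strlen(want);
    for (const char *p = promises; n && (p = strstr(p, want)); p += n)
        if ((p == promises || p[-1] == ' ') && (p[n] == '\0' || p[n] == ' '))
            return 1;
    return 0;
}

int main(void)
{
    printf("ssh proc violations: %d\n", count_violations(SAMPLE_DMESG, "ssh", "proc"));
    printf("old=%d new=%d\n", has_promise("stdio unix inet dns tty", "proc"),
           has_promise("stdio unix inet dns proc tty", "proc"));
    return 0;
}
```
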