Re: SSH ~& command crash with a coredump

2017-06-23 Thread Ricardo Mestre
committed, thanks for the report Gregoire!

On 01:34 Fri 23 Jun , Jeremie Courreges-Anglas wrote:
> Grégoire Jadi writes:
> 
> > On 06/21/17 12:16, Ricardo Mestre wrote:
> >> Hi,
> >> 
> >> I can confirm this issue, and the diff below seems to solve it for me.
> >> 
> >> Could you please test it and let us know if it works on your side?
> >
> > It does fix the issue. Thank you.
> >
> >> 
> >> Reason: In clientloop.c during client_loop() this function calls
> >> client_simple_escape_filter() which then calls process_escapes() which in turn
> >> fork()s the process. That being said, the pledge inside client_loop which
> >> applies to this code path lacks the proc promise and therefore aborts ssh.
> 
> At first I couldn't reproduce the crash since I'm using "ControlMaster
> auto". Since all the other pledge calls specify "proc", I don't think
> it's a big drawback.  ok jca@



Re: SSH ~& command crash with a coredump

2017-06-22 Thread Jeremie Courreges-Anglas
Grégoire Jadi  writes:

> On 06/21/17 12:16, Ricardo Mestre wrote:
>> Hi,
>> 
>> I can confirm this issue, and the diff below seems to solve it for me.
>> 
>> Could you please test it and let us know if it works on your side?
>
> It does fix the issue. Thank you.
>
>> 
>> Reason: In clientloop.c during client_loop() this function calls
>> client_simple_escape_filter() which then calls process_escapes() which in turn
>> fork()s the process. That being said, the pledge inside client_loop which
>> applies to this code path lacks the proc promise and therefore aborts ssh.

At first I couldn't reproduce the crash since I'm using "ControlMaster
auto". Since all the other pledge calls specify "proc", I don't think
it's a big drawback.  ok jca@

>> Index: clientloop.c
>> ===
>> RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
>> retrieving revision 1.299
>> diff -u -p -u -r1.299 clientloop.c
>> --- clientloop.c 31 May 2017 09:15:42 -  1.299
>> +++ clientloop.c 21 Jun 2017 10:14:26 -
>> @@ -1246,7 +1246,7 @@ client_loop(int have_pty, int escape_cha
>>  
>>  } else {
>>  debug("pledge: network");
>> -if (pledge("stdio unix inet dns tty", NULL) == -1)
>> +if (pledge("stdio unix inet dns proc tty", NULL) == -1)
>>  fatal("%s pledge(): %s", __func__, strerror(errno));
>>  }
>> 
>> 
>

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: SSH ~& command crash with a coredump

2017-06-22 Thread Grégoire Jadi
On 06/21/17 12:16, Ricardo Mestre wrote:
> Hi,
> 
> I can confirm this issue, and the diff below seems to solve it for me.
> 
> Could you please test it and let us know if it works on your side?

It does fix the issue. Thank you.

> 
> Reason: In clientloop.c during client_loop() this function calls
> client_simple_escape_filter() which then calls process_escapes() which in turn
> fork()s the process. That being said, the pledge inside client_loop which
> applies to this code path lacks the proc promise and therefore aborts ssh.
> 
> Index: clientloop.c
> ===
> RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
> retrieving revision 1.299
> diff -u -p -u -r1.299 clientloop.c
> --- clientloop.c  31 May 2017 09:15:42 -  1.299
> +++ clientloop.c  21 Jun 2017 10:14:26 -
> @@ -1246,7 +1246,7 @@ client_loop(int have_pty, int escape_cha
>  
>   } else {
>   debug("pledge: network");
> - if (pledge("stdio unix inet dns tty", NULL) == -1)
> + if (pledge("stdio unix inet dns proc tty", NULL) == -1)
>   fatal("%s pledge(): %s", __func__, strerror(errno));
>   }
> 
> 



Re: SSH ~& command crash with a coredump

2017-06-21 Thread Ricardo Mestre
Hi,

I can confirm this issue, and the diff below seems to solve it for me.

Could you please test it and let us know if it works on your side?

Reason: In clientloop.c during client_loop() this function calls
client_simple_escape_filter() which then calls process_escapes() which in turn
fork()s the process. That being said, the pledge inside client_loop which
applies to this code path lacks the proc promise and therefore aborts ssh.

Index: clientloop.c
===
RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v
retrieving revision 1.299
diff -u -p -u -r1.299 clientloop.c
--- clientloop.c31 May 2017 09:15:42 -  1.299
+++ clientloop.c21 Jun 2017 10:14:26 -
@@ -1246,7 +1246,7 @@ client_loop(int have_pty, int escape_cha
 
} else {
debug("pledge: network");
-   if (pledge("stdio unix inet dns tty", NULL) == -1)
+   if (pledge("stdio unix inet dns proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
}
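Review bot: the widening is the minimal one the evidence supports: the only new promise is "proc", which is what the fork() in process_escapes() needs, and the kernel records in the report (`syscall 2 "proc"`, syscall 2 being fork on OpenBSD) name "proc" as the single missing promise, so no "exec" is added and ~& still cannot exec anything. Two follow-ups worth a look: the `debug("pledge: network")` string now understates the promise set on this branch, and the ~& path should also be exercised with a pty so the other pledge branch, which jca says already carries "proc", is confirmed rather than assumed.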


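Added example, not code from this thread or from OpenSSH: a small Python parser for the pledge-violation records the kernel writes to dmesg, in the form shown in the bug report below, which splits the run-together `<3>`-prefixed records and checks whether a given pledge promise string (the old and the patched one) would have covered each violation. The sample log is constructed after the report's excerpt, and the syscall-number table is an assumption limited to OpenBSD's fork (2).

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the dmesg excerpt in the bug report: the kernel
# logs one record per pledge violation, and consecutive records can be glued onto
# one line with a "<3>" syslog priority prefix between them.
SAMPLE_DMESG = (
    'ssh(36167): syscall 2 "proc"<3>ssh(84227): syscall 2 "proc"\n'
    '<3>ssh(82010): syscall 2 "proc"\n'
    'acpitimer0 at acpi0: 3579545 Hz, 24 bits\n'  # unrelated kernel line
)

# Assumption: OpenBSD syscall number 2 is fork (sys/syscall.h); extend as needed.
SYSCALL_NAMES = {2: "fork"}

# One record has the shape  <program>(<pid>): syscall <nr> "<promise>"
RECORD_RE = re.compile(
    r'(?P<prog>[\w.-]+)\((?P<pid>\d+)\): syscall (?P<nr>\d+) "(?P<promise>[a-z]+)"')

@dataclass(frozen=True)
class PledgeViolation:
    program: str
    pid: int
    syscall: int
    promise: str  # the promise the process was killed for lacking

    @property
    def syscall_name(self) -> str:
        return SYSCALL_NAMES.get(self.syscall, f"syscall#{self.syscall}")

def parse_pledge_violations(text: str) -> list[PledgeViolation]:
    """Extract every violation record from a dmesg dump. Matching is per record,
    not per line, so glued records are split and non-pledge lines are skipped."""
    return [PledgeViolation(m["prog"], int(m["pid"]), int(m["nr"]), m["promise"])
            for m in RECORD_RE.finditer(text)]

def missing_promises(violations: list[PledgeViolation], program: str) -> set[str]:
    """Promises a program was killed for lacking, i.e. what a fix has to add."""
    return {v.promise for v in violations if v.program == program}

def pledge_covers(promises: str, violation: PledgeViolation) -> bool:
    """Does a pledge(2) promise string already contain what the violation needed?"""
    return violation.promise in promises.split()

if __name__ == "__main__":
    found = parse_pledge_violations(SAMPLE_DMESG)
    for v in found:
        print(f'{v.program}[{v.pid}] killed on {v.syscall_name}: needs "{v.promise}"')
    print("fix must add:", missing_promises(found, "ssh"),
          "| old pledge ok:", pledge_covers("stdio unix inet dns tty", found[0]))
```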

SSH ~& command crash with a coredump

2017-06-21 Thread Grégoire Jadi
>Synopsis:  The ~& SSH command crash with a coredump.
>Category:  system amd64
>Environment:
System  : OpenBSD 6.1
Details : OpenBSD 6.1-current (GENERIC.MP) #20: Mon Jun 19 08:05:02 MDT 2017
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Architecture: OpenBSD.amd64
Machine : amd64
>Description:
The ~& command is used to put SSH in the background at logout when waiting
for forwarded connections / X11 sessions to terminate.

The problem occurs in the 2017-06-19 snapshot and in stable (tested in
a kvm VM).

>How-To-Repeat:

$ ssh somehost
somehost$ ~&
Abort trap (core dumped)
$ dmesg | tail
ssh(36167): syscall 2 "proc"<3>ssh(84227): syscall 2 "proc"
<3>ssh(82010): syscall 2 "proc"

$ gdb -c ssh.core
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for 
details.
This GDB was configured as "amd64-unknown-openbsd6.1".
Core was generated by `ssh'.
Program terminated with signal 6, Aborted.
#0  0x028597d43eca in ?? ()
(gdb) bt
#0  0x028597d43eca in ?? ()
#1  0x028597d8cd45 in ?? ()
#2  0x in ?? ()


I'd be happy to provide additional information if needed.

dmesg:
OpenBSD 6.1-current (GENERIC.MP) #20: Mon Jun 19 08:05:02 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP