On Wed, Apr 30, 2025 at 12:32:33AM +0200, Michel Casabona wrote:
Same problem here since 1:10.0p1-2 was migrated to testing yesterday.

Thanks for chiming in - it's very helpful to have more data.

It seems (but I'm not sure) that there is less chance of a crash when using password authentication (PubkeyAuthentication=no). Also, on my system it's easier to cause a crash when logging in from the server itself (either by loopback or ethernet IP address)

Reconfiguring libpam-runtime to exclude ecryptfs doesn't make any difference, it still crashes

From the client view (-vvv) the connection is reset at different points,
sometimes after the local version string is shown, with an error message:

This sort of thing points to memory corruption somewhere, which is what I suspected, though it unfortunately doesn't really narrow it down.

As advised I tried installing systemd-coredump, valgrind and also debuginfod, then modified the script
/usr/local/bin/sshd-session-valgrind like this

DEBUGINFOD_URLS=https://debuginfod.debian.net/ exec valgrind --leak-check=full --enable-debuginfod=yes /usr/lib/openssh/sshd-session "$@"

Now valgrind shows the name of a function

avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Cannot map memory to grow the stack for thread #1 to 0x1ffeffc000
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365==
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Process terminating with default action of signal 11 (SIGSEGV): dumping core
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Access not within mapped region at address 0x1FFEFFCD78
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Cannot map memory to grow the stack for thread #1 to 0x1ffeffc000
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== at 0x1BCBC9: glob0 (glob.c:476)

Is that the complete output from valgrind, or did you edit it down? It's tantalizingly close to being useful, but it really feels like there should be more of it. Could I have all of the lines matching "==4019365=="?

Unfortunately I couldn't get a coredump

avril 29 19:57:25 odysseus systemd[1]: Started systemd-coredump@15-4019403-0.service - Process Core Dump (PID 4019403/UID 0).
avril 29 19:57:25 odysseus systemd-coredump[4019404]: Resource limits disable core dumping for process 4019365 (memcheck-amd64-).
avril 29 19:57:25 odysseus systemd-coredump[4019404]: [🡕] Process 4019365 (memcheck-amd64-) of user 0 terminated abnormally without generating a coredump.
avril 29 19:57:25 odysseus systemd[1]: systemd-coredump@15-4019403-0.service: Deactivated successfully.

No idea why, I thought installing systemd-coredump pushed the limits

/etc/security/limits.d/20-coredump-debian.conf raises soft limits, but there might be something else in play that's reducing them again. But hopefully more complete valgrind output will be more useful anyway ...

Thanks,

--
Colin Watson (he/him)                              [cjwat...@debian.org]
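
An added example, not part of the thread and not code from either correspondent: two shell helpers for the checks discussed above, one collecting every "==PID==" valgrind line from journal text and one reading the core-size limits a process actually runs with. The function names and sample data are constructed for illustration; the limits sample follows the /proc/<pid>/limits layout.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.

# valgrind_lines PID: read journal text on stdin and print only the valgrind
# part ("==PID== ...") of each line tagged with that PID.
valgrind_lines() {
    grep -F "==$1==" | sed "s/^.*\(==$1==\)/\1/"
}

# core_limits [FILE]: print "soft hard" core-size limits from a file in
# /proc/<pid>/limits format (stdin if no file); fails if the row is missing.
core_limits() {
    awk '/^Max core file size/ { print $5, $6; found = 1 }
         END { exit(found ? 0 : 1) }' "${1:--}"
}

# core_dump_allowed [FILE]: succeed only when the soft core limit is non-zero.
core_dump_allowed() {
    limits=$(core_limits "${1:--}") || return 2
    [ "${limits%% *}" != "0" ]
}

# Constructed journal sample in the format quoted in the thread; the
# middle line is an invented non-valgrind message.
sample_journal() {
    cat <<'EOF'
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365== Process terminating with default action of signal 11 (SIGSEGV): dumping core
avril 29 19:57:25 odysseus sshd[4019365]: Connection from 192.0.2.10 port 50000
avril 29 19:57:25 odysseus sshd[4019365]: ==4019365==    at 0x1BCBC9: glob0 (glob.c:476)
EOF
}

# Constructed limits sample with a zero soft core limit.
sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max stack size            8388608              unlimited            bytes
Max core file size        0                    unlimited            bytes
EOF
}

# Demo on the constructed samples. On a live system the inputs would be,
# for example, "journalctl -b" output and /proc/<pid>/limits of the process.
sample_journal | valgrind_lines 4019365
sample_limits | core_limits
```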
