openssh: The concurrency of settimeofday and ssh connect would lead to coredump

Bug #1734040 reported by wang
Affects             Status         Importance   Assigned to   Milestone
openssh (Ubuntu)    Fix Released   Undecided    Unassigned
  Xenial            New            Undecided    Unassigned
  Bionic            New            Undecided    Unassigned

Bug Description

Hi, pals:
We found a coredump when doing an ssh connection. The basic information is as follows:
the stack trace in coredump:
(gdb) bt
#0 0x20007510 in raise () from /lib/libc.so.6
#1 0x2000c718 in abort () from /lib/libc.so.6
#2 0x2053d42c in __mulvsi3 (a=, b=) at /home/l00194794/yocto/c08_sdk/sdk/build/script/cpu_hcc/ppc-linux/../../../toolchain_soft/ppc-linux/src/gcc-4.7.1/libgcc/libgcc2.c:159
#3 0x2050d030 in ms_subtract_diff (start=start@entry=0xbfa20a9c, ms=0x48027c40, ms@entry=0xbfa20a98) at misc.c:871
#4 0x204d2568 in ssh_exchange_identification (timeout_ms=timeout_ms@entry=5000) at sshconnect.c:580
#5 0x204d3e3c in ssh_login (sensitive=sensitive@entry=0x20586ea8, orighost=, hostaddr=hostaddr@entry=0x20586e28, port=, pw=pw@entry=0x20589ae8, timeout_ms=5000)
at sshconnect.c:1346
#6 0x204c433c in main (ac=, av=) at ssh.c:1326

The direct cause of the coredump is that the function __mulvsi3 in gcc checked that the plus operation overflowed, and then this gcc function called abort().

The reason for the overflow is the time-setting operation during the ssh connect. In the function ms_subtract_diff, timeoutp gets a very big value because of the time change.

So could we add a limit on the difference of the 2 values obtained from gettimeofday? If it's too big and would lead to overflow, we set a default value and report a warning log.
Thanks for your attention, and I look forward to your reply.

B.R.
Le Wang

Revision history for this message
Christian Ehrhardt (paelzer) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. I appreciate the quality of this bug report and I'm sure it'll be helpful to others experiencing the same issue.

This sounds like an upstream bug to me. Please can you verify this by building directly from the latest upstream source? If this can be confirmed as an upstream bug, the best route to getting it fixed in Ubuntu in this case would be to file an upstream bug if you're able to do that. Otherwise, I'm not sure what we can do directly in Ubuntu to fix the problem.

Slightly old, but still mostly applicable info about doing so can be found at [1]

If you do end up filing an upstream bug, please link to it from here. Thanks!

[1]: https://wiki.ubuntu.com/Bugs/Upstream/OpenSSH

Revision history for this message
Colin Watson (cjwatson) wrote :

This was fixed upstream a while back in response to you reporting it directly to them (https://anongit.mindrot.org/openssh.git/commit/?id=5db6fbf1438b108e5df3e79a1b4de544373bc2d4); that fix was in OpenSSH 7.7p1 and is thus in cosmic. It might not be a bad idea to backport this fix to xenial and bionic, so I've opened bug tasks for that.

Changed in openssh (Ubuntu):
status: New → Fix Released
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Is there a scenario where this can be easily triggered? I'm thinking both in terms of priority for this fix, and for an SRU test case description.
