sshd segfaults consistently every time the SftpUmask option is specified in sshd_config. Commenting out that option enables it to run just fine. No other option exhibits any abnormal behavior. This behavior is exhibited even when compiling with CFLAGS="-march=i686 -mtune=i686 -O0".

net-misc/openssh was emerged with these USE flags:

[ebuild R ] net-misc/openssh-3.9_p1 +X509 +chroot -debug -ipv6 +kerberos +ldap +pam (-selinux) +sftplogging -skey -smartcard -static +tcpd (-uclibc)

Emerge info output:

server ~ # emerge info
Portage 2.0.51_rc6 (default-linux/x86/2004.3, gcc-3.4.2, glibc-2.3.4.20040808-r0, 2.6.9-rc1-nitro4 i686)
=================================================================
System uname: 2.6.9-rc1-nitro4 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.5.3
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers: sys-kernel/linux26-headers-2.6.8.1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-march=athlon-xp -mtune=athlon-xp -pipe -O3 -fstack-protector -fomit-frame-pointer -ftracer -fweb -ffast-math -momit-leaf-frame-pointer -fno-ident"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon-xp -mtune=athlon-xp -pipe -O3 -fstack-protector -fomit-frame-pointer -ftracer -fweb -ffast-math -momit-leaf-frame-pointer -fno-ident -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache distlocks sandbox sfperms"
GENTOO_MIRRORS="http://ftp.iasi.roedu.net/mirrors/gentoo.org http://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 acl adns apache2 berkdb bindist caps crypt cups curl doc encode expat fam foomaticdb gif gnutls gpm hardened imlib jpeg kerberos ldap libwww maildir mailwrapper memlimit mmx mysql ncurses nptl odbc pam pdflib perl pic pie png pwdb python readline ruby samba sasl slang slp snmp socks5 spell sse ssl tcpd tetex tiff truetype unicode xml xml2 zlib"
Re-confirmed on Intel P3 SMP architecture, with different compiler and CFLAGS, same glibc version but both LinuxThreads and NPTL, pristine default configuration file (the only change being commenting / uncommenting SftpUmask). It's definitely a bug, not a compiler or optimization issue. Could the package maintainer perhaps report this upstream?

syslog output:

moocha ~ # /usr/sbin/sshd -dD
Oct 4 14:53:02 moocha sshd[19802]: Server listening on 0.0.0.0 port 22.
Oct 4 14:53:11 moocha sshd[19802]: Received signal 15; terminating.

strace output (irrelevant shared library mmap stuff trimmed):

moocha ~ # strace /usr/sbin/sshd -dD
getpid() = 11273
getpid() = 11273
open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) = 3
select(4, [3], NULL, NULL, {0, 10000}) = 1 (in [3], left {0, 10000})
read(3, "\363\'\236`yr\2711`\310\361\221\340\20\257\0069\31\23J"..., 32) = 32
close(3) = 0
getpid() = 11273
getpid() = 11273
getuid32() = 0
getpid() = 11273
time(NULL) = 1096891418
getpid() = 11273
open("/etc/ssh/sshd_config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0600, st_size=4385, ...}) = 0
old_mmap(NULL, 131072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4036a000
read(3, "#\t$OpenBSD$\n\n# This is the sshd "..., 131072) = 4385
read(3, "", 131072) = 0
close(3) = 0
munmap(0x4036a000, 131072) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

ltrace output:

moocha ~ # ltrace /usr/sbin/sshd -dD
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
Okay, I'm stupid. I forgot to actually *specify* the umask value in the config file after the SftpUmask keyword. With

SftpUmask 022

sshd starts up with no trouble whatsoever. Everything is functional. Can you please lower the priority on this bug? It's still a bug as sshd shouldn't SIGSEGV out but should fail gracefully, but it's not a high priority one.
The SftpUmask option seems to be added by the openssh-3.9_p1-sftplogging-1.2-gentoo.patch ... it isn't present in a vanilla emerge ...
OK, the error seems to be with this bit of code in the patch:

+ case sSftpUmask:
+ arg = strdelim(&cp);
+ umaskptr = arg;
+ while (*arg && *arg >= '0' && *arg <= '9')
+ umaskvalue = umaskvalue * 8 + *arg++ - '0';
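Review bot: `arg` is dereferenced in the `while` condition straight after `arg = strdelim(&cp)` with no NULL check, so a line holding only the bare keyword turns `*arg` into a NULL dereference, which is consistent with the SIGSEGV right after sshd_config is read in the strace above. Guard the token before the loop with the usual missing-argument check, `if (!arg || *arg == '\0') fatal("%s line %d: missing argument", filename, linenum);`. Two smaller points on the same lines: the digit test accepts '8' and '9' although the accumulator is base 8, and nothing here verifies that the loop consumed the whole token or that the result is at most 0777, so trailing junk after the digits is silently ignored.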
arg ends up being NULL so dereferencing it is bad ;) new code:

+ case sSftpUmask:
+ arg = strdelim(&cp);
+ umaskptr = arg;
+ while (arg && *arg && *arg >= '0' && *arg <= '9')
+ umaskvalue = umaskvalue * 8 + *arg++ - '0';
+ if (!arg || *arg || umaskvalue > 0777)
+ fatal("%s line %d: bad value for sSftpUmask",
+ filename, linenum);

Fixed in CVS ... I'll send the bugfix upstream too.
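Review bot: the new condition still lets an empty token through: if strdelim() hands back "" rather than NULL for a keyword followed only by whitespace, the loop never runs, `!arg` and `*arg` are both false and `umaskvalue` stays 0, so the directive would be accepted as umask 0 (world-writable uploads) instead of being rejected. Add `*arg == '\0'` to the fatal() test, or put the standard `if (!arg || *arg == '\0') fatal("%s line %d: missing argument", ...)` check in front of the loop. The loop also still treats '8' and '9' as digits, so "088" is computed as 0110 without an error; restrict the test to '0'..'7'. Finally, the message names the internal enum `sSftpUmask`; use the keyword `SftpUmask` so the error matches what the admin actually wrote in sshd_config.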
Thanks!
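The fix above closes the NULL dereference but, as noted in review, still leaves an empty token, the digits 8 and 9, and an unbounded accumulator. The following is an added example written for this thread, not code from OpenSSH or from the Gentoo sftplogging patch, showing how a defensive version of that config-line handler can look. `parse_umask_token`, `parse_sftpumask_line`, the `umask_status` enum and the sample lines are all constructed for the example, and the blank-splitting in `parse_sftpumask_line` is a stand-in for OpenSSH's strdelim().

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcomes of the strict umask parse (hypothetical helper, not OpenSSH code). */
enum umask_status {
    UMASK_OK = 0,
    UMASK_NO_KEYWORD,   /* line is not an SftpUmask directive */
    UMASK_MISSING,      /* keyword present but no value (the crashing input) */
    UMASK_BAD_DIGIT,    /* a character outside '0'..'7' */
    UMASK_OUT_OF_RANGE  /* value exceeds 0777 */
};

/*
 * Parse exactly `len` bytes at `arg` as an octal umask.  Compared with the
 * patched sSftpUmask case this also:
 *  - treats an empty token as missing (an empty string would otherwise
 *    satisfy neither !arg nor *arg and quietly yield umask 0);
 *  - accepts only octal digits, so "088" is rejected instead of being
 *    computed as 0110;
 *  - checks the bound on every digit, so a long digit string cannot wrap
 *    the accumulator before a final range check.
 * `value` is a fresh local on each call, so a repeated directive never
 * stacks on the previous value.
 */
enum umask_status
parse_umask_token(const char *arg, size_t len, mode_t *out)
{
    mode_t value = 0;
    size_t i;

    if (arg == NULL || len == 0)
        return UMASK_MISSING;

    for (i = 0; i < len; i++) {
        if (arg[i] < '0' || arg[i] > '7')
            return UMASK_BAD_DIGIT;
        value = value * 8 + (mode_t)(arg[i] - '0');
        if (value > 0777)
            return UMASK_OUT_OF_RANGE;
    }
    *out = value;
    return UMASK_OK;
}

/*
 * Handle one sshd_config-style line.  Constructed stand-in for the
 * strdelim() loop in servconf.c: splits "SftpUmask <value>" on blanks and
 * hands the value (possibly empty) to parse_umask_token, so a bare
 * "SftpUmask" line reports UMASK_MISSING instead of dereferencing NULL.
 */
enum umask_status
parse_sftpumask_line(const char *line, mode_t *out)
{
    static const char kw[] = "SftpUmask";
    const char *start;

    line += strspn(line, " \t");
    /* keyword must be followed by a blank, a newline or end of line */
    if (strncmp(line, kw, sizeof kw - 1) != 0 ||
        strchr(" \t\r\n", line[sizeof kw - 1]) == NULL)
        return UMASK_NO_KEYWORD;
    line += sizeof kw - 1;
    line += strspn(line, " \t");

    start = line;
    line += strcspn(line, " \t\r\n");
    return parse_umask_token(start, (size_t)(line - start), out);
}

int main(void)
{
    /* constructed sample lines, including the bare keyword that crashed sshd */
    const char *lines[] = { "SftpUmask 022", "SftpUmask", "SftpUmask 088",
                            "SftpUmask 1000", "Port 22" };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        mode_t m = 0;
        enum umask_status st = parse_sftpumask_line(lines[i], &m);
        printf("%-16s -> status %d, umask %04o\n", lines[i], (int)st, (unsigned)m);
    }
    return 0;
}
```

Run as-is it prints the status and parsed value for each constructed line. A bare `SftpUmask` now yields UMASK_MISSING, which a caller turns into the same fatal() the patch already uses, rather than a NULL dereference, and "088" is refused instead of being stored as 0110.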