[Bug 3321] New: Abnormal packet reading when SSH and tcmalloc are used together
https://bugzilla.mindrot.org/show_bug.cgi?id=3321

Bug ID: 3321
Summary: Abnormal packet reading when SSH and tcmalloc are used together
Product: Portable OpenSSH
Version: 8.6p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: ssh
Assignee: unassigned-bugs@mindrot.org
Reporter: kircherlike@outlook.com

tcmalloc is a fast C/C++ memory allocator designed around a fast path
that avoids synchronizing with other threads for most allocations in
the gperftools.

The tcmalloc of gperftools can be found in
https://github.com/gperftools/gperftools. Using tcmalloc replaces the
malloc standard library function of glibc.

In an x86 system, when the memory of tcmalloc is insufficient, the heap
extension obtains the current call stack through libunwind. libunwind
creates a pipe to check whether the address is valid.

In the main function of ssh.c, the pipeline created by saved_av in
xcalloc by using the tcmalloc process is released abnormally by the
closefrom function.

...
#ifndef HAVE_SETPROCTITLE
    /* Prepare for later setproctitle emulation */
    /* Save argv so it isn't clobbered by setproctitle() emulation */
    saved_av = xcalloc(ac + 1, sizeof(*saved_av));
    for (i = 0; i < ac; i++)
        saved_av[i] = xstrdup(av[i]);
    saved_av[i] = NULL;
    compat_init_setproctitle(ac, av);
    av = saved_av;
#endif

    seed_rng();

    /*
     * Discard other fds that are hanging around. These can cause problem
     * with backgrounded ssh processes started by ControlPersist.
     */
    closefrom(STDERR_FILENO + 1);
...

When tcmalloc attempts to read the pipe, it incorrectly reads the
contents of connection_in, resulting in an error in the MAC
verification of the packet.

Therefore, swapping the order of the xcalloc and closefrom statements is
probably the best way to be compatible with tcmalloc.

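Added illustration (not part of the original report, and not OpenSSH, gperftools or libunwind code): a small C program showing the failure mode the report describes, where a library caches a descriptor during the first allocation, closefrom() closes it, and the connection socket then reuses the same descriptor number. The names close_from, lib_alloc_hook, lib_probe and run_startup and the 16-byte payload are constructed for this example, and the library's pipe handling is a simplified stand-in for what libunwind does.

```c
/* Added illustration: stale cached fd after closefrom(); all names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

static int lib_pipe[2] = { -1, -1 };    /* fds cached inside the "allocator" */

/* Simplified stand-in for closefrom(3): close every fd >= lowfd (demo bound 64). */
static void close_from(int lowfd) {
    for (int fd = lowfd; fd < 64; fd++)
        close(fd);
}

/* Stand-in for the allocator lazily creating its helper pipe on first use. */
static void lib_alloc_hook(void) {
    if (lib_pipe[0] == -1 && pipe(lib_pipe) == 0)
        fcntl(lib_pipe[0], F_SETFL, O_NONBLOCK);
}

/* The library later reads its cached fd; returns the number of bytes it drained. */
static long lib_probe(void) {
    char buf[64];
    long n = read(lib_pipe[0], buf, sizeof buf);
    return n < 0 ? 0 : n;
}

/* Runs the startup sequence; returns connection bytes consumed by the library. */
long run_startup(int close_first) {
    int sv[2];
    close_from(STDERR_FILENO + 1);          /* known starting state for the demo */
    lib_pipe[0] = lib_pipe[1] = -1;
    if (close_first)
        close_from(STDERR_FILENO + 1);      /* swapped order: discard fds first */
    lib_alloc_hook();                       /* first allocation, like xcalloc() */
    if (!close_first)
        close_from(STDERR_FILENO + 1);      /* reported order: closes the cached pipe */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;                          /* "connection" takes the lowest free fds */
    if (write(sv[1], "constructed-pkt!", 16) != 16)
        return -1;                          /* peer sends 16 bytes of sample data */
    long stolen = lib_probe();
    close(sv[0]);
    close(sv[1]);
    return stolen;
}

int main(void) {
    printf("reported order: library consumed %ld connection bytes\n", run_startup(0));
    printf("swapped order:  library consumed %ld connection bytes\n", run_startup(1));
    return 0;
}
```

In the reported order the library drains bytes that belong to the connection, which is how a receiver ends up with a truncated packet and a MAC failure; with the descriptors closed before the first allocation, the library's pipe and the connection never share a number.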