Bug 223000

Summary: security/openssh-portable: segfault with LibreSSL + LDNS
Product: Ports & Packages Reporter: Bernard Spil <brnrd>
Component: Individual Port(s)Assignee: Bryan Drewery <bdrewery>
Status: Closed FIXED    
Severity: Affects Only Me CC: andrew, clukas, daz, franco, gessel, pkubaj, rootservice, rozhuk.im, sgs, tablooaraz, vidar
Priority: --- Flags: bugzilla: maintainer-feedback? (bdrewery)
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
truss of /usr/local/sbin/sshd none

Description Bernard Spil freebsd_committer 2017-10-14 09:16:23 UTC
If the LIBEDIT option is enabled, the resulting binaries segfault when user-input is required. Building with LIBEDIT disabled results in a working binary.

Tested on 11.1 with LibreSSL 2.6.2.
Comment 1 Piotr Kubaj freebsd_committer 2017-10-14 15:52:09 UTC
I also get a segfault, but having libedit compiled doesn't matter. The error happens when running /usr/local/sbin/sshd. I run 11.1-STABLE with LibreSSL 2.6.2.
Comment 2 Piotr Kubaj freebsd_committer 2017-10-14 15:55:12 UTC
Created attachment 187165 [details]
truss of /usr/local/sbin/sshd
Comment 3 Piotr Kubaj freebsd_committer 2017-10-14 16:11:23 UTC
I've just noticed that the crash happens after reading the first line of the config file, but it doesn't have anything special:
#	$OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

The version I have installed is the newest (7.6.p1_1,1).
Comment 4 Bryan Drewery freebsd_committer 2017-10-14 16:49:53 UTC
The common factor with crashes is libressl or stable-11... very weird.
Comment 5 Andrew Fyfe 2017-10-14 17:02:40 UTC
(In reply to Piotr Kubaj from comment #3)
I noticed the same, if I comment out PermitRootLogin, MaxAuthTries and AuthorizedKeysFile from my sshd_config it then segfaults when loading the host keys.

Disabling LIBEDIT made no difference for me.

FreeBSD 11.1, LibreSSL 2.5.5
Comment 6 Bryan Drewery freebsd_committer 2017-10-14 17:07:59 UTC
Mind sharing your sshd_config?
read(3,"#\t$OpenBSD: sshd_config,v 1.97 "...,4608) = 4291 (0x10c3)
It is reading more than the first line, 4291 bytes read.
Comment 7 Piotr Kubaj freebsd_committer 2017-10-14 17:17:27 UTC
(In reply to Bryan Drewery from comment #6)
The whole file is 4291 bytes long, so that doesn't explain anything:
-rw-r--r--  1 root  wheel  4291 Oct 13 17:39 sshd_config

Still, here you are: https://pastebin.com/NrWjdZkK

The file is slightly shorter because I removed ListenAddress:
egrep -v ListenAddress sshd_config | pastebinit
Comment 8 David Z. 2017-10-14 17:24:29 UTC
Happening to me as well on 11.1-R with libressl.  I tried running sshd using sshd_config.sample as the config file with the same result, so in my case, it segfaults even if there are no changes to sshd_config.  Config options are unchanged as well.
Comment 9 Bryan Drewery freebsd_committer 2017-10-14 17:26:14 UTC
(In reply to Piotr Kubaj from comment #7)
> (In reply to Bryan Drewery from comment #6)
> The whole file is 4291 bytes long, so that doesn't explain anything:
> -rw-r--r--  1 root  wheel  4291 Oct 13 17:39 sshd_config
> 
> Still, here you are: https://pastebin.com/NrWjdZkK
> 
> The file is slightly shorter because I removed ListenAddress:
> egrep -v ListenAddress sshd_config | pastebinit

The point was it is not just reading the first line, it may be processing
other options in there.
Comment 10 Simeon Simeonov 2017-10-14 17:33:49 UTC
Same here.
FreeBSD 11.1-STABLE #0 r324609 (built 12 hours ago), with libressl-2.5.5

Tried also with the default sshd_config:

# /usr/local/etc/rc.d/openssh onestart
Generating public/private dsa key pair.
Segmentation fault (core dumped)
Generating public/private rsa key pair.
Segmentation fault (core dumped)
You already have a Elliptic Curve DSA host key in /usr/local/etc/ssh/ssh_host_ecdsa_key
Skipping protocol version 2 Elliptic Curve DSA Key Generation
Generating public/private ed25519 key pair.
Segmentation fault (core dumped)
Performing sanity check on openssh configuration.
Could not load host key: /usr/local/etc/ssh/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh/ssh_host_dsa_key
Could not load host key: /usr/local/etc/ssh/ssh_host_ed25519_key
Starting openssh.
Could not load host key: /usr/local/etc/ssh/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh/ssh_host_dsa_key
Could not load host key: /usr/local/etc/ssh/ssh_host_ed25519_key


When trying to use old keys (skipping key generation):

# /usr/local/etc/rc.d/openssh onestart
Performing sanity check on openssh configuration.
Segmentation fault
/usr/local/etc/rc.d/openssh: WARNING: failed precmd routine for openssh
Comment 11 Piotr Kubaj freebsd_committer 2017-10-14 17:55:36 UTC
It looks like compiling without LDNS produces working sshd.
Comment 12 commit-hook freebsd_committer 2017-10-14 18:10:35 UTC
A commit references this bug:

Author: bdrewery
Date: Sat Oct 14 18:09:35 UTC 2017
New revision: 452074
URL: https://svnweb.freebsd.org/changeset/ports/452074

Log:
  Mark broken with libressl as it has several random crashses.

  PR:		223000

Changes:
  head/security/openssh-portable/Makefile
Comment 13 Piotr Kubaj freebsd_committer 2017-10-14 18:15:37 UTC
sshd and LibreSSL seem to work fine here - could you mark it IGNORE (or BROKEN), but only if LDNS is chosen?
Comment 14 David Z. 2017-10-14 18:23:42 UTC
(In reply to Piotr Kubaj from comment #11)
I can confirm that disabling LDNS solves the issue for me.
Comment 15 Markus Kohlmeyer 2017-10-15 22:25:01 UTC
Confirmed that LDNS causes the segfaults and not LibreSSL.
Comment 16 Markus Kohlmeyer 2017-10-15 22:28:38 UTC
Tested on 10.4-STABLE and 11.1-STABLE
Comment 17 Bryan Drewery freebsd_committer 2017-10-16 20:14:58 UTC
(In reply to Markus Kohlmeyer from comment #15)
> Confirmed that LDNS causes the segfaults and not LibreSSL.

Are you using LibreSSL?
Comment 18 Markus Kohlmeyer 2017-10-16 20:57:57 UTC
(In reply to Bryan Drewery from comment #17)
Yes, i'm using security/libressl (2.5.5) on both 10.4 and 11.1
Comment 19 Bryan Drewery freebsd_committer 2017-10-16 21:22:39 UTC
Please try this patch: https://people.freebsd.org/~bdrewery/patches/libressl-ldns.diff
Comment 20 Bryan Drewery freebsd_committer 2017-10-16 21:24:36 UTC
(In reply to Bryan Drewery from comment #19)
> Please try this patch:
> https://people.freebsd.org/~bdrewery/patches/libressl-ldns.diff

The difference is in linking:

before:
         Libraries: -lcrypto -lz -L/usr/local/lib -lutil  -Wl,-rpath,/usr/local/lib -fstack-protector  -L/usr/local/lib  -L/usr/local/lib   -lcrypto -lldns -lcrypt
after:
         Libraries: -lcrypto -lldns -lz -L/usr/local/lib -lutil -lcrypt
Comment 21 Markus Kohlmeyer 2017-10-16 21:41:18 UTC
(In reply to Bryan Drewery from comment #19)
The patch works for me on both 10.4 and 11.1
Comment 22 commit-hook freebsd_committer 2017-10-18 17:19:59 UTC
A commit references this bug:

Author: bdrewery
Date: Wed Oct 18 17:19:26 UTC 2017
New revision: 452358
URL: https://svnweb.freebsd.org/changeset/ports/452358

Log:
  LibreSSL + LDNS: Fix random crashes.

  This happens due to ldns-config --libs adding in too many libraries
  (overlinking), and -lcrypto again, which causes some strange
  conflict/corruption.  By specifying the path to --with-ldns, configure only
  adds in -ldns rather than every library ldns itself needs.

  PR:		223000
  Reported by:	many

Changes:
  head/security/openssh-portable/Makefile
Comment 23 vali gholami 2017-11-26 20:46:44 UTC
MARKED AS SPAM