
Bug#946242: fatal: privsep_preauth: preauth child terminated by signal 31



Dear Maintainer,
I could reproduce the issue in an i386 qemu VM with
a downgraded 3.16-3-686-pae kernel.
Attached file contains a debug session.

At the sysenter instruction in function shmdt (system call number 0x75 = 117,
the same syscall= value the audit line reports) the signal SIGSYS (31) is received.

Kind regards,
Bernhard


(gdb) bt
#0  shmdt (shmaddr=0xb7740000) at ../sysdeps/unix/sysv/linux/shmdt.c:33
#1  0xb748c35a in cleanup_shm () at ../crypto/rand/rand_unix.c:370
#2  0xb7460fb3 in OPENSSL_cleanup () at ../crypto/init.c:519
#3  OPENSSL_cleanup () at ../crypto/init.c:497
#4  0xb6fdfae0 in __run_exit_handlers (status=0, listp=0xb71883fc <__exit_funcs>, run_list_atexit=true, run_dtors=true) at exit.c:108
#5  0xb6fdfc01 in __GI_exit (status=0) at exit.c:139
#6  0xb774da25 in main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2257
Buster/stable i386 qemu VM 2019-12-07

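# Reproduction recipe (run as root in the i386 qemu VM): update the system,
# install debug tooling and sources, then downgrade to a 3.16 kernel.
apt update
apt dist-upgrade

# gdb plus debug symbols for sshd and libssl; dropbear serves as a fallback
# ssh daemon while the packaged sshd is being debugged.
apt install dropbear mc gdb openssh-server-dbgsym libssl1.1-dbgsym
apt build-dep openssh-server

# Unpacked sources so gdb can resolve file:line in backtraces.
mkdir -p /home/benutzer/source/openssh-server/orig
cd    /home/benutzer/source/openssh-server/orig
apt source openssh-server
cd

mkdir -p /home/benutzer/source/libssl1.1/orig
cd    /home/benutzer/source/libssl1.1/orig
apt source libssl1.1
cd

# Older kernel from snapshot.debian.org. dpkg -i installs a local .deb without
# checking the archive signature chain, so compare the file's hash with the
# signed Packages index of that snapshot before installing it.
wget https://snapshot.debian.org/archive/debian/20141013T184415Z/pool/main/l/linux/linux-image-3.16-3-686-pae_3.16.5-1_i386.deb
dpkg -i linux-image-3.16-3-686-pae_3.16.5-1_i386.deb

reboot
# to kernel 3.16

# to have another ssh available
dropbear -p 80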




# failed login attempt

Dez 07 15:42:55 debian kernel: audit: type=1326 audit(1575729775.309:3): auid=4294967295 uid=104 gid=65534 ses=4294967295 pid=5227 comm="sshd" exe="/usr/sbin/sshd" sig=31 syscall=117 compat=0 ip=0xb76fed4c code=0x0
Dez 07 15:42:55 debian sshd[5226]: Accepted password for benutzer from 10.0.2.2 port 48382 ssh2
Dez 07 15:42:55 debian sshd[5226]: fatal: privsep_preauth: preauth child terminated by signal 31







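# Attach to the listening sshd. pidof must yield exactly one pid here (no other
# sshd sessions running), otherwise --pid receives several numbers; pass the
# pid explicitly in that case.
gdb -q --pid "$(pidof sshd)"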

# gdb commands used after attaching to the listening sshd (transcript below).
set width 0
set pagination off
# Source lookup: sshd frames are reported as ../../sshd.c, so a directory two
# levels below the unpacked openssh tree lets that relative path resolve.
directory /home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po
directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.1d/crypto
# Break on every fork and on the SysV shared-memory calls made by OpenSSL's
# RNG seeding (wait_random_seeded) and its exit-time cleanup (cleanup_shm).
b fork
b shmget
b shmat
b shmdt
# Follow the child at each fork: listener -> per-connection sshd -> preauth child,
# which is the process that terminates with signal 31.
set follow-fork-mode child
cont
bt
info proc

# try to ssh, wait for password prompt, not enter it yet

# finish returns from fork; with follow-fork-mode child gdb continues in the new process.
finish
info proc
bt
cont
info proc
bt
cont
info proc
bt
cont

# enter password

info proc
bt
# Show the instruction at $pc on every stop, for single-stepping with nexti/stepi.
display/i $pc





root@debian:~# gdb -q --pid $(pidof sshd)
Attaching to process 701
Reading symbols from /usr/sbin/sshd...Reading symbols from /usr/lib/debug/.build-id/e1/d218f3aad351129f185477cd07fa0217f1648f.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libwrap.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libaudit.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libpam.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libselinux.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libsystemd.so.0...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/libcrypto.so.1.1...Reading symbols from /usr/lib/debug/.build-id/fa/b89eb04abddd217b9dcbac3092b22b3316bc85.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libutil.so.1...Reading symbols from /usr/lib/debug/.build-id/00/f2ffae5a7d102f8d638567d0ebbf4a50fe8909.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libz.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libcrypt.so.1...Reading symbols from /usr/lib/debug/.build-id/1a/00e365b7690f55dd90ace5de35843ce25d6b35.debug...done.
done.
Reading symbols from /usr/lib/i386-linux-gnu/libgssapi_krb5.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/libkrb5.so.3...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libcom_err.so.2...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/.build-id/44/72898f10b8f6e536025fe764b9245186520cef.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libnsl.so.1...Reading symbols from /usr/lib/debug/.build-id/e7/ef24c10b8f675406ad572c03bb03453a69670c.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libcap-ng.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libdl.so.2...Reading symbols from /usr/lib/debug/.build-id/0a/eba38648f88f71c49aff5cc91e5a696e8ba0ef.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libpcre.so.3...(no debugging symbols found)...done.
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/.build-id/75/c5f4b3fd81f62a7f2fea8f1c091f3aabf81693.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/librt.so.1...Reading symbols from /usr/lib/debug/.build-id/c4/8f25812a51319cbd05b8102b3ce4be0c89266c.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/liblzma.so.5...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/liblz4.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libgcrypt.so.20...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libpthread.so.0...Reading symbols from /usr/lib/debug/.build-id/33/f342e4e7272869f07e4621eba7b6c22f92ac08.debug...done.
done.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Reading symbols from /usr/lib/i386-linux-gnu/libk5crypto.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/i386-linux-gnu/libkrb5support.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libkeyutils.so.1...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libresolv.so.2...Reading symbols from /usr/lib/debug/.build-id/1a/267fbbfeab306634bbb88cec081e66948b3be0.debug...done.
done.
Reading symbols from /lib/i386-linux-gnu/libgpg-error.so.0...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/libnss_files.so.2...Reading symbols from /usr/lib/debug/.build-id/56/97b1b879c9bfb626321b41573ac4ba4079726b.debug...done.
done.
0xb7789d4c in __kernel_vsyscall ()
(gdb) set width 0
(gdb) set pagination off
(gdb) directory /home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po
Source directories searched: /home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po:$cdir:$cwd
(gdb) directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.1d/crypto
Source directories searched: /home/benutzer/source/libssl1.1/orig/openssl-1.1.1d/crypto:/home/benutzer/source/openssh-server/orig/openssh-7.9p1/debian/po:$cdir:$cwd
(gdb) b fork
Breakpoint 1 at 0xb70e7a30: file ../sysdeps/nptl/fork.c, line 56.
(gdb) b shmget
Breakpoint 2 at 0xb7123900: file ../sysdeps/unix/sysv/linux/shmget.c, line 33.
(gdb) b shmat
Breakpoint 3 at 0xb7123850: file ../sysdeps/unix/sysv/linux/shmat.c, line 30.
(gdb) b shmdt
Breakpoint 4 at 0xb71238c0: file ../sysdeps/unix/sysv/linux/shmdt.c, line 33.
(gdb) set follow-fork-mode child
(gdb) cont
Continuing.

Breakpoint 1, __libc_fork () at ../sysdeps/nptl/fork.c:56
56      ../sysdeps/nptl/fork.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  __libc_fork () at ../sysdeps/nptl/fork.c:56
#1  0xb77c1979 in server_accept_loop (sock_in=<optimized out>, sock_out=<optimized out>, newsock=<optimized out>, config_s=<optimized out>) at ../../sshd.c:1300
#2  0xb77bf33b in main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2003
(gdb) info proc
process 701
cmdline = '/usr/sbin/sshd -D'
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) finish
Run till exit from #0  __libc_fork () at ../sysdeps/nptl/fork.c:56
[Attaching after Thread 0xb6d98800 (LWP 701) fork to child process 14352]
[New inferior 2 (process 14352)]
[Detaching after fork from parent process 701]
[Inferior 1 (process 701) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
process 14352 is executing new program: /usr/sbin/sshd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[Switching to Thread 0xb6d1f800 (LWP 14352)]

Thread 2.1 "sshd" hit Breakpoint 2, shmget (key=114, size=1, shmflg=0) at ../sysdeps/unix/sysv/linux/shmget.c:33
33      ../sysdeps/unix/sysv/linux/shmget.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14352
cmdline = '/usr/sbin/sshd -D -R'
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  shmget (key=114, size=1, shmflg=0) at ../sysdeps/unix/sysv/linux/shmget.c:33
#1  0xb748c3be in wait_random_seeded () at ../crypto/rand/rand_unix.c:391
#2  0xb748c7dd in rand_pool_acquire_entropy (pool=0xb92e9e80) at ../crypto/rand/rand_unix.c:611
#3  0xb748bbcd in rand_drbg_get_entropy (drbg=<optimized out>, pout=0xbfce72b8, entropy=256, min_len=32, max_len=2147483647, prediction_resistance=0) at ../crypto/rand/rand_lib.c:198
#4  0xb7489bb9 in RAND_DRBG_instantiate (drbg=0xb92e6ca0, pers=0xb752687c <ossl_pers_string> "OpenSSL NIST SP 800-90A DRBG", perslen=28) at ../crypto/rand/drbg_lib.c:338
#5  0xb748aa3b in drbg_setup (parent=parent@entry=0x0) at ../crypto/rand/drbg_lib.c:895
#6  0xb748aae7 in do_rand_drbg_init () at ../crypto/rand/drbg_lib.c:924
#7  do_rand_drbg_init_ossl_ () at ../crypto/rand/drbg_lib.c:909
#8  0xb6dbe4c5 in __pthread_once_slow (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:116
#9  0xb6dbe53d in __GI___pthread_once (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:143
#10 0xb74b892c in CRYPTO_THREAD_run_once (once=0xb75e5628 <rand_drbg_init>, init=0xb748aa70 <do_rand_drbg_init_ossl_>) at ../crypto/threads_pthread.c:118
#11 0xb748ac92 in RAND_DRBG_get0_master () at ../crypto/rand/drbg_lib.c:1102
#12 0xb748acd5 in drbg_status () at ../crypto/rand/drbg_lib.c:1084
#13 0xb77a745e in seed_rng () at ../../entropy.c:238
#14 0xb774b26a in main (ac=<optimized out>, av=0xb92d7370) at ../../sshd.c:1696
(gdb) cont
Continuing.

Thread 2.1 "sshd" hit Breakpoint 3, shmat (shmid=0, shmaddr=0x0, shmflg=4096) at ../sysdeps/unix/sysv/linux/shmat.c:30
30      ../sysdeps/unix/sysv/linux/shmat.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14352
cmdline = '/usr/sbin/sshd -D -R'
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  shmat (shmid=0, shmaddr=0x0, shmflg=4096) at ../sysdeps/unix/sysv/linux/shmat.c:30
#1  0xb748c3e4 in wait_random_seeded () at ../crypto/rand/rand_unix.c:436
#2  0xb748c7dd in rand_pool_acquire_entropy (pool=0xb92e9e80) at ../crypto/rand/rand_unix.c:611
#3  0xb748bbcd in rand_drbg_get_entropy (drbg=<optimized out>, pout=0xbfce72b8, entropy=256, min_len=32, max_len=2147483647, prediction_resistance=0) at ../crypto/rand/rand_lib.c:198
#4  0xb7489bb9 in RAND_DRBG_instantiate (drbg=0xb92e6ca0, pers=0xb752687c <ossl_pers_string> "OpenSSL NIST SP 800-90A DRBG", perslen=28) at ../crypto/rand/drbg_lib.c:338
#5  0xb748aa3b in drbg_setup (parent=parent@entry=0x0) at ../crypto/rand/drbg_lib.c:895
#6  0xb748aae7 in do_rand_drbg_init () at ../crypto/rand/drbg_lib.c:924
#7  do_rand_drbg_init_ossl_ () at ../crypto/rand/drbg_lib.c:909
#8  0xb6dbe4c5 in __pthread_once_slow (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:116
#9  0xb6dbe53d in __GI___pthread_once (once_control=0xb75e5628 <rand_drbg_init>, init_routine=0xb748aa70 <do_rand_drbg_init_ossl_>) at pthread_once.c:143
#10 0xb74b892c in CRYPTO_THREAD_run_once (once=0xb75e5628 <rand_drbg_init>, init=0xb748aa70 <do_rand_drbg_init_ossl_>) at ../crypto/threads_pthread.c:118
#11 0xb748ac92 in RAND_DRBG_get0_master () at ../crypto/rand/drbg_lib.c:1102
#12 0xb748acd5 in drbg_status () at ../crypto/rand/drbg_lib.c:1084
#13 0xb77a745e in seed_rng () at ../../entropy.c:238
#14 0xb774b26a in main (ac=<optimized out>, av=0xb92d7370) at ../../sshd.c:1696
(gdb) cont
Continuing.

Thread 2.1 "sshd" hit Breakpoint 1, __libc_fork () at ../sysdeps/nptl/fork.c:56
56      ../sysdeps/nptl/fork.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14352
cmdline = 'sshd: [accepted]    '
cwd = '/'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  __libc_fork () at ../sysdeps/nptl/fork.c:56
#1  0xb774cfdc in privsep_preauth (authctxt=0xb92efd10) at ../../sshd.c:596
#2  main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2236
(gdb) cont
Continuing.
[Attaching after Thread 0xb6d1f800 (LWP 14352) fork to child process 14353]
[New inferior 3 (process 14353)]
[Detaching after fork from parent process 14352]
[Inferior 2 (process 14352) detached]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[Switching to Thread 0xb6d1f800 (LWP 14353)]

Thread 3.1 "sshd" hit Breakpoint 4, shmdt (shmaddr=0xb7740000) at ../sysdeps/unix/sysv/linux/shmdt.c:33
33      ../sysdeps/unix/sysv/linux/shmdt.c: Datei oder Verzeichnis nicht gefunden.
(gdb) info proc
process 14353
cmdline = 'sshd: benutzer [net]'
cwd = '/run/sshd'
exe = '/usr/sbin/sshd'
(gdb) bt
#0  shmdt (shmaddr=0xb7740000) at ../sysdeps/unix/sysv/linux/shmdt.c:33
#1  0xb748c35a in cleanup_shm () at ../crypto/rand/rand_unix.c:370
#2  0xb7460fb3 in OPENSSL_cleanup () at ../crypto/init.c:519
#3  OPENSSL_cleanup () at ../crypto/init.c:497
#4  0xb6fdfae0 in __run_exit_handlers (status=0, listp=0xb71883fc <__exit_funcs>, run_list_atexit=true, run_dtors=true) at exit.c:108
#5  0xb6fdfc01 in __GI_exit (status=0) at exit.c:139
#6  0xb774da25 in main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2257
(gdb) display/i $pc
1: x/i $pc
=> 0xb70aa8c0 <shmdt>:  xor    %edx,%edx
(gdb) nexti
0xb70aa8c2      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c2 <shmdt+2>:        push   %edi
(gdb) 
0xb70aa8c3      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c3 <shmdt+3>:        mov    $0x75,%eax
(gdb) 
0xb70aa8c8      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c8 <shmdt+8>:        push   %esi
(gdb) 
0xb70aa8c9      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8c9 <shmdt+9>:        mov    %edx,%ecx
(gdb) 
0xb70aa8cb      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8cb <shmdt+11>:       mov    %edx,%esi
(gdb) 
0xb70aa8cd      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8cd <shmdt+13>:       push   %ebx
(gdb) 
0xb70aa8ce      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8ce <shmdt+14>:       mov    $0x16,%ebx
(gdb) 
0xb70aa8d3      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8d3 <shmdt+19>:       mov    0x10(%esp),%edi
(gdb) 
0xb70aa8d7      33      in ../sysdeps/unix/sysv/linux/shmdt.c
1: x/i $pc
=> 0xb70aa8d7 <shmdt+23>:       call   *%gs:0x10
(gdb) 
0xb7716d3c in ?? ()
1: x/i $pc
=> 0xb7716d3c:  push   %ecx
(gdb) 
0xb7716d3d in ?? ()
1: x/i $pc
=> 0xb7716d3d:  push   %edx
(gdb) 
0xb7716d3e in ?? ()
1: x/i $pc
=> 0xb7716d3e:  push   %ebp
(gdb) 
0xb7716d3f in ?? ()
1: x/i $pc
=> 0xb7716d3f:  mov    %esp,%ebp
(gdb) 
0xb7716d41 in ?? ()
1: x/i $pc
=> 0xb7716d41:  sysenter 
(gdb) bt
#0  0xb7716d41 in ?? ()
#1  0x00000000 in ?? ()
(gdb) stepi

Program terminated with signal SIGSYS, Bad system call.
The program no longer exists.
(gdb) q





