
Bug#1013451: openssh-client: double free or corruption



GNU gdb (Debian 12.1-2) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
   <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ssh...
Reading symbols from /usr/lib/debug/.build-id/2a/f97f1bdaee7cdffdc6275b9e837796ba8c0d30.debug...
(gdb) r
Starting program: /usr/bin/ssh -p7386 localhost
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
double free or corruption (!prev)

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
49  ../sysdeps/unix/sysv/linux/raise.c: File o directory non esistente.
(gdb) br
Breakpoint 1 at 0x7ffff785f8a1: file ../sysdeps/unix/sysv/linux/raise.c, line 49.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7849546 in __GI_abort () at abort.c:79
#2  0x00007ffff78a0eb8 in __libc_message (action=action@entry=do_abort,
   fmt=fmt@entry=0x7ffff79bea78 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff78a891a in malloc_printerr (
   str=str@entry=0x7ffff79c0fa0 "double free or corruption (!prev)") at malloc.c:5628
#4  0x00007ffff78aa1ac in _int_free (av=0x7ffff79f5ba0 <main_arena>, p=0x5555556b8350,  
   have_lock=<optimized out>) at malloc.c:4550
#5  0x00007ffff78ad9b4 in __GI___libc_free (mem=<optimized out>) at malloc.c:3309
#6  0x00007ffff7b2bd2c in ?? () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#7  0x00007ffff7b1858e in BN_mod_exp_mont_consttime_x2 () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#8  0x00007ffff7c77b6d in ?? () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#9  0x00007ffff7c79010 in ?? () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#10 0x00007ffff7c7d0d1 in RSA_sign () from /usr/lib/x86_64-linux-gnu/libcrypto.so.3
#11 0x00005555555d6ee0 in ssh_rsa_sign (key=key@entry=0x5555556c89e0, sigp=sigp@entry=0x7fffffffc3c0,  
   lenp=lenp@entry=0x7fffffffc3c8, data=data@entry=0x5555556b6e70 "", datalen=<optimized out>,
   alg_ident=alg_ident@entry=0x5555556b2da0 "rsa-sha2-512") at ../../ssh-rsa.c:206
#12 0x000055555559a65e in sshkey_sign (key=key@entry=0x5555556c89e0, sigp=sigp@entry=0x7fffffffc3c0,  
   lenp=lenp@entry=0x7fffffffc3c8, data=data@entry=0x5555556b6e70 "", datalen=datalen@entry=542,
   alg=alg@entry=0x5555556b2da0 "rsa-sha2-512", sk_provider=0x5555556a7770 "internal", sk_pin=0x0,  
   compat=67108864) at ../../sshkey.c:2787
#13 0x00005555555806ac in identity_sign (alg=0x5555556b2da0 "rsa-sha2-512", compat=67108864,  
   datalen=542, data=0x5555556b6e70 "", lenp=0x7fffffffc3c8, sigp=0x7fffffffc3c0, id=0x5555556bb450)
   at ../../sshconnect2.c:1432
#14 sign_and_send_pubkey (ssh=ssh@entry=0x5555556a4ad0, id=id@entry=0x5555556bb450)
   at ../../sshconnect2.c:1602
#15 0x0000555555583752 in input_userauth_pk_ok (type=<optimized out>, seq=<optimized out>,  
   ssh=0x5555556a4ad0) at ../../sshconnect2.c:830
#16 0x00005555555c95c6 in ssh_dispatch_run (ssh=ssh@entry=0x5555556a4ad0, mode=mode@entry=0,  
   done=done@entry=0x7fffffffc578) at ../../dispatch.c:113
#17 0x00005555555c9719 in ssh_dispatch_run_fatal (ssh=ssh@entry=0x5555556a4ad0, mode=mode@entry=0,  
   done=done@entry=0x7fffffffc578) at ../../dispatch.c:133
--Type <RET> for more, q to quit, c to continue without paging--
#18 0x0000555555582906 in ssh_userauth2 (ssh=ssh@entry=0x5555556a4ad0,  
   local_user=local_user@entry=0x5555556a8850 "root",  
   server_user=server_user@entry=0x5555556a8890 "root", host=host@entry=0x5555556b2390 "localhost",  
   sensitive=sensitive@entry=0x55555565c390 <sensitive_data>) at ../../sshconnect2.c:557
#19 0x000055555557c267 in ssh_login (ssh=0x5555556a4ad0,  
   sensitive=sensitive@entry=0x55555565c390 <sensitive_data>, orighost=<optimized out>,  
   hostaddr=hostaddr@entry=0x55555565c3a0 <hostaddr>, port=<optimized out>, pw=<optimized out>,  
   timeout_ms=-1000, cinfo=0x5555556ac190) at ../../sshconnect.c:1573
#20 0x0000555555561dfa in main (ac=<optimized out>, av=<optimized out>) at ../../ssh.c:1661


