sshd causes segfault in libc if too many IP addresses on interface

Bug #1268719 reported by George Shuklin
Affects: openssh (Ubuntu)   Status: New   Importance: Low   Assigned to: Unassigned   Milestone: none

Bug Description

sshd causes a segfault in libc during a new user connection if too many IP addresses are assigned to any interface

If any network interface in the system has too many addresses on it, sshd segfaults at every new login:

sshd[28944]: segfault at 7fff2d3b6ff0 ip 00007fa8f7ac7ee8 sp 00007fff2d3b6ff0 error 6 in libc-2.15.so[7fa8f79ae000+1b5000]

Script to configure addresses:

#!/bin/bash
# Creates a tun device and adds 4*254*254 (~258k) addresses to it.
# Needs root / CAP_NET_ADMIN. Clean up afterwards with: ip link del ssh_down
ip tuntap add mode tun dev ssh_down
for a in `seq 1 4`; do
        for b in `seq 1 254`; do
                # progress line per /24 with a timestamp (%m = month, %M = minute)
                echo "10.$a.$b.x " `date '+%Y-%m-%d %H:%M:%S %s'`|tee -a log
                for c in `seq 1 254`;do
                        ip a a 10.$a.$b.$c/8 dev ssh_down
                done
        done
done

It is going to take some time to generate enough addresses (in my case it was about 20 minutes). Somewhere during that time new ssh connections start to fail.

In my tests the critical point was somewhere near 10.3.200.x (3*253*253 = ~200k addresses).

Reproducibility: always

Security scope: This bug allows a user with netadmin privileges to completely disable new logins to the server via ssh.

Steps to reproduce:

1. Run the script
2. Wait until it is done
3. Try to log in to that server.

Expected behavior: successful login
Actual behavior:
ssh_exchange_identification: read: Connection reset by peer
plus, in dmesg:
[ 622.730506] sshd[32556]: segfault at 7fff3568ffd0 ip 00007f5d1dda7ee8 sp 00007fff3568ffd0 error 6 in libc-2.15.so[7f5d1dc8e000+1b5000]

Existing ssh connections are not affected.

Ubuntu version:
Description: Ubuntu 12.04.3 LTS
Release: 12.04

ssh version:
openssh-client 1:5.9p1-5ubuntu1.1
openssh-server 1:5.9p1-5ubuntu1.1
ssh 1:5.9p1-5ubuntu1.1

libc version:
libc-bin 2.15-0ubuntu10.5
libc-dev-bin 2.15-0ubuntu10.5
libc6 2.15-0ubuntu10.5
libc6-dev 2.15-0ubuntu10.5

Kernel version:
linux-image-3.2.0-58-generic 3.2.0-58.88
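
The two dmesg lines quoted above carry enough to classify the crash without a core file. The following Python script is an added example, not part of the bug report or of OpenSSH: it parses the kernel's "segfault at" message, decodes the x86 page-fault error code, and checks whether the faulting address is the stack pointer. The field layout and error-code bit meanings are the kernel's; the sample lines are the two from this report; the function names and the "looks like stack exhaustion" classification are my own interpretation, not something the report states.

```python
import re
from typing import Optional

# Sample input: the two kernel segfault lines quoted in the bug report.
SAMPLE_LINES = [
    "sshd[28944]: segfault at 7fff2d3b6ff0 ip 00007fa8f7ac7ee8 sp 00007fff2d3b6ff0 "
    "error 6 in libc-2.15.so[7fa8f79ae000+1b5000]",
    "[  622.730506] sshd[32556]: segfault at 7fff3568ffd0 ip 00007f5d1dda7ee8 "
    "sp 00007fff3568ffd0 error 6 in libc-2.15.so[7f5d1dc8e000+1b5000]",
]

# Layout of the x86 kernel's "segfault at" message: comm[pid]: segfault at
# <addr> ip <ip> sp <sp> error <code> in <object>[<base>+<size>]
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(err: int) -> dict:
    """Decode the x86 page-fault error code bits."""
    return {
        "protection_violation": bool(err & 0x1),  # False: page was not present
        "write": bool(err & 0x2),                 # False: read access
        "user_mode": bool(err & 0x4),
        "reserved_bit": bool(err & 0x8),
        "instruction_fetch": bool(err & 0x10),
    }


def parse_segfault(line: str) -> Optional[dict]:
    """Return the decoded crash record for one dmesg line, or None if no match."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    addr, ip, sp = (int(m[k], 16) for k in ("addr", "ip", "sp"))
    base, size = int(m["base"], 16), int(m["size"], 16)
    flags = decode_error(int(m["err"]))
    offset = ip - base  # offset inside the mapped object; stable across ASLR
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "obj": m["obj"],
        "offset": offset,
        "ip_in_mapping": 0 <= offset < size,
        "fault_at_sp": addr == sp,
        # Interpretation (not stated in the report): a user-mode write to a
        # not-present page at the stack pointer is the usual signature of
        # stack exhaustion (a huge stack allocation or deep recursion).
        "looks_like_stack_exhaustion": (
            addr == sp and flags["write"] and flags["user_mode"]
            and not flags["protection_violation"]
        ),
        **flags,
    }


def triage(lines) -> dict:
    """Parse many lines and group them by (object, offset) crash site."""
    records = [r for r in map(parse_segfault, lines) if r is not None]
    sites = {(r["obj"], r["offset"]) for r in records}
    return {
        "parsed": len(records),
        "distinct_sites": len(sites),
        "all_stack_exhaustion": bool(records)
        and all(r["looks_like_stack_exhaustion"] for r in records),
        "records": records,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for r in result["records"]:
        print(f"{r['comm']}[{r['pid']}]: {r['obj']}+0x{r['offset']:x} "
              f"fault_at_sp={r['fault_at_sp']} "
              f"stack_exhaustion={r['looks_like_stack_exhaustion']}")
    print("distinct crash sites:", result["distinct_sites"])
```

Run on the two reported lines, both crashes land at the same libc offset (0x119ee8) with the fault address equal to sp and error code 6 (user-mode write to a not-present page), which is what one would compare against a third machine's dmesg before assuming the same root cause.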

Tags: bot-comment
information type: Private Security → Public Security
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.

To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/1268719/+editstatus and add the package name in the text box next to the word Package.

[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]

tags: added: bot-comment
affects: ubuntu → openssh (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

Unmarking as security bug. If you have CAP_NET_ADMIN then you can disrupt ssh communications by any number of other means.

information type: Public Security → Public
Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Setting this to Importance: Low; justification: "Bugs that affect unusual end-user configurations".

I suggest that you check to see if Debian or upstream directly (compiled from upstream source without packaging) is affected and report this bug in those places if they are affected.

Changed in openssh (Ubuntu):
importance: Undecided → Low