sshd crashed on s390x with hw crypto enabled

Bug #1819487 reported by Frank Heimes

Affects                  Status        Importance  Assigned to  Milestone
Ubuntu on IBM z Systems  Fix Released  High        bugproxy
openssh (Ubuntu)         Invalid       Undecided   Unassigned
openssl-ibmca (Ubuntu)   Fix Released  Undecided   Unassigned

Bug Description

While using today's daily image of disco (either in z/VM or on LPAR) and enabling s390x hardware crypto support in openssh, sshd crashes with the following messages:

$ ssh ubuntu@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:KoTYC0jCQPtmsOMmBW9DrCiBbkrKTL0leQ/zoIaInNw.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
ubuntu@localhost's password:
packet_write_wait: Connection to ::1 port 22: Broken pipe
(local session is sufficient to reproduce)

Steps to reproduce - on disco daily:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Disco Dingo (development branch)
Release: 19.04
Codename: disco
$ uname -a
Linux zlin42 5.0.0-7-generic #8-Ubuntu SMP Mon Mar 4 16:25:21 UTC 2019 s390x s390x s390x GNU/Linux

- enable z hw crypto support for openssh on an Ubuntu host (zlin42) on s390x like this:
- sudo apt-get install openssl-ibmca libica-utils libica3
- sudo tee -a /etc/ssl/openssl.cnf < /usr/share/doc/openssl-ibmca/examples/openssl.cnf.sample
- sudo sed -i 's/^\(openssl_conf = openssl_def.*$\)/# \1/g' /etc/ssl/openssl.cnf
- sudo sed -i '10i openssl_conf = openssl_def' /etc/ssl/openssl.cnf
- afterwards ssh login attempts fail (existing sessions are unaffected):
   $ ssh ubuntu@localhost
   The authenticity of host 'localhost (::1)' can't be established.
   ECDSA key fingerprint is SHA256:KoTYC0jCQPtmsOMmBW9DrCiBbkrKTL0leQ/zoIaInNw.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
   ubuntu@localhost's password:
   packet_write_wait: Connection to ::1 port 22: Broken pipe

[94629.032586] User process fault: interruption code 003b ilc:2 in libpthread-2.29.so[3ff7d480000+1c000]
[94629.032597] Failing address: 0000000000000000 TEID: 0000000000000800
[94629.032598] Fault in primary space mode while using user ASCE.
[94629.032601] AS:00000007450281c7 R3:0000000000000024
[94629.032606] CPU: 0 PID: 8183 Comm: sshd Not tainted 5.0.0-7-generic #8-Ubuntu
[94629.032607] Hardware name: IBM 2964 N63 400 (LPAR)
[94629.032608] User PSW : 0705200180000000 000003ff7d48e954
[94629.032610] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:2 PM:0 RI:0 EA:3
[94629.032611] User GPRS: 0000000000000000 0000000000000000 0000000000000000 000003ff7e0085c8
[94629.032612] 000003ff7e510108 000003ff7db1c3a8 0000000000000000 000003fff857eea0
[94629.032613] 000003ff7e525040 000002aa3f5ec090 000003ff7e4916f0 000003ff7e4921a8
[94629.032614] 000003ff7db17c18 0000000000000002 000003ff7e07238a 000003fff857ea20
[94629.032622] User Code: 000003ff7d48e946: b9040012 lgr %r1,%r2
                          000003ff7d48e94a: e3f0ff60ff71 lay %r15,-160(%r15)
                         #000003ff7d48e950: 47000000 bc 0,0
                         >000003ff7d48e954: 58202018 l %r2,24(%r2)
                          000003ff7d48e958: b24f00b0 ear %r11,%a0
                          000003ff7d48e95c: ebbb0020000d sllg %r11,%r11,32
                          000003ff7d48e962: b24f00b1 ear %r11,%a1
                          000003ff7d48e966: 5920b0d0 c %r2,208(%r11)
[94629.032634] Last Breaking-Event-Address:
[94629.032638] [<000003ff7df773b4>] 0x3ff7df773b4

For more details see attachments ...
---
ProblemType: Bug
ApportVersion: 2.20.10-0ubuntu23
Architecture: s390x
DistroRelease: Ubuntu 19.04
Package: openssh-server 1:7.9p1-9
PackageArchitecture: s390x
ProcVersionSignature: Ubuntu 5.0.0-7.8-generic 5.0.0
SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code -11:
Tags: disco
Uname: Linux 5.0.0-7-generic s390x
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: pkcs11
_MarkForUpload: True

Revision history for this message
Frank Heimes (fheimes) wrote :

GNU gdb (Ubuntu 8.2.90-0ubuntu1) 8.2.90
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "s390x-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/sshd...
Reading symbols from /usr/lib/debug/.build-id/18/2cb9bda0be98e50d87a4104872aead696f1998.debug...
[New LWP 27159]
Core was generated by `sshd: ubuntu [net] '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000003ff9d10cd54 in ?? ()
(gdb) bt
#0 0x000003ff9d10cd54 in ?? ()
#1 0x000003ff9dcf155a in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

description: updated
Revision history for this message
Frank Heimes (fheimes) wrote :

Please see also LP 1686618 aka bugzilla LTC Bug 153940 and 156865.
With the new crypto features available, probably more/new things need to be allowed in sshd.
Check that/if sandboxing works in sshd with hw crypto.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
importance: Undecided → High
assignee: nobody → bugproxy (bugproxy)
tags: added: reverse-proxy-bugzilla
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: New → Triaged
Revision history for this message
Harald Freudenberger (freude-5) wrote :

Can you recreate this with debug info installed ?
I'd like to see the callstack with symbol information to find out
where the upper stack frames are located.
I see a lot of audit messages in the syslog snippet. Is
SELINUX enabled? If so, try to recreate with selinux disabled.
Some more history of the syslog messages would also help.
If the sandboxed process spawned by the sshd at the login attempt
denies some system calls (for example an ioctl on the device
/dev/zcrypt) there are usually some notes to find there.
Some information about the crypto hardware you are using
would also be fine. Accelerator ? Coprocessor ? The output
of lszcrypt -V would help. Can you see the counter(s) increasing
with each attempt ?

Thanks
Harald Freudenberger

Frank Heimes (fheimes)
description: updated
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

This is Ubuntu, so apparmor is enabled by default, rather than selinux. Also, in stock configurations we shouldn't be disabling selinux/apparmor.

@Frank if there is a crash file, you can do $ ubuntu-bug /var/crash/path-to.crash

For them to be generated, you may need to install apport whoopsie (the non-interactive ui one maybe) cause then launchpad can retrace crashes with debug symbols on.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Oooh, I see crashes anyway, let's see if I can force launchpad to retrace them for us.

Revision history for this message
Frank Heimes (fheimes) wrote :

Two crash files were already uploaded - see above, but manually.

I just created another nice(er) 'apport-retrace --gdb' output locally on that system (w/ dbgsym):

$ sudo apport-retrace --gdb --rebuild-package-info /var/crash/_usr_sbin_sshd.0.crash
GNU gdb (Ubuntu 8.2.90-0ubuntu1) 8.2.90
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "s390x-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word".
Reading symbols from /usr/sbin/sshd...
Reading symbols from /usr/lib/debug/.build-id/18/2cb9bda0be98e50d87a4104872aead696f1998.debug...
[New LWP 4508]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/s390x-linux-gnu/libthread_db.so.1".
Core was generated by `/usr/sbin/sshd -T'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_rwlock_wrlock_full (abstime=0x0, rwlock=0x0)
    at pthread_rwlock_common.c:581
581 pthread_rwlock_common.c: No such file or directory.
(gdb) bt
#0 __pthread_rwlock_wrlock_full (abstime=0x0, rwlock=0x0)
    at pthread_rwlock_common.c:581
#1 __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
#2 0x000003ffab27238a in CRYPTO_THREAD_write_lock ()
   from /lib/s390x-linux-gnu/libcrypto.so.1.1
#3 0x000003ffab208b32 in ERR_unload_strings ()
   from /lib/s390x-linux-gnu/libcrypto.so.1.1
#4 0x000003ffab6868b4 in ERR_unload_IBMCA_strings () at e_ibmca_err.c:122
#5 0x000003ffab684dd2 in ibmca_destructor () at e_ibmca.c:754
#6 0x000003ffab7100ea in ?? () from /lib/ld64.so.1
#7 0x000003ffaabc79e8 in __run_exit_handlers (status=<optimized out>,
    listp=0x3ffaad189a8 <__exit_funcs>,
    run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true)
    at exit.c:108
#8 0x000003ffaabc7ad8 in __GI_exit (status=<optimized out>) at exit.c:139
#9 0x000002aa192909c0 in main (ac=<optimized out>, av=<optimized out>)
    at ../../sshd.c:2257
(gdb) quit

(if you wanna see it colored, see attachment)
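
A triage sketch for the backtrace in the comment above, added here as an example; it is not part of the original report or of apport/Launchpad tooling. It parses gdb `bt` text and reports whether the fault happened during process exit, which destructor the loader had invoked, and which NULL argument the faulting frame received from its caller. The names `parse_frames` and `triage` are hypothetical.

```python
import re

# Frames from the apport-retrace backtrace quoted above. Only frame #0 keeps
# gdb's line wrap, and frame #7's argument list is abbreviated.
BACKTRACE = """\
#0 __pthread_rwlock_wrlock_full (abstime=0x0, rwlock=0x0)
    at pthread_rwlock_common.c:581
#1 __GI___pthread_rwlock_wrlock (rwlock=0x0) at pthread_rwlock_wrlock.c:27
#2 0x000003ffab27238a in CRYPTO_THREAD_write_lock () from /lib/s390x-linux-gnu/libcrypto.so.1.1
#3 0x000003ffab208b32 in ERR_unload_strings () from /lib/s390x-linux-gnu/libcrypto.so.1.1
#4 0x000003ffab6868b4 in ERR_unload_IBMCA_strings () at e_ibmca_err.c:122
#5 0x000003ffab684dd2 in ibmca_destructor () at e_ibmca.c:754
#6 0x000003ffab7100ea in ?? () from /lib/ld64.so.1
#7 0x000003ffaabc79e8 in __run_exit_handlers (status=<optimized out>) at exit.c:108
#8 0x000003ffaabc7ad8 in __GI_exit (status=<optimized out>) at exit.c:139
#9 0x000002aa192909c0 in main (ac=<optimized out>, av=<optimized out>) at ../../sshd.c:2257
"""

FRAME = re.compile(
    r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \((.*?)\)"
    r"(?: at (\S+):(\d+))?(?: from (\S+))?")
EXIT_FUNCS = {"exit", "__GI_exit", "__run_exit_handlers"}

def parse_frames(text):
    # gdb wraps long frames; glue continuation lines onto their "#N" line first.
    joined = re.sub(r"\n(?!#)\s*", " ", text.strip())
    frames = []
    for line in joined.splitlines():
        m = FRAME.match(line)
        if m:
            num, func, args, src, lineno, lib = m.groups()
            frames.append({"n": int(num), "func": func, "src": src, "lib": lib,
                           "line": lineno and int(lineno),
                           "null": set(re.findall(r"(\w+)=0x0\b", args))})
    return frames

def triage(text):
    frames = parse_frames(text)
    exit_idx = next((i for i, f in enumerate(frames) if f["func"] in EXIT_FUNCS), None)
    # Closest named frame above the exit handlers: the destructor the loader ran.
    named = [f for f in frames[:exit_idx or 0] if f["func"] != "??"]
    dtor = named[-1] if named else None
    # NULL arguments the faulting frame was handed unchanged by its caller.
    passed = frames[0]["null"] & frames[1]["null"] if len(frames) > 1 else set()
    return {"crash_at_exit": exit_idx is not None,
            "destructor": dtor and (dtor["func"], dtor["src"], dtor["line"]),
            "null_passed_in": sorted(passed)}
```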

Revision history for this message
Frank Heimes (fheimes) wrote : Dependencies.txt

apport information

tags: added: apport-collected disco
description: updated
Revision history for this message
Frank Heimes (fheimes) wrote : ProcCpuinfoMinimal.txt

apport information

Revision history for this message
Frank Heimes (fheimes) wrote : ProcEnviron.txt

apport information

Revision history for this message
Harald Freudenberger (freude-5) wrote :

enough ffdc data
Thanks

This happens at ibmca destruction time.
Looks like there is some kind of double free or so in the
destructor for the ibmca engine. We had some issues like
this in the past already. I'll have a look at the code ...

Thanks Frank and Xnox

regards Harald Freudenberger

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-03-15 08:55 EDT-------
Description will be mirrored via reverse mirroring

tags: added: architecture-s39064 bugnameltc-176142 severity-high targetmilestone-inin1904
Revision history for this message
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2019-03-18 10:31 EDT-------
I am unable to recreate this on Ubuntu 18.10. However, I reviewed the destructor code in ibmca and found some code which could be the reason.
So I'll give you a patch for checking - just a shot in the dark...

Revision history for this message
bugproxy (bugproxy) wrote : ibmca rework on error string init and exit

------- Comment on attachment From <email address hidden> 2019-03-18 10:34 EDT-------

Here is an attempt to maybe fix the issue.
Can you please apply this on top of the ibmca code, build and test ?

Btw. some info about your crypto config would also help me to try to recreate this. Just an lszcrypt -V output would be fine.

Thanks
Harald Freudenberger

Revision history for this message
Frank Heimes (fheimes) wrote :

$ sudo lszcrypt -b
ap_domain=0xc
ap_max_domain_id=0x54
ap_interrupts are enabled
config_time=30 (seconds)
poll_thread is disabled
poll_timeout=250000 (nanoseconds)

$ sudo lszcrypt -V
CARD.DOMAIN TYPE  MODE       STATUS REQUESTS PENDING HWTYPE QDEPTH FUNCTIONS DRIVER
--------------------------------------------------------------------------------------------
00          CEX5C CCA-Coproc online   100016       0     11     08 S--D--N-- cex4card
00.000c     CEX5C CCA-Coproc online   100016       0     11     08 S--D--N-- cex4queue

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

This cannot be reproduced on 18.10, as on 18.10 openssh uses libssl1.0.0 package, yet openssl-ibmca is provided for libssl1.1 only.

In disco (19.04), openssh has been upgraded to use libssl1.1 with a matching openssl-ibmca for libssl1.1.

If you want to reproduce this on 18.10, do add 'disco' repository in /etc/apt/sources.list and upgrade to disco's version of openssh-server.

(note that 19.04 uses newer openssl-ibmca too 2.0.2 vs 2.0.0 which was in 18.10).

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

This PPA:
https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3681

Will soon have openssl-ibmca with above mentioned patch, built and published.

Revision history for this message
Frank Heimes (fheimes) wrote :

I just verified the updated package:
$ apt-cache policy openssl-ibmca
openssl-ibmca:
  Installed: 2.0.2-0ubuntu2
  Candidate: 2.0.2-0ubuntu2
  Version table:
 *** 2.0.2-0ubuntu2 100
        100 /var/lib/dpkg/status
     2.0.2-0ubuntu1 500
        500 http://us.ports.ubuntu.com/ubuntu-ports disco/universe s390x Packages
and it looks like it fixes the problem.
With this package installed and hw crypto enabled,
I can again remotely (and locally) log in to that disco system w/o an sshd crash.
Thanks!

Frank Heimes (fheimes)
Changed in openssl-ibmca (Ubuntu):
status: New → Fix Committed
Changed in ubuntu-z-systems:
status: Triaged → Fix Committed
Changed in openssh (Ubuntu):
status: New → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssl-ibmca - 2.0.2-0ubuntu2

---------------
openssl-ibmca (2.0.2-0ubuntu2) disco; urgency=medium

  * Rework error string init and exit. LP: #1819487

 -- Dimitri John Ledkov <email address hidden> Mon, 18 Mar 2019 15:03:08 +0000

Changed in openssl-ibmca (Ubuntu):
status: Fix Committed → Fix Released
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2019-04-02 07:38 EDT-------
IBM Bugzilla status -> closed, Fix Released with Disco
