[Bug 1268719] [NEW] sshd cause segfault in libc if too many IP addresses on interface

Launchpad Bug Tracker 1268719 at bugs.launchpad.net
Mon Jan 13 20:35:46 UTC 2014


*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

sshd causes a segfault in libc during a new user connection if too many IP
addresses are assigned to any interface

If any network interface in the system has too many addresses on it, sshd
segfaults at every new login:

sshd[28944]: segfault at 7fff2d3b6ff0 ip 00007fa8f7ac7ee8 sp
00007fff2d3b6ff0 error 6 in libc-2.15.so[7fa8f79ae000+1b5000]

Script to configure addresses:


#!/bin/bash
# Create a dummy tun interface and assign up to 4*254*254 addresses
# from 10.0.0.0/8 to it, one /24 at a time.
ip tuntap add mode tun dev ssh_down
for a in `seq 1 4`; do
        for b in `seq 1 254`; do
                # Log progress for each /24 with a timestamp and epoch seconds
                # (month/minute format specifiers fixed: %m is month, %M is minute).
                echo "10.$a.$b.x " `date '+%Y-%m-%d %H:%M:%S %s'`|tee -a log
                for c in `seq 1 254`;do
                        ip a a 10.$a.$b.$c/8 dev ssh_down
                done
        done
done

It will take some time to generate enough addresses (in my case it was
about 20 minutes). Somewhere during that time new ssh connections start
to fail.

In my tests the critical point was somewhere near 10.3.200.x (3*253*253 =~ 200k
addresses).

Reproducibility: always

Security scope: This bug allows a user with netadmin privileges to completely
disable new logins to the server via ssh.

Steps to reproduce:

1. Run the script.
2. Wait until it is done.
3. Try to log in to that server.

Expected behavior: successful login
Actual behavior:
ssh_exchange_identification: read: Connection reset by peer
plus, in dmesg:
[  622.730506] sshd[32556]: segfault at 7fff3568ffd0 ip 00007f5d1dda7ee8 sp 00007fff3568ffd0 error 6 in libc-2.15.so[7f5d1dc8e000+1b5000]

Existing ssh connections are not affected.
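For triaging the dmesg lines quoted in this report, here is an added helper (not part of the bug report, of Ubuntu, or of OpenSSH) that parses the kernel's "segfault at ..." message and decodes the x86 page-fault error bits, whether the faulting instruction lies inside the named libc mapping, and whether the faulting address is exactly the stack pointer. It assumes an x86-64 kernel message format; the two sample lines are copied from the report.

```python
import re

# Kernel "segfault at ..." message as printed to dmesg/syslog on x86-64.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# x86 page-fault error code bits (arch/x86/include/asm/trap_pf.h).
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


def triage_segfault(line):
    """Parse one kernel segfault line; return None if it does not match."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, sp = (int(m.group(k), 16) for k in ("addr", "ip", "sp"))
    base, size = int(m.group("base"), 16), int(m.group("size"), 16)
    err = int(m.group("err"))
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "object": m.group("obj"),
        # Bit 0 clear means the page was not present at all.
        "page_present": bool(err & PF_PROT),
        "write": bool(err & PF_WRITE),
        "user_mode": bool(err & PF_USER),
        "instruction_fetch": bool(err & PF_INSTR),
        # Did the fault happen while executing inside the mapping the kernel named?
        "ip_in_object": base <= ip < base + size,
        # A write fault exactly at the stack pointer (assumption: downward-growing
        # x86-64 stack) is what a thread running off the end of its stack looks like.
        "fault_at_sp": addr == sp,
    }


# Sample lines copied from the report (constructed test input for stand-alone use).
SAMPLES = [
    "sshd[28944]: segfault at 7fff2d3b6ff0 ip 00007fa8f7ac7ee8 sp 00007fff2d3b6ff0 "
    "error 6 in libc-2.15.so[7fa8f79ae000+1b5000]",
    "[  622.730506] sshd[32556]: segfault at 7fff3568ffd0 ip 00007f5d1dda7ee8 "
    "sp 00007fff3568ffd0 error 6 in libc-2.15.so[7f5d1dc8e000+1b5000]",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage_segfault(s))
```

For both lines the decoded result is a user-mode write to a not-present page at the stack pointer, with the instruction pointer inside libc-2.15.so, which is the pattern to look for when correlating further sshd crashes with this bug.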

Ubuntu version:
Description:	Ubuntu 12.04.3 LTS
Release:	12.04


ssh version:
openssh-client                  1:5.9p1-5ubuntu1.1
openssh-server                  1:5.9p1-5ubuntu1.1
ssh                             1:5.9p1-5ubuntu1.1

libc version:
libc-bin                        2.15-0ubuntu10.5 
libc-dev-bin                    2.15-0ubuntu10.5
libc6                           2.15-0ubuntu10.5
libc6-dev                       2.15-0ubuntu10.5

Kernel version:
linux-image-3.2.0-58-generic    3.2.0-58.88

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: bot-comment
-- 
sshd cause segfault in libc if too many IP addresses on interface
https://bugs.launchpad.net/bugs/1268719