### Dropbear MMAP problem?

Matt Johnston matt at ucc.asn.au
Wed Jul 8 23:52:28 WST 2009


Ah right. That code block is what switches from the root
user (which Dropbear runs as) to the uid of whichever user
they have logged in as. If the only user logging in is root,
you could remove the "if (getuid() == 0)" block and just leave
the check that the login uid matches the running user.

I assume the bit that crashes on exit is the call to 
common_session_cleanup() via svr_dropbear_exit(). I've attached
a patch that will only run the cleanup for the main server
process - does that look OK?

Cheers,
Matt

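The uid/gid switch Matt describes above, together with the vfork caveat from his earlier reply in the quoted thread, as an added example that is not Dropbear's own code: a vfork-safe spawn that resolves the login user's groups in the parent, switches credentials in the child with system calls only (groups and gid first, uid last, then a check that root cannot be regained), execs, and on any failure calls _exit() instead of the daemon's normal exit path. It assumes Linux with glibc; the names privdrop_decide, resolve_creds, drop_privileges, spawn_as and run_as_self and the 64-group cap are this example's own, not Dropbear's.

```c
/* Added example, not Dropbear code; assumes Linux/glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_GROUPS 64   /* this example's own limit on supplementary groups */

/* Resolved in the parent, so the vfork child needs no heap and no /etc/group. */
struct target_creds { uid_t uid; gid_t gid; gid_t groups[MAX_GROUPS]; int ngroups; };

enum privdrop_plan { PLAN_SWITCH, PLAN_ALREADY_TARGET, PLAN_REFUSE };

/* The decision the quoted block makes: root may switch to anyone, a daemon
 * already running as the requested uid has nothing to do, all else is refused. */
enum privdrop_plan privdrop_decide(uid_t running_uid, uid_t target_uid)
{
    if (running_uid == 0) return PLAN_SWITCH;
    if (running_uid == target_uid) return PLAN_ALREADY_TARGET;
    return PLAN_REFUSE;
}

/* Parent-side lookup of uid, primary gid and supplementary groups by name. */
int resolve_creds(const char *name, struct target_creds *tc)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    tc->uid = pw->pw_uid;
    tc->gid = pw->pw_gid;
    tc->ngroups = MAX_GROUPS;
    if (getgrouplist(name, pw->pw_gid, tc->groups, &tc->ngroups) < 0)
        tc->ngroups = MAX_GROUPS;   /* list truncated: keep the ones that fit */
    return 0;
}

/* System calls only, so safe inside a vfork child. Groups and gid first while
 * still root, uid last, then prove root cannot be regained. 0, or -1 + errno. */
int drop_privileges(const struct target_creds *tc)
{
    switch (privdrop_decide(getuid(), tc->uid)) {
    case PLAN_SWITCH:
        if (setgroups((size_t)tc->ngroups, tc->groups) < 0) return -1;
        if (setgid(tc->gid) < 0) return -1;
        if (setuid(tc->uid) < 0) return -1;
        if (tc->uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
        return 0;
    case PLAN_ALREADY_TARGET:
        return 0;
    default:
        errno = EPERM;
        return -1;
    }
}

/* vfork-safe spawn: until the child calls execv() or _exit() the parent is
 * suspended and shares its address space, so the child must never return,
 * call exit(), or run the parent's cleanup. SIGCHLD stays blocked until the
 * caller holds the pid, so the handler cannot run before it is recorded. */
pid_t spawn_as(const struct target_creds *tc, char *const argv[])
{
    sigset_t block, saved;
    pid_t pid;
    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &saved);
    pid = vfork();
    if (pid == 0) {
        sigprocmask(SIG_SETMASK, &saved, NULL);   /* the child's own mask */
        if (drop_privileges(tc) == 0) execv(argv[0], argv);
        _exit(127);                               /* never exit() here */
    }
    sigprocmask(SIG_SETMASK, &saved, NULL);
    return pid;                                   /* -1 if vfork() failed */
}

/* Run one program as the current user: its exit status, 127 if the credential
 * switch or the exec failed in the child, -1 if spawn or wait failed. */
int run_as_self(const char *path)
{
    struct target_creds tc;
    struct passwd *pw = getpwuid(getuid());
    char *argv[] = { (char *)path, NULL };
    int status;
    pid_t pid;
    if (pw == NULL || resolve_creds(pw->pw_name, &tc) < 0) {
        tc.uid = getuid();            /* no passwd entry: keep what we are */
        tc.gid = getgid();
        tc.ngroups = getgroups(MAX_GROUPS, tc.groups);
        if (tc.ngroups < 0) tc.ngroups = 0;
    }
    pid = spawn_as(&tc, argv);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Run as root it takes the setgroups/setgid/setuid path and then verifies that setuid(0) fails; run as an unprivileged user it takes the same-uid path that the else branch of the quoted block expresses. The _exit(127) is the part that matters on a vfork child: exit() would run atexit handlers and flush stdio in the image the child still shares with the parent, the same class of problem as a child running the server's cleanup on its way out.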
On Wed, Jul 08, 2009 at 11:05:20AM -0400, Steve Spano wrote:
> Hello!
> 
> Thanks for the reply Matt! I have dropbear working now, the problem (after
> several trips through the code) was here in svr-chansession.c 
> 
> //removed by fle because it is causing a problem
> #if(0)
> 	/* We can only change uid/gid as root ... */
> 	if (getuid() == 0) {
> 
> 		if ((setgid(ses.authstate.pw_gid) < 0) ||
> 			(initgroups(ses.authstate.pw_name, 
> 						ses.authstate.pw_gid) < 0)) {
> 			dropbear_exit("error changing user group");
> 		}
> 		if (setuid(ses.authstate.pw_uid) < 0) {
> 			dropbear_exit("error changing user");
> 		}
> 	} else {
> 		/* ... but if the daemon is the same uid as the requested uid, we don't
> 		 * need to */
> 
> 		/* XXX - there is a minor issue here, in that if there are multiple
> 		 * usernames with the same uid, but differing groups, then the
> 		 * differing groups won't be set (as with initgroups()). The solution
> 		 * is for the sysadmin not to give out the UID twice */
> 		if (getuid() != ses.authstate.pw_uid) {
> 			dropbear_exit("couldn't change user as non-root");
> 		}
> 	}
> #endif
> 
> It appears that my system was not able to set the GID, so we bailed out and
> never issued the shell or started the terminal.
> When the bail-out occurred, the code improperly exits because the child PID
> was never put into the "pid array" (see the notes on the "Race condition"
> also described around sesssigchild_handler).
> Since we use VFORK, and we didn't properly exit the child, the parent stack
> is messed up and we forget our encryption algorithm, which causes a buffer
> error, and subsequent program exit.
> 
> Now, my "fix" was just to IF-out the uid/gid items.
> Is that bad? What is the intent of the above code?
> 
> Steve Spano, President
> Finger Lakes Engineering
> 
> 
> 
> -----Original Message-----
> From: Matt Johnston [mailto:matt at ucc.asn.au] 
> Sent: Wednesday, July 08, 2009 10:54 AM
> To: Steve Spano
> Cc: dropbear at ucc.asn.au
> Subject: Re: ### Dropbear MMAP problem?
> 
> 
> I'm pretty sure there are some problems running Dropbear standalone, since
> that part isn't really vfork safe. Could you try running from an inetd (give
> it the -i argument) and see if that works?
> 
> Matt
> 
> On Tue, Jul 07, 2009 at 02:12:53PM -0400, Steve Spano wrote:
> > Hello,
> >  
> > I am attempting to get dropbear working on a Xilinx Microblaze system.
> > I have compiled it and it is executing, but there seems to be some
> > buffer/alloc problem of some kind that I am not sure yet how to
> > resolve. This is an MMU-less system and compiled against uClibc. I can
> > connect, exchange keys, and authenticate my username/password
> > properly. However, when the terminal session begins, I get an error
> > about unmapping non-mmaped memory and then a subsequent buffer_incr
> > problem and then an exit.
> >  
> > The trace log is below - can anyone offer suggestions?
> >  
> > Thanks
> >  
> >  
> > quit
> > 221 Goodbye
> > # ./dropbeart -    -F
> > TRACE (79): enter loadhostkeys
> > TRACE (79): enter buf_get_priv_key
> > TRACE (79): enter rsa_key_free
> > TRACE (79): leave rsa_key_free: key == NULL
> > TRACE (79): enter buf_get_rsa_priv_key
> > TRACE (79): enter buf_get_rsa_pub_key
> > TRACE (79): leave buf_get_rsa_pub_key: success
> > TRACE (79): leave buf_get_rsa_priv_key
> > TRACE (79): leave buf_get_priv_key
> > TRACE (79): enter buf_get_priv_key
> > TRACE (79): enter dsa_key_free
> > TRACE (79): enter dsa_key_free: key == NULL
> > TRACE (79): enter buf_get_dss_pub_key
> > TRACE (79): leave buf_get_dss_pub_key: success
> > TRACE (79): leave buf_get_priv_key
> > TRACE (79): leave loadhostkeys
> > TRACE (79): listensockets: 1 to try
> >  
> > TRACE (79): listening on ':22'
> > TRACE (79): enter dropbear_listen
> > TRACE (79): dropbear_listen: all interfaces
> > TRACE (79): bind(22) failed
> > TRACE (79): leave dropbear_listen: success, 1 socks bound
> > [79] Jul 07 15:55:58 Not backgrounding
> > [79] Jul 07 15:56:13 Child connection from 192.168.1.21:2594
> > TRACE (79): enter session_init
> > TRACE (79): setnonblocking: 3
> > TRACE (79): leave setnonblocking
> > TRACE (79): setnonblocking: 5
> > TRACE (79): leave setnonblocking
> > TRACE (79): kexinitialise()
> > TRACE (79): leave session_init
> > TRACE (79): enter ident_readln
> > TRACE (79): leave ident_readln: return 36
> > TRACE (79): remoteident: SSH-2.0-1.84 sshlib: Tunnelier 4.29
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 20
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): DATAALLOWED=0
> > TRACE (79): -> KEXINIT
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): leave read_packet
> > TRACE (79): maybe_empty_reply_queue - no data allowed
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 20
> > TRACE (79): <- KEXINIT
> > TRACE (79): enter recv_msg_kexinit
> > TRACE (79): buf_match_algo: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > TRACE (79): kex algo diffie-hellman-group1-sha1
> > TRACE (79): buf_match_algo: ssh-rsa,ssh-dss
> > TRACE (79): hostkey algo ssh-rsa
> > TRACE (79): buf_match_algo: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,blowfish-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
> > TRACE (79): enc c2s is  aes256-ctr
> > TRACE (79): buf_match_algo: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,blowfish-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
> > TRACE (79): enc s2c is  aes256-ctr
> > TRACE (79): buf_match_algo: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> > TRACE (79): hash c2s is  hmac-sha1
> > TRACE (79): buf_match_algo: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> > TRACE (79): hash s2c is  hmac-sha1
> > TRACE (79): buf_match_algo: none
> > TRACE (79): hash c2s is  none
> > TRACE (79): buf_match_algo: none
> > TRACE (79): hash s2c is  none
> > TRACE (79): leave recv_msg_kexinit
> > TRACE (79): leave process_packet
> > TRACE (79): maybe_empty_reply_queue - no data allowed
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 30
> > TRACE (79): enter recv_msg_kexdh_init
> > TRACE (79): enter send_msg_kexdh_reply
> > TRACE (79): enter send_msg_kexdh_reply
> > TRACE (79): enter buf_put_pub_key
> > TRACE (79): enter buf_put_rsa_pub_key
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): leave buf_put_rsa_pub_key
> > TRACE (79): leave buf_put_pub_key
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): enter buf_put_pub_key
> > TRACE (79): enter buf_put_rsa_pub_key
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): leave buf_put_rsa_pub_key
> > TRACE (79): leave buf_put_pub_key
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): enter buf_put_rsa_sign
> > TRACE (79): leave buf_put_rsa_sign
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 31
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): leave send_msg_kexdh_reply
> > TRACE (79): enter send_msg_newkeys
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 21
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): SENTNEWKEYS=1
> > TRACE (79): -> MSG_NEWKEYS
> > TRACE (79): leave send_msg_newkeys
> > TRACE (79): leave recv_msg_kexdh_init
> > TRACE (79): leave process_packet
> > TRACE (79): maybe_empty_reply_queue - no data allowed
> > TRACE (79): enter write_packet
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 2
> > TRACE (79): leave process_packet
> > TRACE (79): maybe_empty_reply_queue - no data allowed
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 21
> > TRACE (79): <- MSG_NEWKEYS
> > TRACE (79): enter recv_msg_newkeys
> > TRACE (79): while SENTNEWKEYS=1
> > TRACE (79): enter gen_new_keys
> > TRACE (79): enter buf_putmpint
> > TRACE (79): leave buf_putmpint
> > TRACE (79): leave gen_new_keys
> > TRACE (79): kexinitialise()
> > TRACE (79):  -> DATAALLOWED=1
> > TRACE (79): leave recv_msg_newkeys
> > TRACE (79): leave process_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 5
> > TRACE (79): enter recv_msg_service_request
> > TRACE (79): accepting service ssh-userauth
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 6
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): leave recv_msg_service_request: done ssh-userauth
> > TRACE (79): leave process_packet
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 50
> > TRACE (79): enter recv_msg_userauth_request
> > TRACE (79): recv_msg_userauth_request: 'none' request
> > TRACE (79): enter send_msg_userauth_failure
> > TRACE (79): auth fail: methods 6, 'publickey,password'
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 51
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): leave send_msg_userauth_failure
> > TRACE (79): leave process_packet
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 2
> > TRACE (79): leave process_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 50
> > TRACE (79): enter recv_msg_userauth_request
> > TRACE (79): enter checkusername
> > TRACE (79): shell is /bin/sh
> > TRACE (79): test shell is '/bin/sh'
> > TRACE (79): matching shell
> > TRACE (79): uid = 0
> > TRACE (79): leave checkusername
> > [79] Jul 07 15:58:54 password auth succeeded for 'Administrator' from
> > 192.168.1.21:2594
> > TRACE (79): enter send_msg_userauth_success
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 52
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): leave send_msg_userauth_success
> > TRACE (79): leave process_packet
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 2
> > TRACE (79): leave process_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 90
> > TRACE (79): enter recv_msg_channel_open
> > TRACE (79): matched type 'session'
> > TRACE (79): enter newchannel
> > TRACE (79): leave newchannel
> > TRACE (79): enter send_msg_channel_open_confirmation
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 91
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): leave send_msg_channel_open_confirmation
> > TRACE (79): leave recv_msg_channel_open
> > TRACE (79): leave process_packet
> > TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0,
> > recv_close 0
> > TRACE (79): writebuf size 0 extrabuf size 0
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0,
> > recv_close 0
> > TRACE (79): writebuf size 0 extrabuf size 0
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 98
> > TRACE (79): enter recv_msg_channel_request
> > TRACE (79): enter chansessionrequest
> > TRACE (79): type is pty-req
> > TRACE (79): enter sessionpty
> > TRACE (79): enter get_termmodes
> > TRACE (79): term mode str 0 p->l 46 p->p 46
> > TRACE (79): leave get_termmodes: empty terminal modes string
> > TRACE (79): leave sessionpty
> > TRACE (79): enter send_msg_channel_success
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 99
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > munmap of non-mmaped memory by process 79 (dropbear): 00000018
> > munmap of non-mmaped memory by process 79 (dropbear): 00000010
> > TRACE (79): leave enqueue
> > munmap of non-mmaped memory by process 79 (dropbear): b8082ce0
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): leave send_msg_channel_success
> > TRACE (79): leave chansessionrequest
> > TRACE (79): leave recv_msg_channel_request
> > TRACE (79): leave process_packet
> > TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0,
> > recv_close 0
> > TRACE (79): writebuf size 0 extrabuf size 0
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 98
> > TRACE (79): enter recv_msg_channel_request
> > TRACE (79): enter chansessionrequest
> > TRACE (79): type is x11-req
> > TRACE (79): setnonblocking: 8
> > TRACE (79): leave setnonblocking
> > TRACE (79): new listener num 0 
> > TRACE (79): enter send_msg_channel_success
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 99
> > TRACE (79): enter writemac
> > TRACE (79): leave writemac
> > TRACE (79): enter enqueue
> > TRACE (79): leave enqueue
> > TRACE (79): leave encrypt_packet()
> > TRACE (79): leave send_msg_channel_success
> > TRACE (79): leave chansessionrequest
> > TRACE (79): leave recv_msg_channel_request
> > TRACE (79): leave process_packet
> > TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0,
> > recv_close 0
> > TRACE (79): writebuf size 0 extrabuf size 0
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): sesscheckclose, pid is -1
> > TRACE (79): enter write_packet
> > TRACE (79): empty queue dequeing
> > TRACE (79): leave write_packet
> > TRACE (79): enter read_packet
> > TRACE (79): enter decrypt_packet
> > TRACE (79): leave decrypt_packet
> > TRACE (79): leave read_packet
> > TRACE (79): enter process_packet
> > TRACE (79): process_packet: packet type = 98
> > TRACE (79): enter recv_msg_channel_request
> > TRACE (79): enter chansessionrequest
> > TRACE (79): type is shell
> > TRACE (79): enter sessioncommand
> > TRACE (79): enter ptycommand
> > TRACE (80): back to normal sigchld
> > TRACE (79): enter sigchld handler
> > TRACE (79): sigchld handler: pid 80
> > TRACE (79): using lastexit
> > TRACE (79): leave sigchld handler
> > TRACE (79): continue ptycommand: parent
> > TRACE (79): setnonblocking: 6
> > TRACE (79): leave setnonblocking
> > TRACE (79): leave ptycommand
> > TRACE (79): enter send_msg_channel_success
> > TRACE (79): enter encrypt_packet()
> > TRACE (79): encrypt_packet type is 99
> > [79] Jul 07 15:58:55 exit after auth (Administrator): bad buf_incrlen
> > TRACE (79): enter session_cleanup
> > TRACE (79): enter chancleanup
> > TRACE (79): channel 0 closing
> > TRACE (79): enter remove_channel
> > TRACE (79): channel index is 24
> > TRACE (79): CLOSE writefd 16
> > TRACE (79): CLOSE readfd 24
> > TRACE (79): CLOSE errfd 24
> > TRACE (79): leave remove_channel
> > TRACE (79): leave chancleanup
> > TRACE (79): leave session_cleanup
> > # 
> > 
> > Steve Spano, President
> > Finger Lakes Engineering
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no-uclinux-cleanup.diff
Type: text/x-diff
Size: 1492 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20090708/e64010bb/attachment.diff 