### Dropbear MMAP problem?
Steve Spano
steve at fl-eng.com
Wed Jul 8 23:05:20 WST 2009
Hello!
Thanks for the reply Matt! I have dropbear working now; the problem (after
several trips through the code) was here in svr-chansession.c:
//removed by fle because it is causing a problem
#if(0)
    /* We can only change uid/gid as root ... */
    if (getuid() == 0) {
        if ((setgid(ses.authstate.pw_gid) < 0) ||
            (initgroups(ses.authstate.pw_name,
                        ses.authstate.pw_gid) < 0)) {
            dropbear_exit("error changing user group");
        }
        if (setuid(ses.authstate.pw_uid) < 0) {
            dropbear_exit("error changing user");
        }
    } else {
        /* ... but if the daemon is the same uid as the requested uid, we don't
         * need to */
        /* XXX - there is a minor issue here, in that if there are multiple
         * usernames with the same uid, but differing groups, then the
         * differing groups won't be set (as with initgroups()). The solution
         * is for the sysadmin not to give out the UID twice */
        if (getuid() != ses.authstate.pw_uid) {
            dropbear_exit("couldn't change user as non-root");
        }
    }
#endif
It appears that my system was not able to set the GID, so we bailed out and
never issued the shell or started the terminal.
When the bail-out occurred, the code improperly exits because the child PID
was never put into the "pid array" (see the notes on the "Race condition"
also described around sesssigchild_handler).
Since we use VFORK, and we didn't properly exit the child, the parent stack
is messed up and we forget our encryption algorithm, which causes a buffer
error, and subsequent program exit.
Now, my "fix" was just to IF-out the uid/gid items.
Is that bad? What is the intent of the above code?
Steve Spano, President
Finger Lakes Engineering
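An added example (mine, not dropbear's code) showing what the #if(0)-ed block is for and why the bail-out inside a vfork child goes wrong. The block drops the daemon's root credentials to the authenticated user's uid, gid and supplementary groups, and the non-root branch refuses to run a session for a different user than the daemon itself; with it compiled out nothing ever calls setgid/setuid, so every session simply keeps the daemon's credentials. The second point is vfork discipline: a vfork child shares the parent's stack (and, on an MMU-less target, all of its memory) until it execs or _exits, so a failure in the child must end in _exit(), never in exit() or a cleanup routine that unwinds. The names drop_privileges and spawn_as are mine, and passing name == NULL to skip initgroups() is an assumption made so the example runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop from root to the target user. Order matters: the primary gid and the
 * supplementary groups must be set while still root, because after setuid()
 * to a non-root uid they can no longer be changed. Returns 0 or -1. */
static int drop_privileges(uid_t uid, gid_t gid, const char *name)
{
    if (getuid() == 0) {
        if (setgid(gid) < 0) {
            return -1;
        }
        /* name == NULL skips supplementary groups (assumption for this
         * example only; a real server always has the user name). */
        if (name != NULL && initgroups(name, gid) < 0) {
            return -1;
        }
        if (setuid(uid) < 0) {
            return -1;
        }
        /* A drop to a non-root uid must be irreversible. */
        if (uid != 0 && setuid(0) == 0) {
            return -1;
        }
        return 0;
    }
    /* Not root: we cannot switch users at all, so the session may only run
     * as the uid the daemon already has. */
    return (getuid() == uid) ? 0 : -1;
}

/* Spawn argv[] as the given user and wait for it. Returns the child's exit
 * status, 126 if the privilege drop failed, 127 if exec failed, -1 on error.
 *
 * vfork() discipline: until the child calls execv() or _exit() it runs on the
 * parent's stack, so it must never return from this function, call exit()
 * (stdio flush + atexit handlers would run on the parent's behalf), or
 * longjmp. Every failure path below ends in _exit(). */
static int spawn_as(uid_t uid, gid_t gid, const char *name, char *const argv[])
{
    int status = 0;
    pid_t pid = vfork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        /* child */
        if (drop_privileges(uid, gid, name) < 0) {
            _exit(126);
        }
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    /* parent: vfork() only returns here once the child has exec'd or exited */
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    if (WIFEXITED(status)) {
        return WEXITSTATUS(status);
    }
    return -1;
}

int main(void)
{
    char *const ok[] = { "/bin/sh", "-c", "id -u; exit 3", NULL };
    char *const missing[] = { "/nonexistent/shell", NULL };

    printf("sh exited with %d\n", spawn_as(getuid(), getgid(), NULL, ok));
    printf("missing binary: %d\n", spawn_as(getuid(), getgid(), NULL, missing));
    return 0;
}
```

Run as a non-root user the first call takes the "same uid" branch and the shell prints that uid; run as root it goes through setgid/setuid to root itself. Compare this with the original child: a failed setgid() calls dropbear_exit(), which unwinds and exits the process from inside the vfork child, and on an MMU-less system that unwinding happens in the parent's memory.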
-----Original Message-----
From: Matt Johnston [mailto:matt at ucc.asn.au]
Sent: Wednesday, July 08, 2009 10:54 AM
To: Steve Spano
Cc: dropbear at ucc.asn.au
Subject: Re: ### Dropbear MMAP problem?
I'm pretty sure there are some problems running Dropbear standalone, since
that part isn't really vfork safe. Could you try running from an inetd (give
it -i argument) and see if that works?
Matt
On Tue, Jul 07, 2009 at 02:12:53PM -0400, Steve Spano wrote:
> Hello,
>
> I am attempting to get dropbear working on a Xilinx Microblaze system.
> I have compiled it and it is executing, but there seems to be some
> buffer/alloc problem of some kind that I am not sure yet how to
> resolve. This is an MMU-less system compiled against uClibc. I can
> connect, exchange keys, and authenticate my username/password
> properly. However, when the terminal session begins, I get an error
> about unmapping non-mmaped memory and then a subsequent buffer_incr
> problem and then an exit.
>
> The trace log is below - can anyone offer suggestions?
>
> Thanks
>
>
> quit
> 221 Goodbye
> # ./dropbeart - -F
> TRACE (79): enter loadhostkeys
> TRACE (79): enter buf_get_priv_key
> TRACE (79): enter rsa_key_free
> TRACE (79): leave rsa_key_free: key == NULL
> TRACE (79): enter buf_get_rsa_priv_key
> TRACE (79): enter buf_get_rsa_pub_key
> TRACE (79): leave buf_get_rsa_pub_key: success
> TRACE (79): leave buf_get_rsa_priv_key
> TRACE (79): leave buf_get_priv_key
> TRACE (79): enter buf_get_priv_key
> TRACE (79): enter dsa_key_free
> TRACE (79): enter dsa_key_free: key == NULL
> TRACE (79): enter buf_get_dss_pub_key
> TRACE (79): leave buf_get_dss_pub_key: success
> TRACE (79): leave buf_get_priv_key
> TRACE (79): leave loadhostkeys
> TRACE (79): listensockets: 1 to try
>
> TRACE (79): listening on ':22'
> TRACE (79): enter dropbear_listen
> TRACE (79): dropbear_listen: all interfaces
> TRACE (79): bind(22) failed
> TRACE (79): leave dropbear_listen: success, 1 socks bound
> [79] Jul 07 15:55:58 Not backgrounding
> [79] Jul 07 15:56:13 Child connection from 192.168.1.21:2594
> TRACE (79): enter session_init
> TRACE (79): setnonblocking: 3
> TRACE (79): leave setnonblocking
> TRACE (79): setnonblocking: 5
> TRACE (79): leave setnonblocking
> TRACE (79): kexinitialise()
> TRACE (79): leave session_init
> TRACE (79): enter ident_readln
> TRACE (79): leave ident_readln: return 36
> TRACE (79): remoteident: SSH-2.0-1.84 sshlib: Tunnelier 4.29
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 20
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): DATAALLOWED=0
> TRACE (79): -> KEXINIT
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): leave read_packet
> TRACE (79): maybe_empty_reply_queue - no data allowed
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 20
> TRACE (79): <- KEXINIT
> TRACE (79): enter recv_msg_kexinit
> TRACE (79): buf_match_algo: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> TRACE (79): kex algo diffie-hellman-group1-sha1
> TRACE (79): buf_match_algo: ssh-rsa,ssh-dss
> TRACE (79): hostkey algo ssh-rsa
> TRACE (79): buf_match_algo: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,blowfish-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
> TRACE (79): enc c2s is aes256-ctr
> TRACE (79): buf_match_algo: aes256-ctr,twofish256-ctr,twofish-ctr,aes128-ctr,twofish128-ctr,blowfish-ctr,3des-ctr,cast128-ctr,aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc
> TRACE (79): enc s2c is aes256-ctr
> TRACE (79): buf_match_algo: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> TRACE (79): hash c2s is hmac-sha1
> TRACE (79): buf_match_algo: hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96
> TRACE (79): hash s2c is hmac-sha1
> TRACE (79): buf_match_algo: none
> TRACE (79): hash c2s is none
> TRACE (79): buf_match_algo: none
> TRACE (79): hash s2c is none
> TRACE (79): leave recv_msg_kexinit
> TRACE (79): leave process_packet
> TRACE (79): maybe_empty_reply_queue - no data allowed
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 30
> TRACE (79): enter recv_msg_kexdh_init
> TRACE (79): enter send_msg_kexdh_reply
> TRACE (79): enter send_msg_kexdh_reply
> TRACE (79): enter buf_put_pub_key
> TRACE (79): enter buf_put_rsa_pub_key
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): leave buf_put_rsa_pub_key
> TRACE (79): leave buf_put_pub_key
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): enter buf_put_pub_key
> TRACE (79): enter buf_put_rsa_pub_key
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): leave buf_put_rsa_pub_key
> TRACE (79): leave buf_put_pub_key
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): enter buf_put_rsa_sign
> TRACE (79): leave buf_put_rsa_sign
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 31
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): leave send_msg_kexdh_reply
> TRACE (79): enter send_msg_newkeys
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 21
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): SENTNEWKEYS=1
> TRACE (79): -> MSG_NEWKEYS
> TRACE (79): leave send_msg_newkeys
> TRACE (79): leave recv_msg_kexdh_init
> TRACE (79): leave process_packet
> TRACE (79): maybe_empty_reply_queue - no data allowed
> TRACE (79): enter write_packet
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 2
> TRACE (79): leave process_packet
> TRACE (79): maybe_empty_reply_queue - no data allowed
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 21
> TRACE (79): <- MSG_NEWKEYS
> TRACE (79): enter recv_msg_newkeys
> TRACE (79): while SENTNEWKEYS=1
> TRACE (79): enter gen_new_keys
> TRACE (79): enter buf_putmpint
> TRACE (79): leave buf_putmpint
> TRACE (79): leave gen_new_keys
> TRACE (79): kexinitialise()
> TRACE (79): -> DATAALLOWED=1
> TRACE (79): leave recv_msg_newkeys
> TRACE (79): leave process_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 5
> TRACE (79): enter recv_msg_service_request
> TRACE (79): accepting service ssh-userauth
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 6
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): leave recv_msg_service_request: done ssh-userauth
> TRACE (79): leave process_packet
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 50
> TRACE (79): enter recv_msg_userauth_request
> TRACE (79): recv_msg_userauth_request: 'none' request
> TRACE (79): enter send_msg_userauth_failure
> TRACE (79): auth fail: methods 6, 'publickey,password'
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 51
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): leave send_msg_userauth_failure
> TRACE (79): leave process_packet
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 2
> TRACE (79): leave process_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 50
> TRACE (79): enter recv_msg_userauth_request
> TRACE (79): enter checkusername
> TRACE (79): shell is /bin/sh
> TRACE (79): test shell is '/bin/sh'
> TRACE (79): matching shell
> TRACE (79): uid = 0
> TRACE (79): leave checkusername
> [79] Jul 07 15:58:54 password auth succeeded for 'Administrator' from 192.168.1.21:2594
> TRACE (79): enter send_msg_userauth_success
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 52
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): leave send_msg_userauth_success
> TRACE (79): leave process_packet
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 2
> TRACE (79): leave process_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 90
> TRACE (79): enter recv_msg_channel_open
> TRACE (79): matched type 'session'
> TRACE (79): enter newchannel
> TRACE (79): leave newchannel
> TRACE (79): enter send_msg_channel_open_confirmation
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 91
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): leave send_msg_channel_open_confirmation
> TRACE (79): leave recv_msg_channel_open
> TRACE (79): leave process_packet
> TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0, recv_close 0
> TRACE (79): writebuf size 0 extrabuf size 0
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0, recv_close 0
> TRACE (79): writebuf size 0 extrabuf size 0
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 98
> TRACE (79): enter recv_msg_channel_request
> TRACE (79): enter chansessionrequest
> TRACE (79): type is pty-req
> TRACE (79): enter sessionpty
> TRACE (79): enter get_termmodes
> TRACE (79): term mode str 0 p->l 46 p->p 46
> TRACE (79): leave get_termmodes: empty terminal modes string
> TRACE (79): leave sessionpty
> TRACE (79): enter send_msg_channel_success
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 99
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACmunmap of non-mmaped memory by process 79 (dropbear): 00000018
> munmap of non-mmaped memory by process 79 (dropbear): 00000010
> E (79): leave enqueue
> TRACE (79): leamunmap of non-mmaped memory by process 79 (dropbear):
> b8082ce0
> ve encrypt_packet()
> TRACE (79): leave send_msg_channel_success
> TRACE (79): leave chansessionrequest
> TRACE (79): leave recv_msg_channel_request
> TRACE (79): leave process_packet
> TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0, recv_close 0
> TRACE (79): writebuf size 0 extrabuf size 0
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 98
> TRACE (79): enter recv_msg_channel_request
> TRACE (79): enter chansessionrequest
> TRACE (79): type is x11-req
> TRACE (79): setnonblocking: 8
> TRACE (79): leave setnonblocking
> TRACE (79): new listener num 0
> TRACE (79): enter send_msg_channel_success
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 99
> TRACE (79): enter writemac
> TRACE (79): leave writemac
> TRACE (79): enter enqueue
> TRACE (79): leave enqueue
> TRACE (79): leave encrypt_packet()
> TRACE (79): leave send_msg_channel_success
> TRACE (79): leave chansessionrequest
> TRACE (79): leave recv_msg_channel_request
> TRACE (79): leave process_packet
> TRACE (79): check_close: writefd -2, readfd -2, errfd -1, sent_close 0, recv_close 0
> TRACE (79): writebuf size 0 extrabuf size 0
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): sesscheckclose, pid is -1
> TRACE (79): enter write_packet
> TRACE (79): empty queue dequeing
> TRACE (79): leave write_packet
> TRACE (79): enter read_packet
> TRACE (79): enter decrypt_packet
> TRACE (79): leave decrypt_packet
> TRACE (79): leave read_packet
> TRACE (79): enter process_packet
> TRACE (79): process_packet: packet type = 98
> TRACE (79): enter recv_msg_channel_request
> TRACE (79): enter chansessionrequest
> TRACE (79): type is shell
> TRACE (79): enter sessioncommand
> TRACE (79): enter ptycommand
> TRACE (80): back to normal sigchld
> TRACE (79): enter sigchld handler
> TRACE (79): sigchld handler: pid 80
> TRACE (79): using lastexit
> TRACE (79): leave sigchld handler
> TRACE (79): continue ptycommand: parent
> TRACE (79): setnonblocking: 6
> TRACE (79): leave setnonblocking
> TRACE (79): leave ptycommand
> TRACE (79): enter send_msg_channel_success
> TRACE (79): enter encrypt_packet()
> TRACE (79): encrypt_packet type is 99
> [79] Jul 07 15:58:55 exit after auth (Administrator): bad buf_incrlen
> TRACE (79): enter session_cleanup
> TRACE (79): enter chancleanup
> TRACE (79): channel 0 closing
> TRACE (79): enter remove_channel
> TRACE (79): channel index is 24
> TRACE (79): CLOSE writefd 16
> TRACE (79): CLOSE readfd 24
> TRACE (79): CLOSE errfd 24
> TRACE (79): leave remove_channel
> TRACE (79): leave chancleanup
> TRACE (79): leave session_cleanup
> #
>
>
>
> Steve Spano, President
>
> Finger Lakes Engineering
>
>
>
>