SIGSEGV on master on ssh_channel_free
- Subject: SIGSEGV on master on ssh_channel_free
- From: Jason Curl <jason@xxxxxxxxxxxxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Sat, 20 May 2017 12:19:39 +0000
- To: "libssh@xxxxxxxxxx" <libssh@xxxxxxxxxx>
Hello,

My .NET wrapper (prototype) of libssh is crashing on ssh_channel_free() with a SIGSEGV. I've compiled abbd6e3 with MSYS2 32-bit with GCC 6.3.0 (see attachment for cmake output). I'm running on Windows 10 64-bit release 1703.

    $ cmake -G"Unix Makefiles" -DCMAKE_INSTALL_PREFIX=/usr/local -DCMAKE_BUILD_TYPE=Debug -DWITH_SSH1=ON ..

Using GDB to debug I get the following information:

    Thread 1 received signal SIGSEGV, Segmentation fault.
    0x61cd847c in ssh_list_get_iterator (list=0xfeeefeee) at C:/msys64/home/jcurl/libssh/src/misc.c:382
    382         return list->root;
    (gdb) bt
    #0  0x61cd847c in ssh_list_get_iterator (list=0xfeeefeee) at C:/msys64/home/jcurl/libssh/src/misc.c:382
    #1  0x61cd8491 in ssh_list_find (list=0xfeeefeee, value=0x55101f0) at C:/msys64/home/jcurl/libssh/src/misc.c:387
    #2  0x61cc771c in ssh_channel_do_free (channel=0x55101f0) at C:/msys64/home/jcurl/libssh/src/channels.c:1037
    #3  0x61cc76f1 in ssh_channel_free (channel=0x55101f0) at C:/msys64/home/jcurl/libssh/src/channels.c:1025
    #4  0x014921cd in ?? ()
    #5  0x014952f6 in ?? ()

The other frames are from the CLR and are uninteresting. Sometimes I also get:

    Thread 1 received signal SIGSEGV, Segmentation fault.
    0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee) at C:/msys64/home/jcurl/libssh/src/buffer.c:108
    108         if (buffer->data) {
    (gdb) bt
    #0  0x61cc4507 in ssh_buffer_free (buffer=0xfeeefeee) at C:/msys64/home/jcurl/libssh/src/buffer.c:108
    #1  0x61cc774b in ssh_channel_do_free (channel=0x157c230) at C:/msys64/home/jcurl/libssh/src/channels.c:1041
    #2  0x61cc76f1 in ssh_channel_free (channel=0x157c230) at C:/msys64/home/jcurl/libssh/src/channels.c:1025

My .NET program is simple. It does the following logical steps:

    ssh_init();
    m_Session = ssh_new();
    ssh_options_set(m_Session, SSH_OPTIONS_COMPRESSION_LEVEL, 9);
    ssh_options_set(m_Session, SSH_OPTIONS_HOST, "mylinuxserver.home.lan");
    ssh_options_set(m_Session, SSH_OPTIONS_USER, "myuser");
    ssh_connect(m_Session);                            // Returns SSH_OK
    ssh_pki_import_privkey_file("myprivatekey", null, null, null, &key);
    ssh_userauth_none(m_Session, null);                // Returns SSH_AUTH_DENIED as expected
    ssh_userauth_try_publickey(m_Session, null, key);  // Returns SSH_AUTH_SUCCESS as expected
    ssh_userauth_publickey(m_Session, null, key);
    m_Channel = ssh_channel_new(m_Session);            // returns a pointer
    ssh_channel_open_session(m_Channel);               // returns SSH_OK
    ssh_channel_request_exec(m_Channel, "ps aux");
    ssh_disconnect(m_Session);
    ssh_channel_free(m_Channel);                       // CRASH HERE

Note, I'm not doing any reading or writing as of yet, as I haven't got that far.

When getting handles (m_Session, m_Channel), I'm using the MS SafeHandle (derived), so that I ensure that managed code and the GC doesn't free the memory too early. I looked into the code and I made sure that I'm not calling ssh_free() (which will also free the channels). But just to be sure, I tested also with just pointers and I get the same crash.

Waiting 1000ms after ssh_channel_request_exec() doesn't change the crash. If I wait say 500-10000ms in addition, after ssh_disconnect() and then follow as above, I get a different exception (but much harder to reproduce):

    Thread 1 received signal SIGSEGV, Segmentation fault.
    0x61cc769b in ssh_channel_free (channel=0xb7c080) at C:/msys64/home/jcurl/libssh/src/channels.c:1013
    1013        if (session->alive && channel->state == SSH_CHANNEL_STATE_OPEN) {
    (gdb) bt
    #0  0x61cc769b in ssh_channel_free (channel=0xb7c080) at C:/msys64/home/jcurl/libssh/src/channels.c:1013
    (gdb) p session
    $1 = (ssh_session) 0xfeeefeee
    (gdb) p channel
    $2 = (ssh_channel) 0x18ec080

So it looks like the session is being cleaned up, but I'm pretty sure that I didn't do this explicitly.

$ cmake -G"Unix Makefiles" -DCMAKE_INSTALL_PREFIX=/usr/local -DCMAKE_BUILD_TYPE=Debug -DWITH_SSH1=ON ..
-- The C compiler identification is GNU 6.3.0
-- Check for working C compiler: C:/msys64/mingw32/bin/cc.exe
-- Check for working C compiler: C:/msys64/mingw32/bin/cc.exe -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Could NOT find NSIS (missing: NSIS_MAKE)
-- Found ZLIB: C:/msys64/mingw32/lib/libz.dll.a (found version "1.2.11")
-- Found OpenSSL: C:/msys64/mingw32/lib/libssl.dll.a;C:/msys64/mingw32/lib/libcrypto.dll.a (found version "1.0.2k")
-- Looking for pthread.h
-- Looking for pthread.h - found
-- Looking for pthread_create
-- Looking for pthread_create - found
-- Found Threads: TRUE
-- Could NOT find GSSAPI (missing: GSSAPI_LIBRARIES GSSAPI_INCLUDE_DIR)
-- Could NOT find NaCl (missing: NACL_LIBRARIES NACL_INCLUDE_DIRS)
-- Looking for argp.h
-- Looking for argp.h - not found
-- Looking for pty.h
-- Looking for pty.h - not found
-- Looking for utmp.h
-- Looking for utmp.h - not found
-- Looking for termios.h
-- Looking for termios.h - not found
-- Looking for unistd.h
-- Looking for unistd.h - found
-- Looking for util.h
-- Looking for util.h - not found
-- Looking for libutil.h
-- Looking for libutil.h - not found
-- Looking for sys/time.h
-- Looking for sys/time.h - found
-- Looking for sys/utime.h
-- Looking for sys/utime.h - found
-- Looking for sys/param.h
-- Looking for sys/param.h - found
-- Looking for arpa/inet.h
-- Looking for arpa/inet.h - not found
-- Looking for byteswap.h
-- Looking for byteswap.h - not found
-- Looking for io.h
-- Looking for io.h - found
-- Looking for 3 include files winsock2.h, ..., wspiapi.h
-- Looking for 3 include files winsock2.h, ..., wspiapi.h - found
-- Looking for include files winsock2.h, ws2tcpip.h
-- Looking for include files winsock2.h, ws2tcpip.h - found
-- Looking for openssl/des.h
-- Looking for openssl/des.h - found
-- Looking for openssl/aes.h
-- Looking for openssl/aes.h - found
-- Looking for openssl/blowfish.h
-- Looking for openssl/blowfish.h - found
-- Looking for openssl/ecdh.h
-- Looking for openssl/ecdh.h - found
-- Looking for openssl/ec.h
-- Looking for openssl/ec.h - found
-- Looking for openssl/ecdsa.h
-- Looking for openssl/ecdsa.h - found
-- Looking for EVP_aes_128_ctr
-- Looking for EVP_aes_128_ctr - found
-- Looking for EVP_aes_128_cbc
-- Looking for EVP_aes_128_cbc - found
-- Looking for CRYPTO_THREADID_set_callback
-- Looking for CRYPTO_THREADID_set_callback - found
-- Looking for CRYPTO_ctr128_encrypt
-- Looking for CRYPTO_ctr128_encrypt - found
-- Looking for EVP_CIPHER_CTX_new
-- Looking for EVP_CIPHER_CTX_new - found
-- Looking for isblank
-- Looking for isblank - found
-- Looking for strncpy
-- Looking for strncpy - found
-- Looking for strtoull
-- Looking for strtoull - found
-- Looking for vsnprintf
-- Looking for vsnprintf - found
-- Looking for snprintf
-- Looking for snprintf - found
-- Looking for _vsnprintf_s
-- Looking for _vsnprintf_s - found
-- Looking for _vsnprintf
-- Looking for _vsnprintf - found
-- Looking for _snprintf
-- Looking for _snprintf - found
-- Looking for _snprintf_s
-- Looking for _snprintf_s - found
-- Looking for ntohll
-- Looking for ntohll - not found
-- Looking for htonll
-- Looking for htonll - not found
-- Looking for select
-- Looking for select - found
-- Looking for getaddrinfo
-- Looking for getaddrinfo - found
-- Looking for _strtoui64
-- Looking for _strtoui64 - found
-- Performing Test HAVE_GCC_THREAD_LOCAL_STORAGE
-- Performing Test HAVE_GCC_THREAD_LOCAL_STORAGE - Success
-- Performing Test HAVE_MSC_THREAD_LOCAL_STORAGE
-- Performing Test HAVE_MSC_THREAD_LOCAL_STORAGE - Success
-- Performing Test HAVE_GCC_VOLATILE_MEMORY_PROTECTION
-- Performing Test HAVE_GCC_VOLATILE_MEMORY_PROTECTION - Success
-- Performing Test HAVE_GCC_NARG_MACRO
-- Performing Test HAVE_GCC_NARG_MACRO - Success
-- Performing Test HAVE_COMPILER__FUNC__
-- Performing Test HAVE_COMPILER__FUNC__ - Success
-- Performing Test HAVE_COMPILER__FUNCTION__
-- Performing Test HAVE_COMPILER__FUNCTION__ - Success
-- Found Doxygen: C:/msys64/usr/bin/doxygen.exe (found version "1.8.11")
-- Found DOXYFILE_IN: C:/msys64/home/jcurl/libssh/doc/Doxyfile.in
-- Threads_FOUND=TRUE
-- threads library: Threads_FOUND=TRUE
-- libssh_threads_SRCS=pthread.c
-- The CXX compiler identification is GNU 6.3.0
-- Check for working CXX compiler: C:/msys64/mingw32/bin/c++.exe
-- Check for working CXX compiler: C:/msys64/mingw32/bin/c++.exe -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- ********************************************
-- ********** libssh build options : **********
-- zlib support: ON
-- libgcrypt support: OFF
-- libnacl support: OFF
-- SSH-1 support: ON
-- SFTP support: ON
-- Server support : ON
-- GSSAPI support : 0
-- Pcap debugging support : ON
-- With static library: OFF
-- Unit testing: OFF
-- Client code Unit testing: OFF
-- Public API documentation generation
-- Benchmarks: OFF
-- ********************************************
-- Configuring done
-- Generating done
-- Build files have been written to: C:/msys64/home/jcurl/libssh/build-i686
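
Added example, not part of the original post and not libssh code: a wrapper-side lifetime guard in which each channel handle holds a reference on its session handle, so native session teardown is deferred until the last channel has been freed, whichever handle the caller releases first. The handle types and the `released` flag are hypothetical; the comments mark where the real ssh_channel_free(), ssh_disconnect() and ssh_free() calls would go.

```c
#include <stdlib.h>

/* Hypothetical wrapper types for illustration; not libssh structures. */
typedef struct session_handle {
    unsigned refs;  /* the owner's reference plus one per live channel */
    int *released;  /* constructed hook: set to 1 at native teardown */
} session_handle;
typedef struct channel_handle { session_handle *owner; } channel_handle;

static void session_unref(session_handle *s) {
    if (--s->refs > 0) return;  /* a channel still needs the session */
    /* A real wrapper would call ssh_disconnect() and ssh_free() here. */
    *s->released = 1;
    free(s);
}

session_handle *session_open(int *released) {
    session_handle *s = malloc(sizeof *s);
    if (s != NULL) *s = (session_handle){ .refs = 1, .released = released };
    return s;
}

channel_handle *channel_open(session_handle *s) {
    channel_handle *c = s ? malloc(sizeof *c) : NULL;
    if (c == NULL) return NULL;
    c->owner = s;
    s->refs++;                  /* pin the session for this channel */
    return c;
}

void session_release(session_handle *s) { if (s) session_unref(s); }
void channel_release(channel_handle *c) {
    if (c == NULL) return;
    session_handle *s = c->owner;
    /* A real wrapper would call ssh_channel_free() here, session intact. */
    free(c);
    session_unref(s);           /* may now run the deferred teardown */
}

/* Session handle released first: returns 1 if teardown waited for the channel. */
int release_out_of_order(void) {
    int released = 0;
    session_handle *s = session_open(&released);
    channel_handle *c = channel_open(s);
    session_release(s);         /* owner lets go; the channel still pins it */
    int alive_before = (c != NULL) && !released;
    channel_release(c);
    return alive_before && released;
}
int main(void) { return release_out_of_order() == 1 ? 0 : 1; }
```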