From owner-freebsd-current@FreeBSD.ORG Wed Aug 8 00:24:06 2007
Date: Wed, 8 Aug 2007 02:04:49 +0200 (CEST)
From: Michiel Boland
To: Poul-Henning Kamp
Cc: freebsd-current@freebsd.org
Subject: Re: sshd broken with UsePrivilegeSeparation=yes on sparc64
In-Reply-To: <58735.1184519830@critter.freebsd.dk>
Message-ID: <20070808013905.P78031-100000@xs6.xs4all.nl>

On Sun, 15 Jul 2007, Poul-Henning Kamp wrote:

>> fd = (*(int *)CMSG_DATA(cmsg));
>>
>> So, obviously a gcc bug. I will try to generate a smaller test-case for
>> this.
>
> I'm not convinced that CMSG_DATA is entirely kosher.

The problem with the openssh code appears to be the following.

In /usr/src/crypto/openssh/monitor_fdpass.c, there are two functions,
mm_receive_fd and mm_send_fd, that do roughly the following:

    int
    mm_receive_fd(int sock)
    {
        struct msghdr msg;
        char tmp[CMSG_SPACE(sizeof(int))];
        [...]
        msg.msg_control = tmp;
        msg.msg_controllen = sizeof(tmp);
        recvmsg(sock, &msg, 0);
        etc.

Now, there is no guarantee that the 'tmp' array is aligned on a word
boundary. Perhaps on i386/amd64, but not on sparc64.

As a hack-bandaid, you can more or less fix alignment with this patch:

--- monitor_fdpass.c.orig	2006-11-10 17:38:34.000000000 +0100
+++ monitor_fdpass.c	2007-08-08 01:37:44.000000000 +0200
@@ -91,7 +91,7 @@
 	struct msghdr msg;
 	struct iovec vec;
 	ssize_t n;
-	char ch;
+	int ch;
 	int fd;
 #ifndef HAVE_ACCRIGHTS_IN_MSGHDR
 	char tmp[CMSG_SPACE(sizeof(int))];

then recompile /usr/src/secure/lib/libssh.

A better solution would probably be something like using
tmp = malloc(CMSG_SPACE(sizeof(int))) to really guarantee alignment.

But I don't really understand why the original code did not crash with
SIGBUS or something, but just returned bogus values for fd.

Cheers
Michiel
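Review bot: The `-	char ch;` / `+	int ch;` change fixes the alignment of `tmp` only by accident of stack layout: nothing in the hunk constrains the compiler to place `tmp` directly after `ch`, so a different gcc version or optimization level can put `tmp` back on an unaligned boundary, and the same `char tmp[CMSG_SPACE(sizeof(int))]` pattern in the sibling function mm_send_fd (which the cover text says has the same shape) is untouched. Suggest replacing the array in both functions with a union that carries the alignment itself, e.g. `union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cmsgbuf;` with `msg.msg_control = cmsgbuf.buf;`, and reading the descriptor out with `memcpy(&fd, CMSG_DATA(cmsg), sizeof(int))` instead of `*(int *)CMSG_DATA(cmsg)`; that removes the need for the malloc() suggested in the cover text. The hunk also widens `ch` from char to int without a comment saying the change is about the alignment of `tmp` rather than about `ch`, so a reader of the resulting source will not see why it was made.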
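The fix the message gestures at (an aligned control buffer instead of a bare char array, plus copying the descriptor out with memcpy rather than dereferencing an int pointer into that array) looks like the following. This is an added example for this archive page, not OpenSSH's monitor_fdpass.c and not code from the thread; the function names send_fd, receive_fd, cmsg_data_is_aligned and fdpass_roundtrip are this example's own, and it assumes a POSIX system with AF_UNIX socketpair() and SCM_RIGHTS. The union trick is the standard idiom for getting struct cmsghdr alignment without a heap allocation. The receive side also checks MSG_CTRUNC and the cmsghdr fields before trusting CMSG_DATA, which the sketch in the message omits.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Control buffer for exactly one descriptor. The union forces cmsghdr
 * alignment on the byte array, so CMSG_DATA() is int-aligned even on
 * strict-alignment targets such as sparc64; a bare char array is not. */
union fd_cmsgbuf {
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Point msg at a one-byte iovec and the aligned control buffer. */
static void setup_msg(struct msghdr *msg, struct iovec *vec, char *ch,
                      union fd_cmsgbuf *cm)
{
    memset(msg, 0, sizeof(*msg));
    memset(cm, 0, sizeof(*cm));
    vec->iov_base = ch;          /* SCM_RIGHTS needs at least one data byte */
    vec->iov_len = 1;
    msg->msg_iov = vec;
    msg->msg_iovlen = 1;
    msg->msg_control = cm->buf;
    msg->msg_controllen = sizeof(cm->buf);
}

/* Send one descriptor over a connected AF_UNIX socket: 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    union fd_cmsgbuf cm;
    char ch = '\0';

    setup_msg(&msg, &vec, &ch, &cm);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    /* memcpy instead of *(int *)CMSG_DATA(cmsg): no alignment assumption at all */
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor: the new fd, or -1 unless the message carries exactly
 * one well-formed SCM_RIGHTS control message (the peer controls everything else). */
int receive_fd(int sock)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    union fd_cmsgbuf cm;
    char ch;
    int fd;

    setup_msg(&msg, &vec, &ch, &cm);
    if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_len != CMSG_LEN(sizeof(int)) ||
        cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* 1 if CMSG_DATA() inside the union buffer lands on an int boundary. */
int cmsg_data_is_aligned(void)
{
    union fd_cmsgbuf cm;
    struct msghdr msg;
    memset(&msg, 0, sizeof(msg));
    msg.msg_control = cm.buf;
    msg.msg_controllen = sizeof(cm.buf);
    return (uintptr_t)CMSG_DATA(CMSG_FIRSTHDR(&msg)) % sizeof(int) == 0;
}

/* Round trip over a socketpair: pass a pipe's write end, write through the
 * received descriptor, read it back; then confirm that a plain byte with no
 * ancillary data is rejected by receive_fd(). Returns 0 on success. */
int fdpass_roundtrip(void)
{
    int sv[2], pfd[2], rfd, rc = -1;
    char in[2] = { 0, 0 };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (send_fd(sv[0], pfd[1]) == 0 && (rfd = receive_fd(sv[1])) >= 0) {
        if (write(rfd, "ok", 2) == 2 && read(pfd[0], in, 2) == 2 &&
            memcmp(in, "ok", 2) == 0 &&
            write(sv[0], "x", 1) == 1 && receive_fd(sv[1]) == -1)
            rc = 0;
        close(rfd);
    }
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
    return rc;
}
```

Compile with a plain `cc -Wall` and call fdpass_roundtrip() from a main(); it returns 0 when the descriptor comes through intact and a message without ancillary data is rejected. The alignment check is what a "bogus fd instead of SIGBUS" report like the one above would want to rule out first: with the union, CMSG_DATA() is int-aligned by construction, whatever else is on the stack around it.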