
Crash in libssh in canonical multipass due to certain entries in `~/.ssh/config`
Closed, ResolvedPublic

Description

Canonical multipass, which is in turn used by Ubuntu snapcraft, may crash unless `~/.ssh/config` is moved away. This seems to be due to two issues. One of them is in multipass, which lets libssh parse `~/.ssh/config` when there is no reason to do so. The second one seems to be in libssh itself, which ends up crashing on pieces of configuration in `~/.ssh/config` that it does not understand.

For instance, proxyjump entries or pointers to keys that do not exist seem to be enough to cause the crash.

I believe that the version of libssh in multipass may not be the latest one (probably 0.90). Hence, please forgive the noise if this issue has already been cleared.

Otherwise, https://github.com/canonical/multipass/issues/1259 may constitute a pointer for a bug in libssh.

Event Timeline

Jakuje added a subscriber: Jakuje. Dec 27 2019, 9:56 PM

Without information about the libssh version, what configuration file was used (at least the offending match line), and more verbose libssh logs (there are quite a lot of tracing logs around), it is hard to guess what went wrong with the parsing.

Indeed. For the time being, I have opened the bug to follow the multipass issue, where I hope that this data shall be made available. In the meantime, proxyjump as in `ProxyJump = myhost` seems to be a trigger for the issue.

The backtrace in the attached issue points to the match block parsing:

0   libsystem_c.dylib             	0x00007fff6acc7b44 strcasecmp_l + 92
1   libssh.4.dylib                	0x0000000107d27bbe ssh_config_get_match_opcode + 78
2   libssh.4.dylib                	0x0000000107d2608b ssh_config_parse_line + 763
3   libssh.4.dylib                	0x0000000107d25cfa ssh_config_parse_file + 266
4   libssh.4.dylib                	0x0000000107d40806 ssh_options_parse_config + 262
5   libssh.4.dylib                	0x0000000107d248e4 ssh_connect + 292

If you have some other crash report, please let us know.

Jakuje claimed this task. Apr 14 2020, 6:49 PM
Jakuje triaged this task as Low priority.

Seems like the linked multipass issue is fixed now. I am wondering why it was done by the change of the SSH_OPTIONS_SSH_DIR instead of SSH_OPTIONS_PROCESS_CONFIG which would prevent configuration parsing altogether.

Reading again through the previous comment, you mentioned that the `ProxyJump = myhost` option was triggering the issue. I checked that currently libssh is not crashing with these inputs, but it is not parsing them correctly either. As this format is explicitly (without the whitespace after `=`) described in the manual page for ssh_config:

Configuration options may be separated by whitespace or optional whitespace and exactly one ‘=’;

and these are correctly handled in OpenSSH, I believe we should follow suit in libssh. The following patch should address the parsing issue:

https://gitlab.com/jjelen/libssh-mirror/-/commit/315984fe

Anyway, I also checked the behavior of the 0.9.0 branch with this input and I do not see the crash either, so it was probably some different version.
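
The separator rule quoted above from the ssh_config manual page, as an added C example (not libssh's code and not the linked patch): a simplified splitter, under the hypothetical name `split_option`, that accepts `ProxyJump myhost`, `ProxyJump=myhost` and `ProxyJump = myhost` alike and returns an error for a missing argument instead of handing the caller an empty token. It assumes no quoting and one argument per keyword; the sample lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Split one ssh_config-style line into keyword and argument.
 * Returns 0 on success, 1 for a blank or comment line, -1 if malformed.
 * Simplified for illustration: no quoting, one argument per keyword. */
int split_option(const char *line, char *key, size_t klen,
                 char *arg, size_t alen)
{
    const char *p = line, *start;
    size_t n;

    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#') return 1;
    /* Keyword ends at whitespace or '='. */
    start = p;
    while (*p && !isspace((unsigned char)*p) && *p != '=') p++;
    n = (size_t)(p - start);
    if (n == 0 || n >= klen) return -1;   /* "=value" or oversized keyword */
    memcpy(key, start, n);
    key[n] = '\0';
    /* Separator: whitespace, or optional whitespace around exactly one '='. */
    while (isspace((unsigned char)*p)) p++;
    if (*p == '=') {
        p++;
        while (isspace((unsigned char)*p)) p++;
    }
    /* Argument: rest of the line, trailing whitespace trimmed. */
    n = strlen(p);
    while (n > 0 && isspace((unsigned char)p[n - 1])) n--;
    if (n == 0 || n >= alen) return -1;   /* missing argument: reject the line */
    memcpy(arg, p, n);
    arg[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample lines covering each separator form. */
    const char *samples[] = { "ProxyJump myhost", "ProxyJump=myhost",
                              "ProxyJump = myhost", "  ProxyJump\t=myhost  ",
                              "ProxyJump =", "# comment" };
    char k[64], a[256];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int rc = split_option(samples[i], k, sizeof k, a, sizeof a);
        printf("%-24s rc=%d key=[%s] arg=[%s]\n", samples[i], rc,
               rc ? "" : k, rc ? "" : a);
    }
    return 0;
}
```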