
Crash in libssh in canonical multipass due to certain entries in `~/.ssh/config`
Closed, ResolvedPublic


Canonical multipass, which is in turn used by Ubuntu snapcraft, may crash unless `~/.ssh/config` is moved away. This seems to be due to two issues. One of them is in multipass, which lets libssh parse `~/.ssh/config` when there is no reason to do so. The second one seems to be in libssh itself, which ends up crashing on pieces of configuration in `~/.ssh/config` that it does not understand.

For instance, proxyjump entries or pointers to keys that do not exist seem to be enough to cause the crash.

I believe that the version of libssh in multipass may not be the latest one (probably 0.90). Hence, please forgive the noise if this issue has already been cleared.

Otherwise, this may constitute a pointer to a bug in libssh.

Event Timeline

Without information about the libssh version, what configuration file was used (at least the offending match line), and more verbose libssh logs (there are quite a lot of tracing logs around), it is hard to guess what went wrong with the parsing.

Indeed. For the time being, I have opened the bug to follow the multipass issue, where I hope that this data shall be made available. In the meantime, proxyjump as in `ProxyJump = myhost` seems to be a trigger for the issue.

The backtrace in the attached issue points to the match block parsing:

```
0   libsystem_c.dylib             	0x00007fff6acc7b44 strcasecmp_l + 92
1   libssh.4.dylib                	0x0000000107d27bbe ssh_config_get_match_opcode + 78
2   libssh.4.dylib                	0x0000000107d2608b ssh_config_parse_line + 763
3   libssh.4.dylib                	0x0000000107d25cfa ssh_config_parse_file + 266
4   libssh.4.dylib                	0x0000000107d40806 ssh_options_parse_config + 262
5   libssh.4.dylib                	0x0000000107d248e4 ssh_connect + 292
```

If you have some other crash report, please let us know.

Jakuje triaged this task as Low priority.

Seems like the linked multipass issue is fixed now. I am wondering why it was done by changing `SSH_OPTIONS_SSH_DIR` instead of `SSH_OPTIONS_PROCESS_CONFIG`, which would prevent configuration parsing altogether.

Reading again through the previous comment, you mentioned that the `ProxyJump = myhost` option was triggering the issue. I checked that currently libssh is not crashing with these inputs, but it is not parsing them correctly either. As this format is explicitly (without the whitespace after =) described in the manual page for ssh_config:

> Configuration options may be separated by whitespace or optional whitespace and exactly one ‘=’;

and these are correctly handled in OpenSSH, I believe we should follow suit in libssh. The following patch should address the parsing issue:

Anyway, I also checked the behavior of the 0.9.0 branch with this input and I do not see the crash either, so it was probably some different version.
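
The separator rule quoted from the ssh_config manual page in the thread above, as an added example that is not part of the original thread and is not libssh or OpenSSH code: a small splitter that accepts `ProxyJump myhost`, `ProxyJump=myhost` and `ProxyJump = myhost` alike, and rejects lines with a missing keyword or argument. The function name `split_option` and its return codes are hypothetical, and quoted arguments are not handled.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not libssh or OpenSSH code): split one ssh_config
 * line into keyword and argument. Accepted separators are whitespace, or
 * optional whitespace around exactly one '='. Quoting is not handled.
 * Returns 0 on success, 1 for a blank or comment line, -1 on a malformed
 * line or when a buffer is too small. On every return with usable buffers,
 * key and val hold valid NUL-terminated strings (possibly empty), so later
 * string comparisons always get defined input. */
int split_option(const char *line, char *key, size_t keylen,
                 char *val, size_t vallen)
{
    const char *p, *start;
    size_t n;

    if (key == NULL || val == NULL || keylen == 0 || vallen == 0)
        return -1;
    key[0] = val[0] = '\0';
    if (line == NULL)
        return -1;

    p = line + strspn(line, " \t");          /* leading whitespace */
    if (*p == '\0' || *p == '\n' || *p == '\r' || *p == '#')
        return 1;

    start = p;
    p += strcspn(p, " \t=\r\n");             /* keyword ends at blank or '=' */
    n = (size_t)(p - start);
    if (n == 0 || n >= keylen)               /* "= value" has no keyword */
        return -1;
    memcpy(key, start, n);
    key[n] = '\0';

    p += strspn(p, " \t");
    if (*p == '=')                           /* skip at most one '=' */
        p += 1 + strspn(p + 1, " \t");

    n = strcspn(p, "\r\n");                  /* argument runs to end of line */
    while (n > 0 && (p[n - 1] == ' ' || p[n - 1] == '\t'))
        n--;                                 /* trim trailing blanks */
    if (n == 0 || n >= vallen)               /* keyword without argument */
        return -1;
    memcpy(val, p, n);
    val[n] = '\0';
    return 0;
}
```

Only the first `=` is treated as a separator, so an argument that itself contains `=` is preserved.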