Defensics' synopsys fuzzer testing tool cause openssh to segfault

[Impact]
Here's what has been brought to my attention by a UA customer:

* Release:
Xenial/16.04LTS

* Openssh version:
7.2p2-4ubuntu2.10

* Fuzzer tool used:
https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html (proprietary software)

As of today, I have no access to a reproducer.

* coredump:

$ gdb $(which sshd) <OBFUSCATED>.sshd.20731
...
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `sshd: [net] '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
136 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
#1 0x00007fec25b241db in memcpy (__len=<optimized out>, __src=0x0, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 aes_gcm_ctrl (c=0x558a7ae19758, type=<optimized out>, arg=<optimized out>, ptr=0x0) at e_aes.c:1189
#3 0x00007fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@entry=0x558a7ae19758, type=type@entry=18, arg=arg@entry=-1, ptr=ptr@entry=0x0) at evp_enc.c:619
#4 0x0000558a7953f54c in cipher_init (cc=cc@entry=0x558a7ae19750, cipher=0x558a797b3ef0 <ciphers+720>, key=0x0, keylen=32, iv=0x0, ivlen=<optimized out>, do_encrypt=0) at ../cipher.c:336
#5 0x0000558a7954521a in ssh_set_newkeys (ssh=ssh@entry=0x558a7ae18ef0, mode=mode@entry=0)at ../packet.c:919
#6 0x0000558a7955ae92 in kex_input_newkeys (type=<optimized out>, seq=<optimized out>, ctxt=0x558a7ae18ef0)at ../kex.c:434
#7 0x0000558a7954d269 in ssh_dispatch_run (ssh=ssh@entry=0x558a7ae18ef0, mode=0, done=0x558a7ae18278, ctxt=0x558a7ae18ef0) at ../dispatch.c:119
#8 0x0000558a7954d2b9 in ssh_dispatch_run_fatal (ssh=0x558a7ae18ef0, mode=<optimized out>, done=<optimized out>, ctxt=<optimized out>) at ../dispatch.c:140
#9 0x0000558a79502770 in do_ssh2_kex () at ../sshd.c:2744
#10 main (ac=<optimized out>, av=<optimized out>) at ../sshd.c:2301
(gdb)

[Test plan]

** NOT REPRODUCIBLE ON MY SIDE **

This seems to be a corner case generated by the Defensics fuzzer test suite (proprietary software from synopsys).

That's the only way this could have been reproduced so far.

Here's the details I could gather about the fuzzer test scenario:

------
Test Suite: SSHv2 Server Test Suite by Synopsys
Test Case Description:
SSHv2.Key-Exchange.DH-GROUP-EXCHANGE-SHA256.message-sequence.duplicate-message:
Insert extra message 'message-2' before message 'client-newkeys'
------

[Where problem could occur]

[Other information]

Upstream fix:
https://github.com/openssh/openssh-portable/commit/2adbe1e63bc313d03e8e84e652cc623af8ebb163

Only Xenial requires the fix:

# git describe --contains 2adbe1e
V_7_5_P1~7

# rmadison openssh
 => openssh | 1:7.2p2-4ubuntu2.10 | xenial-updates | source
 openssh | 1:7.6p1-4 | bionic | source
 openssh | 1:7.6p1-4ubuntu0.3 | bionic-security | source
 openssh | 1:7.6p1-4ubuntu0.3 | bionic-updates | source
 openssh | 1:7.6p1-4ubuntu0.4 | bionic-proposed | source
 openssh | 1:8.2p1-4 | focal | source
 openssh | 1:8.2p1-4ubuntu0.2 | focal-security | source
 openssh | 1:8.2p1-4ubuntu0.2 | focal-updates | source
 openssh | 1:8.3p1-1 | groovy | source
 openssh | 1:8.3p1-1ubuntu0.1 | groovy-security | source
 openssh | 1:8.3p1-1ubuntu0.1 | groovy-updates | source
 openssh | 1:8.4p1-5ubuntu1 | hirsute | source
 openssh | 1:8.4p1-5ubuntu1 | impish | source