bugzilla-daemon at bugzilla.mindrot.org
2017-Apr-06 01:48 UTC
[Bug 2704] New: Avoid passing pointers between processes
https://bugzilla.mindrot.org/show_bug.cgi?id=2704

Bug ID: 2704
Summary: Avoid passing pointers between processes
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: brooks at freebsd.org

Created attachment 2972
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2972&action=edit
Patch to pass ciphers by name rather than by virtual address

The newkeys_(from|to)_blob() functions currently pass a pointer to the static cipher structure between processes. This works as long as pointers are opaque integer data. With upcoming pointer integrity schemes such as CHERI (which ensures pointer derivations are valid with hardware tags) this no longer works and the pointer is instantiated out of thin air from the perspective of the receiving process.

Given the current structure of the cipher code, it's trivial to pass the name instead as is done in the attached patch. This change appears to be sufficient to run OpenSSH with hardware enforced memory bounds on CHERI.

--
You are receiving this mail because:
You are watching the assignee of the bug.
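Added example, not taken from the bug report or from the OpenSSH patch: a sketch of the approach the report describes, where the sender serialises the cipher's name and the receiver derives its own pointer by looking the name up in its local static table, rejecting malformed or unknown names. The struct, the table contents, the `demo_*` function names and the length-prefixed wire format are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a static cipher table (not OpenSSH's struct). */
struct demo_cipher { const char *name; unsigned key_len; };
static const struct demo_cipher demo_ciphers[] = {
    { "aes128-ctr", 16 }, { "aes256-ctr", 32 },   /* constructed sample entries */
};
#define DEMO_NCIPHERS (sizeof(demo_ciphers) / sizeof(demo_ciphers[0]))

/* Sender: emit [u32 big-endian length][name bytes]; no address leaves the process. */
int demo_put_cipher(const struct demo_cipher *c, unsigned char *buf, size_t cap)
{
    size_t n = strlen(c->name);
    if (cap < 4 || n > cap - 4)
        return -1;                        /* output buffer too small */
    buf[0] = (unsigned char)(n >> 24); buf[1] = (unsigned char)(n >> 16);
    buf[2] = (unsigned char)(n >> 8);  buf[3] = (unsigned char)n;
    memcpy(buf + 4, c->name, n);
    return (int)(n + 4);
}

/* Receiver: validate the blob, then derive the pointer from the local table. */
const struct demo_cipher *demo_get_cipher(const unsigned char *buf, size_t len)
{
    size_t i, n;
    if (len < 4)
        return NULL;
    n = ((size_t)buf[0] << 24) | ((size_t)buf[1] << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (n != len - 4 || memchr(buf + 4, '\0', n) != NULL)
        return NULL;                      /* truncated, trailing data or embedded NUL */
    for (i = 0; i < DEMO_NCIPHERS; i++)
        if (strlen(demo_ciphers[i].name) == n &&
            memcmp(demo_ciphers[i].name, buf + 4, n) == 0)
            return &demo_ciphers[i];      /* pointer derived locally, never received */
    return NULL;                          /* unknown name: reject */
}

int main(void)
{
    unsigned char blob[64];
    int n = demo_put_cipher(&demo_ciphers[1], blob, sizeof(blob));
    const struct demo_cipher *c = demo_get_cipher(blob, (size_t)n);
    printf("%s key_len=%u\n", c ? c->name : "(rejected)", c ? c->key_len : 0);
    return c == &demo_ciphers[1] ? 0 : 1;
}
```

Because the receiver only ever returns addresses inside its own table, a corrupted or hostile blob can at worst select a different known cipher or be rejected; it cannot steer the process to an arbitrary address.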
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-23 03:35 UTC
[Bug 2704] Avoid passing pointers between processes
https://bugzilla.mindrot.org/show_bug.cgi?id=2704

Damien Miller <djm at mindrot.org> changed:

What                         |Removed                        |Added
----------------------------------------------------------------------------
Attachment #2972 is obsolete |0                              |1
CC                           |                               |djm at mindrot.org
Assignee                     |unassigned-bugs at mindrot.org |djm at mindrot.org
Status                       |NEW                            |ASSIGNED

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 2997
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2997&action=edit
revised diff

enc->name already contains the cipher name, so I don't think it's necessary to pass it again. It probably was on the version that you based your patch on, but we've since removed SSHv1 support and with it all ciphers that were not explicitly identified by name.
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-23 03:36 UTC
[Bug 2704] Avoid passing pointers between processes
https://bugzilla.mindrot.org/show_bug.cgi?id=2704

Damien Miller <djm at mindrot.org> changed:

What   |Removed |Added
----------------------------------------------------------------------------
Blocks |        |2698

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2698
[Bug 2698] Tracking bug for OpenSSH 7.6 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-23 03:39 UTC
[Bug 2704] Avoid passing pointers between processes
https://bugzilla.mindrot.org/show_bug.cgi?id=2704

Darren Tucker <dtucker at zip.com.au> changed:

What                   |Removed |Added
----------------------------------------------------------------------------
CC                     |        |dtucker at zip.com.au
Attachment #2997 Flags |        |ok+
bugzilla-daemon at bugzilla.mindrot.org
2017-Jun-24 06:38 UTC
[Bug 2704] Avoid passing pointers between processes
https://bugzilla.mindrot.org/show_bug.cgi?id=2704

Damien Miller <djm at mindrot.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |ASSIGNED |RESOLVED
Resolution |---      |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Patch applied. This will be in openssh-7.6
bugzilla-daemon at mindrot.org
2021-Apr-23 05:09 UTC
[Bug 2704] Avoid passing pointers between processes
https://bugzilla.mindrot.org/show_bug.cgi?id=2704

Damien Miller <djm at mindrot.org> changed:

What   |Removed  |Added
----------------------------------------------------------------------------
Status |RESOLVED |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release