bugzilla-daemon at bugzilla.mindrot.org
2018-Sep-25 14:25 UTC
[Bug 2909] New: sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd
https://bugzilla.mindrot.org/show_bug.cgi?id=2909 Bug ID: 2909 Summary: sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd Product: Portable OpenSSH Version: 7.7p1 Hardware: ix86 OS: Linux Status: NEW Severity: normal Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: todd at xymmetrix.com Created attachment 3181 --> https://bugzilla.mindrot.org/attachment.cgi?id=3181&action=edit segfault test program We might have a bit of an odd/old configuration, but it works otherwise. We get lots and lots of these. This is the only machine whose sshd is exposed to the internet: Sep 25 09:42:53 pluto kernel: sshd[1871]: segfault at 0 ip 005023ac sp 7f899810 error 4 in sshd[49b000+6d000] Normal users here can log in fine, so I figured it was just trash the password-searchers were throwing at sshd. I finally took some time to dig in to it. It turns out that trying to ssh in as an invalid user (ssh foo at pluto) causes sshd to segfault as soon as I enter the password. Once I could duplicate it at will it was pretty easy to chase down. The pick_salt() function iterates through users with getpwent() looking for a salt it can use. Our setup doesn't use shadow passwords, so it doesn't find what it's looking for. When it gets to the end of the password file, the last line is "+ at users" to add in our NIS user netgroup. shadow_pw() can't find a password in that line, so it returns NULL, which pointer is them immediately dereferenced. I extracted the relevant code into a standalone program that demonstrates the problem, attached. (I used entire functions; I didn't pare it down to absolute bare minimum--but there are only three functions.) When I run it on this system, it produces the following output: pw = 77efacc0 pw_name = '+ at users' passwd = '(null)' Segmentation fault This small change takes care of it: --- openssh-7.8p1/openbsd-compat/xcrypt.c.orig 2018-08-23 01:41:42.000000000 -0400 +++ openssh-7.8p1/openbsd-compat/xcrypt.c 2018-09-25 10:11:11.639816915 -0400 @@ -83,7 +83,7 @@ setpwent(); while ((pw = getpwent()) != NULL) { passwd = shadow_pw(pw); - if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) !NULL) { + if (passwd && passwd[0] == '$' && (p strrchr(passwd+1, '$')) != NULL) { typelen = p - passwd + 1; strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); explicit_bzero(passwd, strlen(passwd)); We compile --prefix=/usr --without-shadow. We're running 7.8p1 now. This problem predates 7.8, though; I'm not sure how far back it goes. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-10 03:59 UTC
[Bug 2909] sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd
https://bugzilla.mindrot.org/show_bug.cgi?id=2909 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2893 CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- Thanks - i've committed a similar fix. commit d1d301a1dd5d6cc3a9ed93ab7ab09dda4cb456e0 (HEAD -> master, origin/master, origin/HEAD) Author: Damien Miller <djm at mindrot.org> Date: Wed Oct 10 14:57:00 2018 +1100 in pick_salt() avoid dereference of NULL passwords Apparently some NIS implementations can leave pw->pw_passwd (or the shadow equivalent) NULL. bz#2909; based on patch from Todd Eigenschink Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2893 [Bug 2893] Tracking bug for 7.9 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:13 UTC
[Bug 2909] sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd
https://bugzilla.mindrot.org/show_bug.cgi?id=2909 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2915 --- Comment #2 from Damien Miller <djm at mindrot.org> --- Retarget unfinished bugs to OpenSSH 8.0 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2915 [Bug 2915] Tracking bug for 8.0 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:14 UTC
[Bug 2909] sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd
https://bugzilla.mindrot.org/show_bug.cgi?id=2909 --- Comment #3 from Damien Miller <djm at mindrot.org> --- Retarget unfinished bugs to OpenSSH 8.0 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-19 06:15 UTC
[Bug 2909] sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd
https://bugzilla.mindrot.org/show_bug.cgi?id=2909 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|2893 | --- Comment #4 from Damien Miller <djm at mindrot.org> --- Retarget unfinished bugs to OpenSSH 8.0 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2893 [Bug 2893] Tracking bug for 7.9 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-08 04:01 UTC
[Bug 2909] sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd
https://bugzilla.mindrot.org/show_bug.cgi?id=2909 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #5 from Damien Miller <djm at mindrot.org> --- this was fixed a while back -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:54 UTC
[Bug 2909] sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd
https://bugzilla.mindrot.org/show_bug.cgi?id=2909 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #6 from Damien Miller <djm at mindrot.org> --- close bugs that were resolved in OpenSSH 8.5 release cycle -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.