bugzilla-daemon at mindrot.org
2022-Dec-08 18:47 UTC
[Bug 3508] New: Memory leak in auth-pam
https://bugzilla.mindrot.org/show_bug.cgi?id=3508
Bug ID: 3508
Summary: Memory leak in auth-pam
Product: Portable OpenSSH
Version: 9.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: miazgapow at gmail.com
In auth-pam.c, in sshpam_init, where the SSH_CONNECTION environment
variable is being set, xasprintf is used. It allocates memory for the
formatted string and returns it via the global sshpam_conninfo, which
is later passed to pam_putenv, which copies the string. So memory under
sshpam_conninfo is never freed, and then a reference to it is lost on
another run of sshpam_init.
--
You are receiving this mail because:
You are watching the assignee of the bug.
Darren Tucker <dtucker at dtucker.net> changed:
What   | Removed | Added
-------|---------|-----------------------
CC     |         | dtucker at dtucker.net
Blocks |         | 3480
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I agree with your analysis. Putting on list for 9.2.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3480
[Bug 3480] tracking bug for openssh-9.2
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Actually looking more closely I don't think it can leak. sshpam_conninfo is
allocated at the same time as sshpam_rhost, which is also a global. On
subsequent calls to sshpam_init, sshpam_rhost will already be set so
sshpam_conninfo will not be re-populated, but it will get used again for
pam_putenv. Freeing sshpam_conninfo would mean that during subsequent calls
to sshpam_init it would not be available (either NULL if it was nulled out,
or a use-after-free if not).
Darren Tucker <dtucker at dtucker.net> changed:
What                   | Removed | Added
-----------------------|---------|------------------------
CC                     |         | djm at mindrot.org
Attachment #3643 Flags |         | ok?(djm at mindrot.org)
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3643
--> https://bugzilla.mindrot.org/attachment.cgi?id=3643&action=edit
Do not store sshpam_conninfo across calls to sshpam_init
Those things said, the content of sshpam_conninfo is constructed of
things that are guaranteed to be available (remote host and port, local
port and address) so we don't actually need to cache it across calls at
all and thus it doesn't need to be static or global. This puts all of
the conninfo bits in one place.
Darren Tucker <dtucker at dtucker.net> changed:
What                         | Removed                 | Added
-----------------------------|-------------------------|------------------------
Attachment #3643 is obsolete | 0                       | 1
Attachment #3643 Flags       | ok?(djm at mindrot.org) |
Attachment #3644 Flags       |                         | ok?(djm at mindrot.org)
--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3644
--> https://bugzilla.mindrot.org/attachment.cgi?id=3644&action=edit
Do not store sshpam_conninfo across calls to sshpam_init
Damien points out that sshpam_init does get called without the ssh
context, so my first patch is not correct.
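To make comments #2 to #4 concrete, here is an added toy model in C; it is not OpenSSH's auth-pam.c, and the function names, the fixed 128-byte xasprintf and the copying fake_pam_putenv are assumptions. It covers only the call path where the connection details are available (comment #4's point that sshpam_init is also called without the ssh context is not modelled), and shows that the old global shape gated on sshpam_rhost allocates once rather than once per call, while the local-buffer shape leaves nothing live after PAM has taken its copy.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the auth-pam.c pattern discussed in this bug; not OpenSSH code. */
static int live_allocs;      /* tracked allocations not yet freed */
static char *pam_env_conn;   /* stand-in for PAM's own copy of SSH_CONNECTION */
/* Mirrors xasprintf: returns a heap-allocated formatted string, aborts on failure. */
static char *xasprintf(const char *fmt, ...) {
	char *s = malloc(128);   /* fixed size is enough for this model's strings */
	va_list ap;
	if (s == NULL) abort();
	va_start(ap, fmt);
	vsnprintf(s, 128, fmt, ap);
	va_end(ap);
	live_allocs++;
	return s;
}
static void xfree(char *p) { free(p); live_allocs--; }
/* Stand-in for pam_putenv (assumed behaviour): PAM copies the string, caller keeps ownership. */
static void fake_pam_putenv(const char *kv) {
	size_t len = strlen(kv) + 1;
	free(pam_env_conn);
	if ((pam_env_conn = malloc(len)) == NULL) abort();
	memcpy(pam_env_conn, kv, len);
}
/* Old shape: global conninfo, filled only on the first call because it is gated on sshpam_rhost. */
static char *sshpam_rhost, *sshpam_conninfo;
static void sshpam_init_old(const char *rhost, int rport, const char *laddr, int lport) {
	if (sshpam_rhost == NULL) {   /* first call only, as comment #2 explains */
		sshpam_rhost = xasprintf("%s", rhost);
		sshpam_conninfo = xasprintf("SSH_CONNECTION=%s %d %s %d", rhost, rport, laddr, lport);
	}
	fake_pam_putenv(sshpam_conninfo);   /* reused on every later call, never freed */
}

/* Fixed shape (the idea behind attachment 3644): build it locally, hand to PAM, free it. */
static void sshpam_init_new(const char *rhost, int rport, const char *laddr, int lport) {
	char *conninfo = xasprintf("SSH_CONNECTION=%s %d %s %d", rhost, rport, laddr, lport);
	fake_pam_putenv(conninfo);
	xfree(conninfo);   /* PAM has its copy; nothing is kept across calls */
}
/* Call init n times with constructed peer data; return how many allocations it left live. */
static int live_after(void (*init)(const char *, int, const char *, int), int n) {
	int before = live_allocs;
	for (int i = 0; i < n; i++) init("192.0.2.10", 50000 + i, "198.51.100.5", 22);
	return live_allocs - before;
}
```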
Damien Miller <djm at mindrot.org> changed:
What                   | Removed                 | Added
-----------------------|-------------------------|------
Attachment #3644 Flags | ok?(djm at mindrot.org) | ok+
bugzilla-daemon at mindrot.org
2022-Dec-19 08:24 UTC
[Bug 3508] Simplify handling of SSH_CONNECTION in auth-pam
Darren Tucker <dtucker at dtucker.net> changed:
What       | Removed                 | Added
-----------|-------------------------|------------------------------------------------
Resolution | ---                     | FIXED
Summary    | Memory leak in auth-pam | Simplify handling of SSH_CONNECTION in auth-pam
Status     | NEW                     | RESOLVED
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Thanks for the report, we've made the SSH_CONNECTION handling hopefully
clearer.
bugzilla-daemon at mindrot.org
2023-Mar-17 02:42 UTC
[Bug 3508] Simplify handling of SSH_CONNECTION in auth-pam
Damien Miller <djm at mindrot.org> changed:
What   | Removed  | Added
-------|----------|-------
Status | RESOLVED | CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
OpenSSH 9.3 has been released. Close resolved bugs