bugzilla-daemon at mindrot.org
2022-Dec-08 18:47 UTC
[Bug 3508] New: Memory leak in auth-pam
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 Bug ID: 3508 Summary: Memory leak in auth-pam Product: Portable OpenSSH Version: 9.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: PAM support Assignee: unassigned-bugs at mindrot.org Reporter: miazgapow at gmail.com In auth-pam.c, in sshpam_init, where the SSH_CONNECTION environment variable is being set, xasprintf is used. It allocates memory for the formatted string and returns it via the global sshpam_conninfo, which is later passed to pam_putenv, which copies the string. So memory under sshpam_conninfo is never freed, and then a reference to it is lost on another run of sshpam_init -- You are receiving this mail because: You are watching the assignee of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net Blocks| |3480 --- Comment #1 from Darren Tucker <dtucker at dtucker.net> --- I agree with your analysis. Putting on list for 9.2. Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3480 [Bug 3480] tracking bug for openssh-9.2 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 --- Comment #2 from Darren Tucker <dtucker at dtucker.net> --- Actually looking more closely I don't think it can leak. sshpam_conninfo is allocated at the same time as sshpam_rhost, which is also a global. On subsequent calls to sshpam_init, sshpam_rhost will already be set so sshpam_conninfo will not be re-populated, but it will get used again for pam_putenv. Freeing sshpam_conninfo would mean the during subsequent calls to sshpam_init it would not be available (either NULL if it was nulled out, or a use-after-free if not). -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Attachment #3643| |ok?(djm at mindrot.org) Flags| | --- Comment #3 from Darren Tucker <dtucker at dtucker.net> --- Created attachment 3643 --> https://bugzilla.mindrot.org/attachment.cgi?id=3643&action=edit Do not store sshpam_conninfo across calls to sshpam_init Those things said, the content of sshpam_conninfo is constructed of things that are guaranteed to be available (remote host and port, local port and address) so we don't actually need to cache it across calls at all and thus it doesn't need to be static or global. This puts all of the conninfo bits in one place. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3643|0 |1 is obsolete| | Attachment #3643|ok?(djm at mindrot.org) | Flags| | Attachment #3644| |ok?(djm at mindrot.org) Flags| | --- Comment #4 from Darren Tucker <dtucker at dtucker.net> --- Created attachment 3644 --> https://bugzilla.mindrot.org/attachment.cgi?id=3644&action=edit Do not store sshpam_conninfo across calls to sshpam_init Damien points out that sshpam_init does get called without the ssh context, so my first patch is not correct. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #3644|ok?(djm at mindrot.org) |ok+ Flags| | -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2022-Dec-19 08:24 UTC
[Bug 3508] Simplify handling of SSH_CONNECTION in auth-pam
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Summary|Memory leak in auth-pam |Simplify handling of | |SSH_CONNECTION in auth-pam Status|NEW |RESOLVED --- Comment #5 from Darren Tucker <dtucker at dtucker.net> --- Thanks for the report, we've made the SSH_CONNECTION handling hopefully clearer. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2023-Mar-17 02:42 UTC
[Bug 3508] Simplify handling of SSH_CONNECTION in auth-pam
https://bugzilla.mindrot.org/show_bug.cgi?id=3508 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #6 from Damien Miller <djm at mindrot.org> --- OpenSSH 9.3 has been released. Close resolved bugs -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.