Hanno Böck
2015-Mar-29 12:15 UTC
Invalid memory access / read stack overflow when reading config with zero bytes
Hi, When ssh accesses a config file that contains a zero byte it'll expose a stack overflow. This can only be seen with valgrind or with compiling ssh with address sanitizer. I'll attach the address sanitizer and valgrind output. Reproduce: dd if=/dev/zero of=zero bs=1 count=1 valgrind -q ssh -F zero x This was found while fuzzing ssh with american fuzzy lop. (Please CC me on replies, I'm not subscribed to the list.) cu, -- Hanno B?ck http://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: ssh-stackoverflow-asan.txt.gz Type: application/gzip Size: 958 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150329/44e47c50/attachment-0003.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: ssh-stackoverflow-valgrind.txt.gz Type: application/gzip Size: 339 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150329/44e47c50/attachment-0004.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150329/44e47c50/attachment-0005.bin>
Damien Miller
2015-Mar-29 22:19 UTC
Invalid memory access / read stack overflow when reading config with zero bytes
Thanks, What version of OpenSSH is this? Also, when reporting fuzzer-derived problems it really helps to include the test-case. -d On Sun, 29 Mar 2015, Hanno B?ck wrote:> Hi, > > When ssh accesses a config file that contains a zero byte it'll expose > a stack overflow. This can only be seen with valgrind or with compiling > ssh with address sanitizer. I'll attach the address sanitizer and > valgrind output. > > Reproduce: > dd if=/dev/zero of=zero bs=1 count=1 > valgrind -q ssh -F zero x > > This was found while fuzzing ssh with american fuzzy lop. > > (Please CC me on replies, I'm not subscribed to the list.) > > cu, > -- > Hanno B?ck > http://hboeck.de/ > > mail/jabber: hanno at hboeck.de > GPG: BBB51E42 >
Hanno Böck
2015-Mar-29 22:36 UTC
Invalid memory access / read stack overflow when reading config with zero bytes
On Mon, 30 Mar 2015 09:19:02 +1100 (AEDT) Damien Miller <djm at mindrot.org> wrote:> What version of OpenSSH is this?6.8 portable on Linux.> Also, when reporting fuzzer-derived problems it really helps to > include the test-case.The "test case" is a one byte file containing a zero byte. But here it is :-) -- Hanno B?ck http://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150330/9bfa2215/attachment.bin>
Reasonably Related Threads
- Invalid memory access / read stack overflow when reading config with zero bytes
- Invalid memory access / read stack overflow when reading config with zero bytes
- Invalid memory access / read stack overflow when reading config with zero bytes
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login