https://bugzilla.mindrot.org/show_bug.cgi?id=3256
Bug ID: 3256
Summary: Illegal Instruction
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: andres at antai-group.com
Specially crafted input in configuration files triggers an "Illegal
Instruction" from both the server and the client application when they
are supplied with particular values for the RekeyLimit parameter. The
issue usually impacts scan_scaled() in fmt_scaled.c; the size of the
supplied buffer seems to influence how the problem triggers.
scan_scaled()
// Line 198:
// scale_fact is zero, scale_fact largely varies depending on input
fpart *= scale_fact; // Illegal instruction
As RekeyLimit limits the amount of data transmitted with a single
session key, there could be some security impact if the bug is
triggered intentionally or unintentionally in the configuration file.
Further investigation is required. Keeping this ticket as private for
now.
Impact
- Availability of application
- Further impact needs to be investigated
Attached is a PoC that triggers the issue.
PoC command:
/usr/sbin/sshd -f illegal-instruction.txt
NOTE: Graceful error handling should emit an error such as:
"Bad number '-4.4P1111111111111P': Invalid argument"
When the actual illegal instruction is triggered, two messages have
been seen:
"Illegal instruction" or simply "Aborted"
See attached file "illegal-instruction.txt"
--
You are receiving this mail because:
You are watching the assignee of the bug.
--- Comment #1 from Carlos Ramirez <andres at antai-group.com> ---
Missing attachment in main post. Here are the contents of the PoC file;
use it as the config file:
RekeyLimit -4.411111111111111111111111111P
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |DUPLICATE
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
This is the convtime() integer overflow that was recently fixed. It's a
SIGILL because we set -ftrapv, which deliberately faults the process
whenever one occurs.
*** This bug has been marked as a duplicate of bug 3250 ***
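The multiplication quoted in the report is the point where the parsed value stops being representable, and -ftrapv turns that signed overflow into the trap the reporter saw. As an added example (not OpenSSH's scan_scaled() or any code from this thread), here is a hypothetical overflow-checked parser of the same shape: every arithmetic step goes through the GCC/clang __builtin_*_overflow intrinsics, so the PoC value from Comment #1 is rejected with errno = EINVAL instead of overflowing. The names scan_scaled_checked and scaled_or are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <string.h>
/* Hypothetical hardened parser (added example, not OpenSSH's scan_scaled()).
 * Accepts "[-]<digits>[.<digits>][B|K|M|G|T|P|E]" and converts to bytes,
 * each suffix letter being one more factor of 1024. Every arithmetic step
 * is checked, so the PoC "-4.411111111111111111111111111P" fails cleanly
 * with errno = EINVAL instead of overflowing (which -ftrapv turns into a trap). */
int scan_scaled_checked(const char *s, long long *result)
{
    static const char suffixes[] = "BKMGTPE";
    long long whole = 0, fpart = 0, fscale = 1, scale = 1, tmp;
    int neg = 0;
    if (*s == '-') { neg = 1; s++; }
    if (!isdigit((unsigned char)*s)) goto bad;
    for (; isdigit((unsigned char)*s); s++)
        if (__builtin_mul_overflow(whole, 10, &whole) ||
            __builtin_add_overflow(whole, *s - '0', &whole)) goto bad;
    if (*s == '.') {
        /* fractional digits: accumulate numerator and its power-of-ten scale */
        for (s++; isdigit((unsigned char)*s); s++)
            if (__builtin_mul_overflow(fpart, 10, &fpart) ||
                __builtin_add_overflow(fpart, *s - '0', &fpart) ||
                __builtin_mul_overflow(fscale, 10, &fscale)) goto bad;
    }
    if (*s != '\0') {
        const char *p = strchr(suffixes, toupper((unsigned char)*s));
        if (p == NULL || s[1] != '\0') goto bad;
        for (long i = p - suffixes; i > 0; i--)
            if (__builtin_mul_overflow(scale, 1024, &scale)) goto bad;
    }
    /* value = whole*scale + (fpart*scale)/fscale; the unchecked form of the
     * second product is the "fpart *= scale_fact" line quoted in the report */
    if (__builtin_mul_overflow(whole, scale, &whole) ||
        __builtin_mul_overflow(fpart, scale, &tmp) ||
        __builtin_add_overflow(whole, tmp / fscale, &whole)) goto bad;
    *result = neg ? -whole : whole;
    return 0;
bad:
    errno = EINVAL;
    return -1;
}
/* Convenience wrapper: the parsed value, or sentinel when the input is rejected. */
long long scaled_or(const char *s, long long sentinel)
{
    long long v;
    return scan_scaled_checked(s, &v) == 0 ? v : sentinel;
}
```

Compiling the same file with -ftrapv and replacing the checked products with plain `*=` reproduces the trap-on-overflow behaviour Damien describes, whereas the checked version keeps the "Bad number ... Invalid argument" style of failure the reporter expected.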
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Close bugs that were resolved in the OpenSSH 8.5 release cycle.