bugzilla-daemon at mindrot.org
2022-Mar-10 04:54 UTC
[Bug 3401] New: Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

            Bug ID: 3401
           Summary: Illegal hardware instruction
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: andres at antai-group.com

Created attachment 3578
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3578&action=edit
PoC configuration file for ssh. Usage: "sshd -t -f poc.conf"

* LOW RISK/Further testing is required to understand the issue.

An illegal hardware instruction that crashes sshd occurs under some
circumstances when input is provided through its configuration file.
The problem resides in the "RekeyLimit" configuration option, when the
maximum amount of time that may pass before the session key is
renegotiated is provided.

The biggest risk is Availability of sshd, particularly for cases where
mass configuration of servers is done through automated pipelines that
dynamically generate the configuration files and might generate an
input value that triggers the issue.

======================== PoC Command output: ========================

valgrind sshd -t -f poc.conf

Valgrind output:

...
...
==3348611== Process terminating with default action of signal 4 (SIGILL)
==3348611==  Illegal opcode at address 0x1857A5
==3348611==    at 0x1857A5: UnknownInlinedFun (fmt_scaled.c:122)
==3348611==    by 0x1857A5: process_server_config_line_depth (servconf.c:1682)
==3348611==    by 0x185EA6: parse_server_config_depth (servconf.c:2687)
==3348611==    by 0x186F39: parse_server_config (servconf.c:2704)
==3348611==    by 0x1576CC: main (sshd.c:1742)
...
...
zsh: illegal hardware instruction

========================

See attached file poc.conf

---
Carlos Andres Ramirez

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Mar-10 05:35 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
Attachment #3578   |application/octet-stream    |text/plain
          mime type|                            |
bugzilla-daemon at mindrot.org
2022-Mar-10 05:45 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The problematic line is:

RekeyLimit -.060000000000000000E.0

Smells like either integer overflow trapped by -ftrapv or divide-by-zero
somewhere.  It's more easily reproduced with ssh, which takes the same
keyword:

$ cat poc.conf
RekeyLimit -.060000000000000000E.0
$ gdb --args ./ssh -F poc.conf localhost
Reading symbols from ./ssh...
(gdb) run
[...]
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
49        return ret;
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7a9c8a4 in __GI_abort () at abort.c:79
#2  0x0000555555602fc4 in __mulvdi3 ()
#3  0x00005555555fc5ea in scan_scaled (
    scaled=scaled@entry=0x555555662ba0 "-.06", '0' <repeats 16 times>, "E.0",
    result=result@entry=0x7fffffffa930)
    at ../../../openbsd-compat/fmt_scaled.c:198
#4  0x000055555556de97 in process_config_line_depth (
    options=options@entry=0x555555652360 <options>,
    pw=pw@entry=0x55555565d550,
    host=host@entry=0x55555565de10 "localhost",
    original_host=original_host@entry=0x555555661970 "localhost",
    line=<optimized out>, filename=filename@entry=0x555555656350 "poc.conf",
    linenum=1, activep=0x7fffffffb424, flags=2,
    want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:1175
#5  0x000055555556e570 in read_config_file_depth (
    filename=0x555555656350 "poc.conf", pw=0x55555565d550,
    host=0x55555565de10 "localhost",
    original_host=0x555555661970 "localhost",
    options=0x555555652360 <options>, flags=2, activep=0x7fffffffb424,
    want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:2285
#6  0x000055555556e79d in read_config_file (filename=<optimized out>,
    pw=<optimized out>, host=<optimized out>, original_host=<optimized out>,
    options=<optimized out>, flags=<optimized out>,
    want_final_pass=0x7fffffffc504) at ../../readconf.c:2238
--Type <RET> for more, q to quit, c to continue without paging--
#7  0x0000555555564eb7 in process_config_files (
    host_name=0x555555661970 "localhost", pw=0x55555565d550, final_pass=0,
    want_final_pass=0x7fffffffc504) at ../../ssh.c:555
#8  0x00005555555603cc in main (ac=<optimized out>, av=<optimized out>)
    at ../../ssh.c:1146
(gdb) frame 3
#3  0x00005555555fc5ea in scan_scaled (
    scaled=scaled@entry=0x555555662ba0 "-.06", '0' <repeats 16 times>, "E.0",
    result=result@entry=0x7fffffffa930)
    at ../../../openbsd-compat/fmt_scaled.c:198
198             fpart *= scale_fact;
(gdb) print fpart
$1 = -60000000000000000
(gdb) print scale_fact
$2 = 1152921504606846976
(gdb)

yep, a trapped integer overflow.  In the case where it's built w/out
-ftrapv you'll get an unexpected and possibly useless value for
RekeyLimit, but otherwise I don't think it'll have any effect.
bugzilla-daemon at mindrot.org
2022-Mar-10 06:12 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3395

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
bugzilla-daemon at mindrot.org
2022-Mar-10 06:36 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3579
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3579&action=edit
Check for scaling underflow in scan_scaled.

This should fix it.

$ ./ssh -F poc.conf localhost
poc.conf line 1: RekeyLimit too small
poc.conf: terminating, 1 bad configuration options
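The overflow diagnosed in comment #1 and the two-sided guard described by the attachment title in comment #2, as an added example that is not part of the thread: the code below is a reduced re-implementation of the scan_scaled() parsing scheme (whole part, fractional part, binary suffix) written for this page, not OpenSSH's fmt_scaled.c and not the attached patch. It assumes the suffix table B/K/M/G/T/P/E (2^0 .. 2^60), a 16-byte RekeyLimit floor standing in for the caller-side check that prints "RekeyLimit too small", and constructed inputs; the names needs_trunc_old, needs_trunc_new, scan_scaled_demo, parse_status, parse_value and rekey_limit_check are hypothetical. Where 8.9p1 executed fpart *= scale_fact (the __mulvdi3 trap site in the backtrace) the example routes the product through __builtin_mul_overflow, so the pre-fix guard can be exercised without undefined behaviour.

```c
/*
 * Added example, not OpenSSH's fmt_scaled.c: a reduced re-implementation of
 * the scan_scaled() scheme to show why the guard that shrinks the fraction
 * before scaling must bound it from both sides.  Inputs are constructed;
 * the 16-byte RekeyLimit floor is an assumption.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

static const char scale_chars[] = "BKMGTPE";   /* B=1, K=2^10 ... E=2^60 */

static long long scale_for(char c)
{
	const char *p = c ? strchr(scale_chars, toupper((unsigned char)c)) : NULL;
	return p ? 1LL << (10 * (p - scale_chars)) : 0;
}

/* Pre-fix guard: upper bound only, so a negative fpart is never shrunk. */
static bool needs_trunc_old(long long fpart, long long scale)
{
	return fpart >= LLONG_MAX / scale;
}
/* Fixed guard: also bounds the fraction from below. */
static bool needs_trunc_new(long long fpart, long long scale)
{
	return fpart >= LLONG_MAX / scale || fpart <= LLONG_MIN / scale;
}

/*
 * Parse "[+-]digits[.digits][BKMGTPE]" into *result.  Returns 0, or -1 with
 * errno set to EINVAL/ERANGE.  Every product is overflow-checked; the
 * fpart*scale step reports ERANGE where 8.9p1 trapped under -ftrapv.
 */
static int scan_scaled_demo(const char *s, long long *result,
    bool (*needs_trunc)(long long, long long))
{
	long long whole = 0, fpart = 0, scale, tmp;
	int sign = 1, fract_digits = 0;   /* 0 = no '.'; else 1 + digits seen */

	while (isspace((unsigned char)*s))
		s++;
	if (*s == '-' || *s == '+')
		sign = (*s++ == '-') ? -1 : 1;
	for (; isdigit((unsigned char)*s) || *s == '.'; s++) {
		if (*s == '.') {
			if (fract_digits) { errno = EINVAL; return -1; }
			fract_digits = 1;
			continue;
		}
		long long *acc = fract_digits ? &fpart : &whole;
		if (__builtin_mul_overflow(*acc, 10, acc) ||
		    __builtin_add_overflow(*acc, *s - '0', acc)) {
			errno = ERANGE; return -1;
		}
		if (fract_digits)
			fract_digits++;
	}
	whole *= sign;
	fpart *= sign;
	if (*s == '\0') {                 /* no suffix: fraction is dropped */
		*result = whole;
		return 0;
	}
	if ((scale = scale_for(*s)) == 0 || isalnum((unsigned char)s[1])) {
		errno = EINVAL; return -1;
	}
	if (whole > LLONG_MAX / scale || whole < LLONG_MIN / scale) {
		errno = ERANGE; return -1;
	}
	whole *= scale;
	while (needs_trunc(fpart, scale)) {   /* shrink fraction so it fits */
		fpart /= 10;
		fract_digits--;
	}
	if (__builtin_mul_overflow(fpart, scale, &tmp)) {
		errno = ERANGE; return -1;    /* the 8.9p1 trap site */
	}
	for (fpart = tmp; fract_digits > 1; fract_digits--)
		fpart /= 10;                  /* undo the decimal shift */
	if (__builtin_add_overflow(whole, fpart, result)) {
		errno = ERANGE; return -1;
	}
	return 0;
}

/* Wrappers: errno of a parse (0 on success); value under the fixed guard. */
static int parse_status(const char *s, bool old_guard)
{
	long long v;
	errno = 0;
	return scan_scaled_demo(s, &v, old_guard ? needs_trunc_old
	    : needs_trunc_new) ? errno : 0;
}
static long long parse_value(const char *s)
{
	long long v;
	return scan_scaled_demo(s, &v, needs_trunc_new) ? LLONG_MIN : v;
}

/* Caller-side check as a RekeyLimit parser would apply it (assumed floor
 * of 16 bytes).  NULL means the value is acceptable. */
static const char *rekey_limit_check(const char *arg)
{
	long long v;
	if (scan_scaled_demo(arg, &v, needs_trunc_new) != 0)
		return errno == ERANGE ? "Bad number: out of range"
		    : "Bad number: invalid argument";
	return (v != 0 && v < 16) ? "RekeyLimit too small" : NULL;
}

int main(void)
{
	const char *poc = "-.060000000000000000E.0";   /* value from the PoC */
	printf("old guard: status %d (ERANGE=%d)\n", parse_status(poc, true), ERANGE);
	printf("new guard: value %lld -> %s\n", parse_value(poc), rekey_limit_check(poc));
	printf("1.5K -> %lld, 1G -> %lld\n", parse_value("1.5K"), parse_value("1G"));
	return 0;
}
```

Build with `cc -std=c11 -Wall scaled_demo.c && ./a.out`; adding -ftrapv changes nothing here because the product is only computed once a guard has proven it fits. With the old guard the PoC string reaches the multiplication with fpart = -60000000000000000 and scale 2^60, exactly the pair printed from frame 3, and is reported as out of range; with the two-sided guard the fraction is shrunk first and the parse completes with a finite but useless negative value, which the caller-side floor then rejects with the same "RekeyLimit too small" that the patched ssh prints in comment #2.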
bugzilla-daemon at mindrot.org
2022-Mar-10 07:00 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

--- Comment #3 from Carlos Ramirez <andres at antai-group.com> ---
Yes, I just had the time to check, it is an integer underflow.  A script
in the automatic config generation was subtracting bigger time values
from smaller values and then generating text configuration files - I had
to manually test several systems and identify the issue and
suggest/provide a fix.

For the sake of case tracking, do you think a CVE ID can be assigned to
this issue?
bugzilla-daemon at mindrot.org
2022-Mar-10 08:07 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Carlos Ramirez from comment #3)
> For the sake of case tracking, do you think this can be assigned a
> CVE ID to this issue?

No, I don't think so.  It's at worst a self-DoS requiring root access on
the server side, and root has an infinite number of ways it can break
sshd's config.
bugzilla-daemon at mindrot.org
2022-Mar-10 08:41 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

--- Comment #5 from Carlos Ramirez <andres at antai-group.com> ---
Understood, scope is very limited and comes down to automated deployment
systems not making any mistakes when generating the configuration - so
this falls into a QA/bug category.

Thank you Darren for the prompt action and patch!

---
Carlos Andres Ramirez
bugzilla-daemon at mindrot.org
2022-Mar-10 09:51 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

--- Comment #6 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Carlos Ramirez from comment #5)
> Understood, scope is very limited and comes down to automated
> deployment systems not making any mistakes when generating the
> configuration

It's also triggered in config-test mode.  Any system that deploys new
configs should be using this to test that they're valid:

$ `pwd`/sshd -t -f poc.conf
Aborted
$ echo $?
134

so to be affected you'd have to implement an automated config generation
and deployment system that performs no validation.
bugzilla-daemon at mindrot.org
2022-Mar-11 08:00 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Darren Tucker <dtucker at dtucker.net> ---
This has been committed (both to master and V_8_9 branch) and will be in
the next release.  Thanks for the report.
bugzilla-daemon at mindrot.org
2022-Apr-08 02:12 UTC
[Bug 3401] Illegal hardware instruction
https://bugzilla.mindrot.org/show_bug.cgi?id=3401

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
closing bug resolved during openssh-9.0 release cycle