bugzilla-daemon at mindrot.org
2025-Apr-30 21:53 UTC
[Bug 3819] New: safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819

            Bug ID: 3819
           Summary: safe_path may pass overlapping source and destination pointers on some systems
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Created attachment 3874
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3874&action=edit
Fix overlapping strlcpy with some dirname implementations

While investigating another problem (https://bugs.debian.org/1103418, which I haven't yet managed to track down far enough to figure out how to reproduce it or whether it's caused by Debian patches), I noticed this in valgrind output:

sshd[22181]: ==22181== Source and destination overlap in strlcpy(0x1ffeffd7e3, 0x1ffeffd7e3, 4096)
sshd[22181]: ==22181==    at 0x484E64D: strlcpy (vg_replace_strmem.c:667)
sshd[22181]: ==22181==    by 0x189ED5: UnknownInlinedFun (string_fortified.h:169)
sshd[22181]: ==22181==    by 0x189ED5: safe_path (misc.c:2335)
sshd[22181]: ==22181==    by 0x18A09D: safe_path_fd (misc.c:2376)
sshd[22181]: ==22181==    by 0x138C47: auth_openfile (auth2-pubkeyfile.c:477)
sshd[22181]: ==22181==    by 0x13783A: user_key_allowed2 (auth2-pubkey.c:638)
sshd[22181]: ==22181==    by 0x13783A: user_key_allowed (auth2-pubkey.c:839)
sshd[22181]: ==22181==    by 0x13B544: mm_answer_keyallowed (monitor.c:1339)
sshd[22181]: ==22181==    by 0x13D66D: monitor_read (monitor.c:550)
sshd[22181]: ==22181==    by 0x140B95: monitor_child_preauth (monitor.c:319)
sshd[22181]: ==22181==    by 0x118620: privsep_preauth (sshd-session.c:367)
sshd[22181]: ==22181==    by 0x118620: main (sshd-session.c:1320)

OpenBSD's dirname(3) is documented as returning a pointer into internal static storage (https://man.openbsd.org/dirname.3), but glibc's (https://manpages.debian.org/testing/manpages-dev/dirname.3.en.html) says "Alternatively, they may return a pointer to some part of *path*". That causes safe_path to pass overlapping source and destination pointers to strlcpy, which is undefined behaviour according to https://man.openbsd.org/strlcpy.3. I think the simplest thing to do is to copy the source buffer first. Patch attached.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
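The following is an added illustration of the report above and is neither OpenSSH's safe_path nor the attached patch: it shows the in-place `strlcpy(buf, dirname(buf), n)` pattern, a wrapper that refuses overlapping arguments the way valgrind flagged them, and the copy-first variant the report proposes, driven through a safe_path-style walk from a file up to the root. It assumes only POSIX dirname(3) from <libgen.h>; my_strlcpy, checked_strlcpy, ranges_overlap, parent_dir_aliasing, parent_dir_copy_first, ancestors and the check_* helpers are all local names invented for this example, and the path strings are constructed sample input.

```c
#include <libgen.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096

/* Local strlcpy with the OpenBSD contract (copies at most siz-1 bytes,
 * always NUL-terminates when siz > 0, returns strlen(src)). Defined here
 * so the example builds on libcs without strlcpy; like the real one it
 * is undefined for overlapping src/dst, so we never call it that way. */
static size_t my_strlcpy(char *dst, const char *src, size_t siz)
{
    size_t n = strlen(src);
    if (siz > 0) {
        size_t c = n < siz - 1 ? n : siz - 1;
        memcpy(dst, src, c);
        dst[c] = '\0';
    }
    return n;
}

/* 1 if [a, a+alen) and [b, b+blen) share a byte. Integer compare, so it
 * is well-defined even when the two pointers address different objects. */
static int ranges_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t x = (uintptr_t)a, y = (uintptr_t)b;
    return x < y + blen && y < x + alen;
}

/* The check valgrind performed: refuse overlapping arguments instead of
 * invoking undefined behaviour. Returns (size_t)-1 on overlap. */
static size_t checked_strlcpy(char *dst, const char *src, size_t siz)
{
    if (ranges_overlap(dst, siz, src, strlen(src) + 1))
        return (size_t)-1;
    return my_strlcpy(dst, src, siz);
}

/* The pattern the bug is about: replace the path in buf with its parent
 * in place. With a dirname() that returns a pointer into its argument
 * (glibc, musl) src and dst alias and the copy is refused. */
static int parent_dir_aliasing(char *buf, size_t bufsz)
{
    const char *d = dirname(buf);           /* may point into buf */
    return checked_strlcpy(buf, d, bufsz) < bufsz ? 0 : -1;
}

/* Copy-first fix: dirname() runs on the copy, so its result (static
 * storage or a pointer into tmp) can never overlap buf. */
static int parent_dir_copy_first(char *buf, size_t bufsz)
{
    char tmp[PATH_BUF];
    if (my_strlcpy(tmp, buf, sizeof tmp) >= sizeof tmp)
        return -1;                          /* too long: fail closed */
    return checked_strlcpy(buf, dirname(tmp), bufsz) < bufsz ? 0 : -1;
}

/* safe_path-style walk: visit every ancestor of path until dirname()
 * stops changing it ("/" or "."). Ancestors are written to out, space
 * separated; returns their count, or -1 on error/truncation. */
static int ancestors(const char *path, char *out, size_t outsz)
{
    char buf[PATH_BUF], prev[PATH_BUF];
    int n = 0;
    if (outsz == 0 || my_strlcpy(buf, path, sizeof buf) >= sizeof buf)
        return -1;
    out[0] = '\0';
    for (;;) {
        my_strlcpy(prev, buf, sizeof prev);
        if (parent_dir_copy_first(buf, sizeof buf) != 0)
            return -1;
        if (strcmp(prev, buf) == 0)
            break;
        size_t used = strlen(out);
        int w = snprintf(out + used, outsz - used, "%s%s", n ? " " : "", buf);
        if (w < 0 || (size_t)w >= outsz - used)
            return -1;
        n++;
    }
    return n;
}

static int check_parent(const char *in, const char *expect)
{
    char buf[PATH_BUF];
    if (my_strlcpy(buf, in, sizeof buf) >= sizeof buf)
        return 0;
    return parent_dir_copy_first(buf, sizeof buf) == 0 && strcmp(buf, expect) == 0;
}

static int check_ancestors(const char *in, const char *expect)
{
    char out[PATH_BUF];
    return ancestors(in, out, sizeof out) >= 0 && strcmp(out, expect) == 0;
}

/* Does this libc's dirname() return a pointer into its argument? */
static int dirname_aliases_input(void)
{
    char buf[] = "/a/b";
    const char *d = dirname(buf);
    return ranges_overlap(buf, sizeof buf, d, strlen(d) + 1);
}

int main(void)
{
    char buf[PATH_BUF] = "/home/user/.ssh/authorized_keys", out[PATH_BUF];
    printf("dirname() aliases its argument here: %s\n", dirname_aliases_input() ? "yes" : "no");
    printf("in-place strlcpy(buf, dirname(buf)): %s\n",
           parent_dir_aliasing(buf, sizeof buf) == 0 ? "ok" : "refused (overlap)");
    if (ancestors("/home/user/.ssh/authorized_keys", out, sizeof out) >= 0)
        printf("ancestors: %s\n", out);
    return 0;
}
```

On glibc the in-place variant is refused because dirname() hands back buf itself after writing a NUL into it; on OpenBSD it succeeds because the result lives in static storage. The copy-first variant behaves identically on both, which is the property a portable safe_path needs.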
bugzilla-daemon at mindrot.org
2025-Apr-30 23:18 UTC
[Bug 3819] safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|10.0p1                      |10.0p2
bugzilla-daemon at mindrot.org
2025-May-22 03:37 UTC
[Bug 3819] safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
             Blocks|                            |3808

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3808
[Bug 3808] Tracking bug for OpenSSH 10.1
bugzilla-daemon at mindrot.org
2025-May-22 03:54 UTC
[Bug 3819] safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Applied upstream and will be in 10.1. Thanks for the report.