bugzilla-daemon at mindrot.org
2025-Apr-30 21:53 UTC
[Bug 3819] New: safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819
Bug ID: 3819
Summary: safe_path may pass overlapping source and destination
pointers on some systems
Product: Portable OpenSSH
Version: 10.0p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
Created attachment 3874
--> https://bugzilla.mindrot.org/attachment.cgi?id=3874&action=edit
Fix overlapping strlcpy with some dirname implementations
While investigating another problem (https://bugs.debian.org/1103418,
which I haven't yet managed to track down far enough to figure out how
to reproduce it or whether it's caused by Debian patches), I noticed
this in valgrind output:
sshd[22181]: ==22181== Source and destination overlap in
strlcpy(0x1ffeffd7e3, 0x1ffeffd7e3, 4096)
sshd[22181]: ==22181== at 0x484E64D: strlcpy
(vg_replace_strmem.c:667)
sshd[22181]: ==22181== by 0x189ED5: UnknownInlinedFun
(string_fortified.h:169)
sshd[22181]: ==22181== by 0x189ED5: safe_path (misc.c:2335)
sshd[22181]: ==22181== by 0x18A09D: safe_path_fd (misc.c:2376)
sshd[22181]: ==22181== by 0x138C47: auth_openfile
(auth2-pubkeyfile.c:477)
sshd[22181]: ==22181== by 0x13783A: user_key_allowed2
(auth2-pubkey.c:638)
sshd[22181]: ==22181== by 0x13783A: user_key_allowed
(auth2-pubkey.c:839)
sshd[22181]: ==22181== by 0x13B544: mm_answer_keyallowed
(monitor.c:1339)
sshd[22181]: ==22181== by 0x13D66D: monitor_read (monitor.c:550)
sshd[22181]: ==22181== by 0x140B95: monitor_child_preauth
(monitor.c:319)
sshd[22181]: ==22181== by 0x118620: privsep_preauth
(sshd-session.c:367)
sshd[22181]: ==22181== by 0x118620: main (sshd-session.c:1320)
OpenBSD's dirname(3) is documented as returning a pointer into internal
static storage (https://man.openbsd.org/dirname.3), but glibc's
(https://manpages.debian.org/testing/manpages-dev/dirname.3.en.html)
says "Alternatively, they may return a pointer to some part of
*path*".
That causes safe_path to pass overlapping source and destination
pointers to strlcpy, which is undefined behaviour according to
https://man.openbsd.org/strlcpy.3.
I think the simplest thing to do is to copy the source buffer first.
Patch attached.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Apr-30 23:18 UTC
[Bug 3819] safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|10.0p1 |10.0p2
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-May-22 03:37 UTC
[Bug 3819] safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Blocks| |3808
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3808
[Bug 3808] Tracking bug for OpenSSH 10.1
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-May-22 03:54 UTC
[Bug 3819] safe_path may pass overlapping source and destination pointers on some systems
https://bugzilla.mindrot.org/show_bug.cgi?id=3819
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
Applied upstream and will be in 10.1. Thanks for the report.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.