bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-24 03:58 UTC
[Bug 2608] New: Signed overflow in openbsd-compat/strlcpy.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Bug ID: 2608
Summary: Signed overflow in openbsd-compat/strlcpy.c
Product: Portable OpenSSH
Version: 7.3p1
Hardware: All
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: yuanjie.huang at windriver.com
Created attachment 2866
--> https://bugzilla.mindrot.org/attachment.cgi?id=2866&action=edit
test driver of strlcpy to demo the bug.
Pointer arithmatic results in implementation defined signed integer
type, so that 's - src' in strlcpy and others may trigger signed
overflow.
When the code is compiled by gcc or clang with -ftrapv option, the
overflow would lead to program abort.
$ gcc test.c strlcpy.c -o test -m32 -ftrapv
$ ./test
Allocating src starting from 0x7fffff40
Trying to copy 0x400 from 0x7fffff40 to 0x9630008
Aborted (core dumped)
The proposed fix is also attached.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Aug-24 03:59 UTC
[Bug 2608] Signed overflow in openbsd-compat/strlcpy.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2608 --- Comment #1 from Yuanjie Huang <yuanjie.huang at windriver.com> --- Created attachment 2867 --> https://bugzilla.mindrot.org/attachment.cgi?id=2867&action=edit proposed fix. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-14 17:29 UTC
[Bug 2608] Signed overflow in openbsd-compat/strlcpy.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |2594
CC| |dtucker at zip.com.au
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
Thanks. Looking (these files are sourced from OpenBSD, so any changes
will need to go upstream first).
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-16 17:48 UTC
[Bug 2608] Signed overflow in openbsd-compat/strlcpy.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks|2594 |
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> ---
I applied then, after some discussion with some folks, reverted your
change.
The rationale is that C11 6.5.6.9 says:
"""
When two pointers are subtracted, both shall point to elements of the
same array object, or one past the last element of the array object;
the
result is the difference of the subscripts of the two array elements.
"""
In these cases the objects are arrays of char so the result is defined,
and we believe that the compiler incorrectly trapping on defined
behaviour.
I also found https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63303
("Pointer subtraction is broken when using -fsanitize=undefined")
which
seems to support this position.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2594
[Bug 2594] Tracking bug for OpenSSH 7.4 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jun-17 05:58 UTC
[Bug 2608] Signed overflow in openbsd-compat/strlcpy.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Hongxu Jia <hongxu.jia at windriver.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hongxu.jia at windriver.com
--- Comment #4 from Hongxu Jia <hongxu.jia at windriver.com> ---
Created attachment 3293
--> https://bugzilla.mindrot.org/attachment.cgi?id=3293&action=edit
proposed fix v2
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 11:17 UTC
[Bug 2608] Signed overflow in openbsd-compat/strlcpy.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
CC| |djm at mindrot.org
Status|NEW |RESOLVED
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
I agree with Darren's analysis - the existing implementation is
compliant with ISO C.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:02 UTC
[Bug 2608] Signed overflow in openbsd-compat/strlcpy.c
https://bugzilla.mindrot.org/show_bug.cgi?id=2608
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
Reasonably Related Threads
- [PATCH] configure.ac/cipher.c: Check for OpenSSL with EVP_des_ede3_cbc
- [LLVMdev] Missing libclang_rt.san-x86_64.a file for Compiler-rt
- [LLVMdev] In llvm, how can I delete a whole branch elegantly?
- [LLVMdev] internal compiler error when compiling llvm-gcc-4.2-2.9
- [PATCH] tftp-hpa: add error check for disk filled up