bugzilla-daemon at mindrot.org
2022-Jan-20 03:38 UTC
[Bug 3382] New: Software vulnerabilities detected using ESBMC-WR tool
https://bugzilla.mindrot.org/show_bug.cgi?id=3382
Bug ID: 3382
Summary: Software vulnerabilities detected using ESBMC-WR tool
Product: Portable OpenSSH
Version: 8.8p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: janislley at gmail.com
Hello,
2 potential software vulnerabilities were found in the code.
To identify this kind of vulnerability I used the tool ESBMC-WR:
https://github.com/thalestas/esbmc-wr
Please check the logs of the analysis:
Issue #1
--------
State 2 file syserr.c line 4 function strerror thread 0
----------------------------------------------------
errnum = -2147483648 (10000000 00000000 00000000 00000000)
State 3 file syserr.c line 108 function strerror thread 0
----------------------------------------------------
Violated property:
file syserr.c line 108 function strerror
array bounds violated: array `sys_errlist' lower bound
(signed long int)errnum >= 0
Issue #2
--------
State 3 file utimensattest.c line 46 function fail thread 0
----------------------------------------------------
saved_errno = -2147483648 (10000000 00000000 00000000 00000000)
State 4 file syserr.c line 4 function strerror thread 0
----------------------------------------------------
errnum = -2147483648 (10000000 00000000 00000000 00000000)
State 5 file syserr.c line 108 function strerror thread 0
----------------------------------------------------
Violated property:
file syserr.c line 108 function strerror
array bounds violated: array `sys_errlist' lower bound
(signed long int)errnum >= 0
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Jan-20 04:01 UTC
[Bug 3382] Software vulnerabilities detected using ESBMC-WR tool
https://bugzilla.mindrot.org/show_bug.cgi?id=3382
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I think these are both false positives.
(In reply to janislley from comment #0)
[...]
> State 2 file syserr.c
There is no file with that name in OpenSSH. There is (potentially, if
depending on autoconf) a strerror, however a) it's in bsd-misc.c and b)
Linuxes usually have a native strerror.
> line 4 function strerror thread 0
Line 4 in bsd-misc.c is in the middle of a comment block.
[...]
> State 3 file syserr.c line 108 function strerror thread 0
Line 108 in bsd-misc.c is a blank line after the strerror function.
In addition, the strerror replacement explicitly checks for errno<0:
    const char *strerror(int e)
    {
    	extern int sys_nerr;
    	extern char *sys_errlist[];

    	if ((e >= 0) && (e < sys_nerr))
    		return (sys_errlist[e]);
    	return ("unlisted error");
    }
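The location check done by hand in comment #1 (does the cited file exist, and is the cited line code, a comment or blank), as an added example that is not part of this bug thread or of OpenSSH. The function names are hypothetical and TREE is a constructed stand-in whose layout does not match the real bsd-misc.c; only the trace lines are copied from the report.

```python
import re

# "file F line N function FN" as printed in the counterexample trace.
LOC = re.compile(r"file (\S+) line (\d+) function (\S+)")

def parse_locations(trace):
    """Unique (file, line, function) tuples, in order of appearance."""
    seen = []
    for m in LOC.finditer(trace):
        loc = (m.group(1), int(m.group(2)), m.group(3))
        if loc not in seen:
            seen.append(loc)
    return seen

def classify(tree, path, lineno):
    """Describe the cited line in the given tree (heuristic: /* */ comments only)."""
    if path not in tree:
        return "missing-file"
    lines = tree[path].splitlines()
    if not 1 <= lineno <= len(lines):
        return "out-of-range"
    in_comment, kind = False, "code"
    for text in lines[:lineno]:
        stripped = text.strip()
        kind = "code" if stripped else "blank"
        if in_comment or stripped.startswith("/*"):
            kind = "comment"
            in_comment = "*/" not in stripped
    return kind

def triage(trace, tree):
    """Pair every location in the trace with what the tree has there."""
    return [(f, n, fn, classify(tree, f, n)) for f, n, fn in parse_locations(trace)]

# Trace lines copied from Issue #1 in the report.
TRACE = """State 2 file syserr.c line 4 function strerror thread 0
State 3 file syserr.c line 108 function strerror thread 0
file syserr.c line 108 function strerror
"""

# Constructed stand-in tree: file name from comment #1, contents invented.
TREE = {"bsd-misc.c": "/*\n * constructed header\n */\n\n"
        "const char *strerror(int e)\n{\n\treturn (\"unlisted error\");\n}\n\n"}

if __name__ == "__main__":
    for row in triage(TRACE, TREE):
        print(*row)
```

A "missing-file" result means the tool analysed a file that is not in the tree being reported against, so the trace has to be re-mapped before the finding can be assessed.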
bugzilla-daemon at mindrot.org
2022-Mar-18 03:22 UTC
[Bug 3382] Software vulnerabilities detected using ESBMC-WR tool
https://bugzilla.mindrot.org/show_bug.cgi?id=3382
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Closing for lack of followup. Please reopen after addressing Darren's
concerns in comment #1.
bugzilla-daemon at mindrot.org
2022-Apr-08 02:12 UTC
[Bug 3382] Software vulnerabilities detected using ESBMC-WR tool
https://bugzilla.mindrot.org/show_bug.cgi?id=3382
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing bug resolved during openssh-9.0 release cycle