bugzilla-daemon at mindrot.org
2022-Mar-18 11:08 UTC
[Bug 3409] New: ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
https://bugzilla.mindrot.org/show_bug.cgi?id=3409

            Bug ID: 3409
           Summary: ssh-keygen -Y find-principals segfaults on malformed
                    allowed_signers_file
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mateusz at adamowski.pl

Steps to reproduce:

$ ssh-keygen -Y find-principals -s nauka1.txt.sig -f /dev/urandom
/dev/urandom:1: invalid key
/dev/urandom:2: invalid line
/dev/urandom:4: invalid key
/dev/urandom:5: invalid key
Segmentation fault (core dumped)

I don't have a patch yet.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-Mar-19 02:20 UTC
[Bug 3409] ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
https://bugzilla.mindrot.org/show_bug.cgi?id=3409

--- Comment #1 from Mateusz Adamowski <mateusz at adamowski.pl> ---
I managed to identify a minimal malformed input that crashes the program:

$ ssh-keygen -Y verify -n file -s ed25519.c.sig -f <( printf "?\x00\n" ) -I a < ed25519.c

The problem is probably with the strdelim_internal() function [misc.c:398].
When it cannot find an accepted separator (whitespace, quotes), it returns
the original pointer, but it also sets the value passed by pointer (char **s)
to NULL. This value is never checked in parse_principals_key_and_options()
[sshsig.c:718] and is ultimately passed to sshkey_read().

I added the following check right before the call to sshkey_read():

	if (cp == NULL) {
		/* strdelim found no separator: nothing left to parse as a key */
		error("%s:%lu: invalid line", path, linenum);
		r = SSH_ERR_INVALID_FORMAT;
		goto out;
	}

And it seems to solve this problem. However, I think that the
parse_principals_key_and_options() function should have some extra
pre-check that would immediately eliminate malformed lines, especially
those containing 0x00 and other non-printable characters.
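The two defences discussed in the comment above, the NULL check after a strdelim()-style tokenizer and a printable-character pre-check that catches embedded NUL bytes, as an added example that is not OpenSSH code and not the reporter's patch. The tokenizer reproduces the contract described for strdelim_internal() (the cursor is set to NULL when no separator follows the token); the line parser is a simplified reading of the allowed_signers format in which options are bare words containing '=' or "cert-authority", quoted option values are not handled, and the key blob is only checked for base64 characters. The function names, struct and error codes are this example's own.

```c
/* Added example for this thread, not OpenSSH code. Shows a strdelim()-style
 * tokenizer with the contract described above (cursor set to NULL when no
 * separator follows a token) and a caller that checks it, plus the printable
 * pre-check the reporter suggests. All names and error codes are this
 * example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WHITESPACE " \t\r\n"
enum { OK = 0, ERR_INVALID_LINE = -1, ERR_INVALID_KEY = -2 };

struct allowed_signer {
	char principals[256], keytype[64];
	int cert_authority;
};

/* Return the token at *s and advance *s past the separator. When no separator
 * follows the token, *s becomes NULL, so every caller must check it. */
static char *next_token(char **s)
{
	char *tok;
	size_t len;
	if (*s == NULL)
		return NULL;
	tok = *s + strspn(*s, WHITESPACE);      /* skip leading blanks */
	if (*tok == '\0') {
		*s = NULL;
		return NULL;
	}
	len = strcspn(tok, WHITESPACE);
	if (tok[len] == '\0') {
		*s = NULL;                      /* no separator found */
	} else {
		tok[len] = '\0';
		*s = tok + len + 1;
	}
	return tok;
}

/* Pre-check: only printable ASCII (plus tab/CR/LF). 'len' is the byte count
 * the reader saw, so an embedded NUL such as "?\0\n" makes strlen() != len. */
static int line_is_clean(const char *line, size_t len)
{
	size_t i;
	if (strlen(line) != len)
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)line[i];
		if (c != '\t' && c != '\r' && c != '\n' && (c < 0x20 || c > 0x7e))
			return 0;
	}
	return 1;
}

static int known_key_type(const char *t)
{
	return strncmp(t, "ssh-", 4) == 0 || strncmp(t, "ecdsa-", 6) == 0 ||
	    strncmp(t, "sk-", 3) == 0;
}

static int looks_like_base64(const char *s)
{
	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++)
		if (!isalnum((unsigned char)*s) && strchr("+/=", *s) == NULL)
			return 0;
	return 1;
}

/* Parse "principals [options] keytype base64-key [comment]". Options are
 * simplified to bare words containing '=' or "cert-authority"; quoted option
 * values are not handled. Never hands a NULL cursor to the key stage. */
static int parse_allowed_signer(const char *line, size_t len,
    struct allowed_signer *out)
{
	char buf[2048], *cp = buf, *tok;
	memset(out, 0, sizeof(*out));
	if (len >= sizeof(buf) || !line_is_clean(line, len))
		return ERR_INVALID_LINE;
	memcpy(buf, line, len + 1);             /* keeps the terminator */

	/* principals; the "cp == NULL" test is the check the report adds */
	if ((tok = next_token(&cp)) == NULL || cp == NULL)
		return ERR_INVALID_LINE;
	snprintf(out->principals, sizeof(out->principals), "%s", tok);

	/* optional options, then the key type */
	while ((tok = next_token(&cp)) != NULL &&
	    (strchr(tok, '=') != NULL || strcmp(tok, "cert-authority") == 0)) {
		if (strcmp(tok, "cert-authority") == 0)
			out->cert_authority = 1;
	}
	if (tok == NULL)
		return ERR_INVALID_LINE;        /* line ended before a key */
	if (!known_key_type(tok))
		return ERR_INVALID_KEY;
	snprintf(out->keytype, sizeof(out->keytype), "%s", tok);

	/* key blob; any trailing comment is ignored */
	if ((tok = next_token(&cp)) == NULL)
		return ERR_INVALID_LINE;
	return looks_like_base64(tok) ? OK : ERR_INVALID_KEY;
}
```

Passing the byte count from the reader (getline() or fread(), not a strlen() of the buffer) is what makes the "?\x00\n" case detectable: the C string stops at the NUL, so the only evidence of the extra bytes is the length mismatch.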
bugzilla-daemon at mindrot.org
2022-Mar-30 04:30 UTC
[Bug 3409] ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
https://bugzilla.mindrot.org/show_bug.cgi?id=3409

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3395
         Resolution|---                         |FIXED
                 CC|                            |djm at mindrot.org
             Status|NEW                         |RESOLVED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Thanks, I committed a similar fix. It will be in the OpenSSH 9.0 release,
due very soon.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3395
[Bug 3395] Tracking bug for openssh-9.0
bugzilla-daemon at mindrot.org
2022-Apr-08 02:12 UTC
[Bug 3409] ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
https://bugzilla.mindrot.org/show_bug.cgi?id=3409

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing bug resolved during openssh-9.0 release cycle