bugzilla-daemon at mindrot.org
2022-Jun-05 15:17 UTC
[Bug 3443] New: A NULL pointer problem occurs during the fuzzing test in the agent.
https://bugzilla.mindrot.org/show_bug.cgi?id=3443

Bug ID: 3443
Summary: A NULL pointer problem occurs during the fuzzing test in the agent.
Product: Portable OpenSSH
Version: v9.0p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: kircherlike at outlook.com

I had a null pointer reference issue on my system while running the fuzz use case for regress/misc/fuzz-harness/agent_fuzz.cc. It displays the following output.

================================================================
PROBLEM:

[root at localhost fuzz-harness]# ./agent_fuzz ./crash-5803aeaf222af886155db2caeac4589d790a7cc9
INFO: Seed: 1818191925
INFO: Loaded 1 modules (461 inline 8-bit counters): 461 [0x63d7f0, 0x63d9bd),
INFO: Loaded 1 PC tables (461 PCs): 461 [0x5fa9f0,0x5fc6c0),
./agent_fuzz: Running 1 inputs 1 time(s) each.
Running: ./crash-5803aeaf222af886155db2caeac4589d790a7cc9
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 0 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:eto3cpL3YD1cvjDiwR9JxKVInjd+f84quOOvVckxepw
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
internal security key support not enabled
AddressSanitizer:DEADLYSIGNAL
==44044==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000000000 bp 0x000000000001 sp 0x7ffead714ec8 T0)
==44044==Hint: pc points to the zero page.
==44044==The signal is caused by a READ memory access.
==44044==Hint: address points to the zero page.
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==44044==ABORTING
================================================================
DEBUGGING:

[root at localhost fuzz-harness]# gdb ./agent_fuzz
Reading symbols from ./agent_fuzz...
(gdb) start crash-5803aeaf222af886155db2caeac4589d790a7cc9
Temporary breakpoint 1, 0x0000000000427c34 in main ()
(gdb) n
Single stepping until exit from function main, which has no line number information.
INFO: Seed: 2126387299
INFO: Loaded 1 modules (461 inline 8-bit counters): 461 [0x63d7f0, 0x63d9bd),
INFO: Loaded 1 PC tables (461 PCs): 461 [0x5fa9f0,0x5fc6c0),
[New LWP 44389]
/root/rpmbuild/BUILD/openssh-8.8p1/regress/misc/fuzz-harness/agent_fuzz: Running 1 inputs 1 time(s) each.
Running: crash-5803aeaf222af886155db2caeac4589d790a7cc9
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 0 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:eto3cpL3YD1cvjDiwR9JxKVInjd+f84quOOvVckxepw
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
internal security key support not enabled

Thread 1 "agent_fuzz" received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000000000581cb2 in sshsk_sign (provider_path=provider_path@entry=0x6020000057f0 "internal", key=key@entry=0x60f000003880, sigp=sigp@entry=0x7fffffffcf20, lenp=lenp@entry=0x7fffffffcf40, data=data@entry=0x619000006980 "s\223\067\331?\243\n\260\024h\254\322\027\066\344kKi$(\342\034\060\235\300\365\271\302w\325`ID\331\335Jm\255[*\337*\265\071Y\377\327m\244Y'\005\257\360`\031\067\"\247k\f\372\037<\277;\021U\341\272BU?\220}\354I\365\275\220\366\064&\234\002\201<A\372\347\023\364\244@\243\270\237\362d|\001\320\032\300?\343\352\070\266K\027}\221\366\252D\315(S\220\304\001", datalen=datalen@entry=1024, compat=0, pin=0x0) at ssh-sk.c:671
#2  0x000000000058d487 in sshkey_sign (key=0x60f000003880, sigp=<optimized out>, lenp=<optimized out>, data=<optimized out>, datalen=<optimized out>, alg=0x0, sk_provider=0x6020000057f0 "internal", sk_pin=0x0, compat=0) at sshkey.c:2924
#3  0x000000000057b949 in process_sign_request2 (e=<optimized out>) at ./../../../ssh-agent.c:474
#4  process_message (socknum=29264) at ./../../../ssh-agent.c:1087
#5  0x00000000005775cc in test_one (s=<optimized out>, slen=<optimized out>) at agent_fuzz_helper.c:170
#6  0x0000000000573b31 in LLVMFuzzerTestOneInput (s=0x1 <error: Cannot access memory at address 0x1>, slen=107271103211904) at agent_fuzz.cc:11
#7  0x000000000043e2ce in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) ()
#8  0x0000000000429b2b in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) ()
#9  0x00000000004344e6 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) ()
#10 0x0000000000427c53 in main ()
(gdb) q
A debugging session is active.
================================================================
ANALYSIS:

In the sshsk_open function of ssh-sk.c, if ENABLE_SK_INTERNAL is not defined at build time, this function prints "internal security key support not enabled" and returns a calloc request 'ret'.
The 'ret' is non-empty and therefore will not be caught by the '(skp = sshsk_open(provider_path)) == NULL' check. Next, the 'if ((r = skp->sk_sign(alg, data, datalen, key->sk_application' statement accesses 'skp->sk_sign', resulting in a null pointer reference.
=================================================================
PATCH:

diff --git a/ssh-sk.c b/ssh-sk.c index d254e77..79bc682 100644 --- a/ssh-sk.c +++ b/ssh-sk.c @@ -118,10 +118,11 @@ sshsk_open(const char *path) ret->sk_enroll = ssh_sk_enroll; ret->sk_sign = ssh_sk_sign; ret->sk_load_resident_keys = ssh_sk_load_resident_keys; + return ret; #else error("internal security key support not enabled"); + goto fail; #endif - return ret; } if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) { error("Provider \"%s\" dlopen failed: %s", path, dlerror()); -- 2.23.0

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
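Review bot: the added "goto fail;" in the #else branch of the sshsk_open hunk jumps to a "fail:" label that is outside the hunk's context, so the fix is only correct if that label frees the calloc'd "ret" (including "ret->path") and returns NULL; please confirm that in the full function, because the whole point of the change is that the caller's "(skp = sshsk_open(provider_path)) == NULL" test must now fire instead of the zeroed "sk_sign" pointer being called. Moving "return ret;" inside the #ifdef ENABLE_SK_INTERNAL arm is the right shape, since the "internal" path must never fall through to the dlopen() call that follows the closing "}"; a one-line comment on the #else arm saying the provider is deliberately rejected when built without internal SK support would make that intent clear to the next reader. The patch is also posted without a commit message describing the crash (calloc'd provider returned with NULL function pointers when ENABLE_SK_INTERNAL is unset), which the log should carry.

The failure pattern the analysis describes, a constructor that returns a zero-filled table on its error path so that the caller's NULL check passes and the first indirect call jumps to address 0, is easy to reproduce outside OpenSSH. The following is an added C example, not OpenSSH code: "sk_open_buggy" mirrors the shape of sshsk_open before the patch, "sk_open_fixed" the shape after it, and "sign_with_provider" adds a caller-side check that refuses to call through a NULL table entry whichever open() produced the provider. All names, the "internal_enabled" flag standing in for ENABLE_SK_INTERNAL, and the dummy signer are assumptions for the illustration.

```c
/* Added example (not OpenSSH code): model of the sshsk_open()/sk_sign()
 * pattern from bug 3443. Names mirror ssh-sk.c but are stand-ins; the
 * "internal_enabled" argument stands in for the ENABLE_SK_INTERNAL
 * build-time define, and fake_internal_sign() does no cryptography. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Provider table: function pointers are filled in at open time. */
struct sk_provider {
	char *path;
	int (*sk_sign)(const unsigned char *data, size_t datalen,
	    unsigned char **sigp, size_t *lenp);
};

/* Dummy signer standing in for ssh_sk_sign(): returns 64 zero bytes. */
static int
fake_internal_sign(const unsigned char *data, size_t datalen,
    unsigned char **sigp, size_t *lenp)
{
	(void)data; (void)datalen;
	*lenp = 64;
	return (*sigp = calloc(1, *lenp)) == NULL ? -1 : 0;
}

static void
sk_provider_free(struct sk_provider *p)
{
	if (p == NULL)
		return;
	free(p->path);
	free(p);
}

/* Pre-patch shape: when internal support is compiled out the zero-filled
 * struct is still returned, so sk_sign == NULL survives the NULL check. */
struct sk_provider *
sk_open_buggy(const char *path, int internal_enabled)
{
	struct sk_provider *ret;

	if (path == NULL || (ret = calloc(1, sizeof(*ret))) == NULL)
		return NULL;
	if ((ret->path = strdup(path)) == NULL) {
		free(ret);
		return NULL;
	}
	if (strcasecmp(path, "internal") == 0) {
		if (internal_enabled)
			ret->sk_sign = fake_internal_sign;
		else
			fprintf(stderr, "internal security key support not enabled\n");
		return ret;	/* non-NULL even on the error path: the bug */
	}
	sk_provider_free(ret);	/* (external provider dlopen would go here) */
	return NULL;
}

/* Post-patch shape: the error path frees the struct and returns NULL. */
struct sk_provider *
sk_open_fixed(const char *path, int internal_enabled)
{
	struct sk_provider *ret;

	if (path == NULL || (ret = calloc(1, sizeof(*ret))) == NULL)
		return NULL;
	if ((ret->path = strdup(path)) == NULL)
		goto fail;
	if (strcasecmp(path, "internal") == 0) {
		if (!internal_enabled) {
			fprintf(stderr, "internal security key support not enabled\n");
			goto fail;
		}
		ret->sk_sign = fake_internal_sign;
		return ret;
	}
 fail:
	sk_provider_free(ret);
	return NULL;
}

/* Caller side, belt and braces: never call through a NULL table entry.
 * Returns -1 if open() failed, -2 if the table is incomplete (this would
 * have been the jump to address 0), -3 on signer error, else the
 * signature length. */
int
sign_with_provider(struct sk_provider *(*open_fn)(const char *, int),
    const char *path, int internal_enabled,
    const unsigned char *data, size_t datalen)
{
	struct sk_provider *skp;
	unsigned char *sig = NULL;
	size_t siglen = 0;
	int r;

	if ((skp = open_fn(path, internal_enabled)) == NULL)
		return -1;
	if (skp->sk_sign == NULL) {
		sk_provider_free(skp);
		return -2;
	}
	r = skp->sk_sign(data, datalen, &sig, &siglen);
	free(sig);
	sk_provider_free(skp);
	return r == 0 ? (int)siglen : -3;
}

/* Constructed 16-byte sample message; returns sign_with_provider()'s code. */
int
run_case(struct sk_provider *(*open_fn)(const char *, int), int internal_enabled)
{
	static const unsigned char msg[16] = "fuzz-sample-data";
	return sign_with_provider(open_fn, "internal", internal_enabled, msg, sizeof(msg));
}

int
main(void)
{
	printf("buggy open, internal disabled: %d\n", run_case(sk_open_buggy, 0));
	printf("fixed open, internal disabled: %d\n", run_case(sk_open_fixed, 0));
	printf("fixed open, internal enabled:  %d\n", run_case(sk_open_fixed, 1));
	return 0;
}
```

With the buggy open() the only thing standing between the agent and a call to address 0 is the call-site check for a NULL sk_sign; with the fixed open() the ordinary "== NULL" test is enough. Both belong in real code: the constructor should never hand out a half-initialised table, and a caller that indirects through a table it did not build should verify the entries it needs before the first call.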
bugzilla-daemon at mindrot.org
2022-Jun-24 04:18 UTC
[Bug 3443] A NULL pointer problem occurs during the fuzzing test in the agent.
https://bugzilla.mindrot.org/show_bug.cgi?id=3443

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Blocks|                            |3418
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Fixed in 7d25b37fb2a5ff4da - thanks

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3418
[Bug 3418] tracking bug for openssh-9.1
bugzilla-daemon at mindrot.org
2022-Oct-04 10:58 UTC
[Bug 3443] A NULL pointer problem occurs during the fuzzing test in the agent.
https://bugzilla.mindrot.org/show_bug.cgi?id=3443

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Closing bugs from OpenSSH 9.1 release cycle