Damien Miller
2015-Mar-29 23:43 UTC
Invalid memory access / read stack overflow when reading config with zero bytes
On Mon, 30 Mar 2015, Damien Miller wrote:> On Mon, 30 Mar 2015, Hanno B?ck wrote: > > > On Mon, 30 Mar 2015 09:19:02 +1100 (AEDT) > > Damien Miller <djm at mindrot.org> wrote: > > > > > What version of OpenSSH is this? > > > > 6.8 portable on Linux. > > That's strange - the line numbers in the valgrind stack trace don't > match. E.g. > > ==5578== at 0x4C2CFCA: __GI_strchr (in > /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) > ==5578== by 0x117B6B: process_config_line (readconf.c:785) > ==5578== by 0x119DED: read_config_file (readconf.c:1633)reproduced; the line numbers were wrong. diff --git a/readconf.c b/readconf.c index 42a2961..5130407 100644 --- a/readconf.c +++ b/readconf.c @@ -763,7 +763,9 @@ process_config_line(Options *options, struct passwd *pw, const char *host, } /* Strip trailing whitespace */ - for (len = strlen(line) - 1; len > 0; len--) { + if ((len = strlen(line)) == 0) + return 0; + for (len--; len > 0; len--) { if (strchr(WHITESPACE, line[len]) == NULL) break; line[len] = '\0';
Hanno Böck
2015-Mar-30 00:17 UTC
Invalid memory access / read stack overflow when reading config with zero bytes
On Mon, 30 Mar 2015 10:43:18 +1100 (AEDT) Damien Miller <djm at mindrot.org> wrote:> reproduced; the line numbers were wrong.Sorry for the line numbers, should've thought of that. I used the standard Gentoo package and it seems it does patching on that file. I can confirm your patch fixes the issue, thanks. Will now run another fuzzing job with the patch applied, will inform you if it finds anything. -- Hanno B?ck http://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150330/b5429a57/attachment-0001.bin>
Damien Miller
2015-Mar-30 00:30 UTC
Invalid memory access / read stack overflow when reading config with zero bytes
On Mon, 30 Mar 2015, Hanno B?ck wrote:> On Mon, 30 Mar 2015 10:43:18 +1100 (AEDT) > Damien Miller <djm at mindrot.org> wrote: > > > reproduced; the line numbers were wrong. > > Sorry for the line numbers, should've thought of that. I used the > standard Gentoo package and it seems it does patching on that file. > > I can confirm your patch fixes the issue, thanks. Will now run another > fuzzing job with the patch applied, will inform you if it finds > anything.Thanks - we'll certainly fix bugs in config parsing, but they aren't that interesting from a security perspective. Someone who can write to ~/.ssh/config already has arbitrary code execution via ProxyCommand, etc. authorized_keys is a good thing to fuzz if you can set up a good test enviornment. I've spent about a CPU-month fuzzing key parsing and KRLs, so I have some confidence that they are clean. cf. https://anongit.mindrot.org/openssh-fuzz-cases.git/ -d