[Bug 2777] New: sshd crashes when getpwnam result is returned by libnss_systemd
bugzilla-daemon at bugzilla.mindrot.org
Thu Sep 14 02:19:40 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2777
Bug ID: 2777
Summary: sshd crashes when getpwnam result is returned by
libnss_systemd
Product: Portable OpenSSH
Version: 7.5p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: trivial
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: mindrot_bugzilla at entropy-collector.net
Downstream bug report https://bugs.archlinux.org/task/55570?project=1
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1643
If the result of this getpwnam call is supplied by libnss_systemd
then the structure and all strings pointed to within the structure will
be in a read-only memory section.
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1648
explicit_bzero will then segfault attempting to write to that read-only
section.
POSIX.1-2008 http://pubs.opengroup.org/onlinepubs/9699919799/ forbids
modifying the structure returned by getpwnam or the strings it points
to.
Perhaps switch the call to getpwnam_r?
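One way to respect the POSIX constraint cited in the report is to copy the entry into memory the caller owns and wipe only the copy. This is an added example, not code from the report or from OpenSSH; `pw_private_copy`, `pw_private_free`, `scrub` and the `sample_ro` entry are hypothetical, and `scrub` is a stand-in for `explicit_bzero`.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample entry: its strings are literals and must not be written. */
static const struct passwd sample_ro = {
    .pw_name = "sshd", .pw_passwd = "x", .pw_uid = 74, .pw_gid = 74,
    .pw_dir = "/var/empty", .pw_shell = "/bin/false",
};

/* Stand-in for explicit_bzero(): zeroes n bytes through a volatile pointer. */
static void scrub(char *s, size_t n) {
    for (volatile char *p = s; n--; p++) *p = '\0';
}

/* Hypothetical helper: release a copy made by pw_private_copy(). */
void pw_private_free(struct passwd *pw) {
    if (pw == NULL) return;
    free(pw->pw_name); free(pw->pw_passwd);
    free(pw->pw_dir); free(pw->pw_shell);
    free(pw);
}

/* Hypothetical helper: deep-copy the fields used later into heap memory the
 * caller owns, then wipe the password field of the copy only.
 * The source entry is read, never written. Returns NULL on failure. */
struct passwd *pw_private_copy(const struct passwd *src) {
    struct passwd *pw = calloc(1, sizeof(*pw));
    if (pw == NULL) return NULL;
    pw->pw_uid = src->pw_uid;
    pw->pw_gid = src->pw_gid;
    pw->pw_name = strdup(src->pw_name);
    pw->pw_passwd = strdup(src->pw_passwd);
    pw->pw_dir = strdup(src->pw_dir);
    pw->pw_shell = strdup(src->pw_shell);
    if (!pw->pw_name || !pw->pw_passwd || !pw->pw_dir || !pw->pw_shell) {
        pw_private_free(pw);
        return NULL;
    }
    scrub(pw->pw_passwd, strlen(pw->pw_passwd));
    return pw;
}

int main(void) {
    struct passwd *pw = pw_private_copy(&sample_ro);
    if (pw == NULL) return 1;
    printf("%s uid=%u passwd_len=%zu\n", pw->pw_name, (unsigned)pw->pw_uid, strlen(pw->pw_passwd));
    pw_private_free(pw);
    return 0;
}
```

The copy works the same whichever lookup call produced the source entry, because nothing is written through the pointers the library returned.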