[Bug 3256] New: Illegal Instruction

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Jan 25 05:34:42 AEDT 2021


https://bugzilla.mindrot.org/show_bug.cgi?id=3256

            Bug ID: 3256
           Summary: Illegal Instruction
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: andres at antai-group.com

Specially crafted input in configuration files triggers an "Illegal
Instruction" from both the server and the client application when supplied
particular values for the RekeyLimit parameter. The issue usually
impacts scan_scaled() in fmt_scaled.c; the size of the supplied buffer
seems to influence how the problem triggers.

scan_scaled()
// Line 198:
// scale_fact is zero, scale_fact largely varies depending on input
fpart *= scale_fact; // Illegal instruction

As RekeyLimit limits the amount of data transmitted with a single
session key, there could be some security impact if the bug is
triggered intentionally or unintentionally in the configuration file.
Further investigation is required. Keeping this ticket as private for
now.

Impact
- Availability of application
- Further impact needs to be investigated

Attached is PoC that triggers the issue.

PoC command:
/usr/sbin/sshd -f illegal-instruction.txt

NOTE: Graceful error handling should emit an error such as:
"Bad number '-4.4P1111111111111P': Invalid argument"

When the actual illegal instruction is triggered, two messages have
been seen:
"Illegal instruction" or simply "Aborted"

See attached file "illegal-instruction.txt"
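The graceful error handling described in the NOTE above, as an added example that is not part of the original report and not OpenSSH's scan_scaled()/fmt_scaled.c: a small stand-alone C parser for the same "number plus unit" notation that RekeyLimit takes, written so that malformed input such as the quoted PoC string is rejected with EINVAL (so a caller can print "Bad number '...': Invalid argument" via strerror) and so that the double-to-integer conversion is only ever applied to a value already proven to be in range, since converting an out-of-range double to an integer type is undefined behaviour in C. The function names parse_scaled(), unit_factor(), scaled_equals() and scaled_rejected() are hypothetical, and the inputs in main() are constructed for the demonstration.

```c
/*
 * Hypothetical example parser for scaled byte counts ("512", "1K", "4.5M").
 * Not OpenSSH's scan_scaled(); written independently for this note.
 * Rule demonstrated: range-check every step, and never cast an unchecked
 * double to long long (out-of-range conversion is undefined behaviour).
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Binary unit suffixes B, K, M, G, T, P, E (case-insensitive). */
static int unit_factor(char c, long long *fact)
{
    switch (toupper((unsigned char)c)) {
    case 'B': *fact = 1LL;       return 0;
    case 'K': *fact = 1LL << 10; return 0;
    case 'M': *fact = 1LL << 20; return 0;
    case 'G': *fact = 1LL << 30; return 0;
    case 'T': *fact = 1LL << 40; return 0;
    case 'P': *fact = 1LL << 50; return 0;
    case 'E': *fact = 1LL << 60; return 0;
    default:  return -1;
    }
}

/* 0 and *result set on success; -1 with errno = EINVAL on bad input.
 * No whitespace skipping: the string must be exactly [+-]digits[.digits][unit]. */
int parse_scaled(const char *s, long long *result)
{
    const char *p = s;
    int neg = 0, ndig = 0, nfrac = 0;
    long long whole = 0, fact = 1, base, frac_ll;
    double frac_num = 0.0, frac_div = 1.0, frac;

    if (*p == '-') { neg = 1; p++; }
    else if (*p == '+') { p++; }

    /* Integer part, overflow-checked on every digit. */
    while (isdigit((unsigned char)*p)) {
        int d = *p - '0';
        if (whole > (LLONG_MAX - d) / 10) goto bad;
        whole = whole * 10 + d;
        ndig++; p++;
    }

    /* Fractional part. Only the first 15 digits are used (10^15 < 2^53, so
     * frac_num and frac_div stay exact and frac_num/frac_div < 1); further
     * digits cannot change the truncated result and are consumed but ignored. */
    if (*p == '.') {
        p++;
        while (isdigit((unsigned char)*p)) {
            if (nfrac < 15) {
                frac_num = frac_num * 10.0 + (*p - '0');
                frac_div *= 10.0;
            }
            nfrac++; p++;
        }
    }
    if (ndig == 0 && nfrac == 0) goto bad;   /* no digits at all */

    /* At most one unit suffix, and nothing after it: "4.4P1111111111111P"
     * fails here instead of reaching the arithmetic below. */
    if (*p != '\0') {
        if (unit_factor(*p, &fact) != 0) goto bad;
        p++;
        if (*p != '\0') goto bad;
    }

    /* Scale the integer part in integer arithmetic with an overflow check. */
    if (whole > LLONG_MAX / fact) goto bad;
    base = whole * fact;

    /* frac_num/frac_div < 1 and fact is an exact power of two <= 2^60, so
     * frac < 2^60: the cast is guaranteed to be in range. */
    frac = (frac_num / frac_div) * (double)fact;
    frac_ll = (long long)frac;

    if (base > LLONG_MAX - frac_ll) goto bad;
    *result = neg ? -(base + frac_ll) : base + frac_ll;
    return 0;

bad:
    errno = EINVAL;
    return -1;
}

/* Helpers for checking results. */
int scaled_equals(const char *s, long long expect)
{
    long long v = 0;
    return parse_scaled(s, &v) == 0 && v == expect;
}

int scaled_rejected(const char *s)
{
    long long v = 0;
    errno = 0;
    return parse_scaled(s, &v) == -1 && errno == EINVAL;
}

int main(void)
{
    /* Constructed inputs: two ordinary values, the PoC string from the report,
     * and a value whose integer part alone overflows long long. */
    const char *inputs[] = { "1K", "4.5M", "-4.4P1111111111111P", "8E" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        long long v;
        if (parse_scaled(inputs[i], &v) == 0)
            printf("%s -> %lld\n", inputs[i], v);
        else
            printf("Bad number '%s': %s\n", inputs[i], strerror(errno));
    }
    return 0;
}
```

The checks are ordered so that a malformed string is rejected before any arithmetic runs, and the only floating-point value that is ever converted to an integer is the scaled fraction, which is bounded by construction; every other overflow is caught in integer arithmetic against LLONG_MAX.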
