[Bug 3256] New: Illegal Instruction
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Mon Jan 25 05:34:42 AEDT 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3256
Bug ID: 3256
Summary: Illegal Instruction
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: security
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: andres at antai-group.com
Specially crafted input in configuration files triggers an "Illegal
Instruction" from both, server and client application when supplied
particular values for the RekeyLimit parameter. The issue usually
impacts
scan_scaled() in fmt_scaled.c - Size of the supplied buffer seems to
influence how the problem triggers.
scan_scaled()
// Line 198:
// scale_fact is zero, scale_fact largely varies depending on input
fpart *= scale_fact; // Illegal instruction
As RekeyLimit limits the amount of data transmitted with a single
session key, there could be some security impact if the bug is
triggered intentionally or unintentionally in the configuration file.
Further investigation is required. Keeping this ticket as private for
now.
Impact
- Availability of application
- Further impact needs to be investigated
Attached is PoC that triggers the issue.
PoC command:
/usr/sbin/sshd -f illegal-instruction.txt
NOTE: Graceful error handling should emit an error such as:
"Bad number '-4.4P1111111111111P': Invalid argument"
When the actual illegal instruction is triggered, two messages have
been seen:
"Illegal instruction" or simply "Aborted"
See attached file "illegal-instruction.txt"
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list