[Bug 3443] New: A NULL pointer problem occurs during the fuzzing test in the agent.
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Mon Jun 6 01:17:23 AEST 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3443
Bug ID: 3443
Summary: A NULL pointer problem occurs during the fuzzing test
in the agent.
Product: Portable OpenSSH
Version: v9.0p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: critical
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: kircherlike at outlook.com
I had a null pointer reference issue on my system while running the
fuzz use case for regress/misc/fuzz-harness/agent_fuzz.cc.
It displays the following output.
=================================================================
PROBLEM:
[root at localhost fuzz-harness]# ./agent_fuzz
./crash-5803aeaf222af886155db2caeac4589d790a7cc9
INFO: Seed: 1818191925
INFO: Loaded 1 modules (461 inline 8-bit counters): 461 [0x63d7f0,
0x63d9bd),
INFO: Loaded 1 PC tables (461 PCs): 461 [0x5fa9f0,0x5fc6c0),
./agent_fuzz: Running 1 inputs 1 time(s) each.
Running: ./crash-5803aeaf222af886155db2caeac4589d790a7cc9
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 0 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK
SHA256:eto3cpL3YD1cvjDiwR9JxKVInjd+f84quOOvVckxepw
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
internal security key support not enabled
AddressSanitizer:DEADLYSIGNAL
==44044==ERROR: AddressSanitizer: SEGV on unknown address
0x000000000000 (pc 0x000000000000 bp 0x000000000001 sp 0x7ffead714ec8
T0)
==44044==Hint: pc points to the zero page.
==44044==The signal is caused by a READ memory access.
==44044==Hint: address points to the zero page.
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (<unknown module>)
==44044==ABORTING
=================================================================
DEBUGGING:
[root at localhost fuzz-harness]# gdb ./agent_fuzz
Reading symbols from ./agent_fuzz...
(gdb) start crash-5803aeaf222af886155db2caeac4589d790a7cc9
Temporary breakpoint 1, 0x0000000000427c34 in main ()
(gdb) n
Single stepping until exit from function main,
which has no line number information.
INFO: Seed: 2126387299
INFO: Loaded 1 modules (461 inline 8-bit counters): 461 [0x63d7f0,
0x63d9bd),
INFO: Loaded 1 PC tables (461 PCs): 461 [0x5fa9f0,0x5fc6c0),
[New LWP 44389]
/root/rpmbuild/BUILD/openssh-8.8p1/regress/misc/fuzz-harness/agent_fuzz:
Running 1 inputs 1 time(s) each.
Running: crash-5803aeaf222af886155db2caeac4589d790a7cc9
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 0 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK
SHA256:eto3cpL3YD1cvjDiwR9JxKVInjd+f84quOOvVckxepw
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x01
internal security key support not enabled
Thread 1 "agent_fuzz" received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x0000000000581cb2 in sshsk_sign (
provider_path=provider_path at entry=0x6020000057f0 "internal",
key=key at entry=0x60f000003880, sigp=sigp at entry=0x7fffffffcf20,
lenp=lenp at entry=0x7fffffffcf40,
data=data at entry=0x619000006980
"s\223\067\331ũ\243\n\260\024h\254\322\027\066\344kKi$(\34
2\034\060\235\300\365\271\302w\325`ID\331\335Jm\255[*\337*\265\071Y\377\327m\244Y'\005\257\36
0`\031\067\"\247k\f\372\037<\277;\021U\341\272BUȟ\220}\354I\365\275\220\366\064&\234\002\201<
A\372\347\023\364\244@\243\270\237\362d|\001\320\032\300ܓ\343\352\070\266K\027}\221\366\252D\315(S\220\304\001",
datalen=datalen at entry=1024, compat=0, pin=0x0) at ssh-sk.c:671
#2 0x000000000058d487 in sshkey_sign (key=0x60f000003880,
sigp=<optimized out>,
lenp=<optimized out>, data=<optimized out>, datalen=<optimized
out>, alg=0x0,
sk_provider=0x6020000057f0 "internal", sk_pin=0x0, compat=0) at
sshkey.c:2924
#3 0x000000000057b949 in process_sign_request2 (e=<optimized out>)
at ./../../../ssh-agent.c:474
#4 process_message (socknum=29264) at ./../../../ssh-agent.c:1087
#5 0x00000000005775cc in test_one (s=<optimized out>, slen=<optimized
out>)
at agent_fuzz_helper.c:170
#6 0x0000000000573b31 in LLVMFuzzerTestOneInput (
s=0x1 <error: Cannot access memory at address 0x1>,
slen=107271103211904)
at agent_fuzz.cc:11
#7 0x000000000043e2ce in fuzzer::Fuzzer::ExecuteCallback(unsigned char
const*, unsigned long) ()
#8 0x0000000000429b2b in fuzzer::RunOneTest(fuzzer::Fuzzer*, char
const*, unsigned long) ()
#9 0x00000000004344e6 in fuzzer::FuzzerDriver(int*, char***, int
(*)(unsigned char const*, unsigned long)) ()
#10 0x0000000000427c53 in main ()
(gdb) q
A debugging session is active.
=================================================================
ANALYSIS:
In the sshsk_open function of ssh-sk.c, if ENABLE_SK_INTERNAL is not
defined at build time, this function prints "internal security key
support not enabled" and returns a calloc request 'ret'.
The 'ret' is non-empty and therefore will not be included in the 'skp =
sshsk_open(provider_path)) == NULL' verification. Next, the 'if ((r =
skp->sk_sign(alg, data, datalen, key->sk_application statement'
accesses 'skp->sk_sign' resulting in a null pointer reference.
==================================================================
PATCH:
diff --git a/ssh-sk.c b/ssh-sk.c
index d254e77..79bc682 100644
--- a/ssh-sk.c
+++ b/ssh-sk.c
@@ -118,10 +118,11 @@ sshsk_open(const char *path)
ret->sk_enroll = ssh_sk_enroll;
ret->sk_sign = ssh_sk_sign;
ret->sk_load_resident_keys = ssh_sk_load_resident_keys;
+ return ret;
#else
error("internal security key support not enabled");
+ goto fail;
#endif
- return ret;
}
if ((ret->dlhandle = dlopen(path, RTLD_NOW)) == NULL) {
error("Provider \"%s\" dlopen failed: %s", path,
dlerror());
--
2.23.0
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list