[Bug 3401] New: Illegal hardware instruction

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Mar 10 15:54:47 AEDT 2022


            Bug ID: 3401
           Summary: Illegal hardware instruction
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: andres at antai-group.com

Created attachment 3578
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3578&action=edit
PoC configuration file for ssh. Usage: "sshd -t -f poc.conf"

* LOW RISK/Further testing is required to understand the issue.

An illegal hardware instruction that crashes sshd occurs under some
circumstances when input is provided through its configuration file.
The problem resides in the "RekeyLimit" configuration option, when
maximum amount of time that may pass before the session key is
renegotiated is provided.

The biggest risk is Availability of sshd, particularly for cases where
mass configuration of servers is done through automated pipelines that
dynamically generate the configuration files and might generate a input
value that that triggers the issue.

PoC Command output:

valgrind sshd -t -f poc.conf

Valgrind output: 
==3348611== Process terminating with default action of signal 4
==3348611==  Illegal opcode at address 0x1857A5
==3348611==    at 0x1857A5: UnknownInlinedFun (fmt_scaled.c:122)
==3348611==    by 0x1857A5: process_server_config_line_depth
==3348611==    by 0x185EA6: parse_server_config_depth (servconf.c:2687)
==3348611==    by 0x186F39: parse_server_config (servconf.c:2704)
==3348611==    by 0x1576CC: main (sshd.c:1742)
zsh: illegal hardware instruction


See attached file poc.conf

Carlos Andres Ramirez

You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list