[Bug 3401] Illegal hardware instruction

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Mar 10 16:45:35 AEDT 2022


https://bugzilla.mindrot.org/show_bug.cgi?id=3401

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The problematic line is:

RekeyLimit -.060000000000000000E.0

Smells like either integer overflow trapped by -ftrapv or
divide-by-zero somewhere.

It's more easily reproduced with ssh, which takes the same keyword:

$ cat poc.conf 
RekeyLimit -.060000000000000000E.0

$ gdb --args ./ssh -F poc.conf localhost
Reading symbols from ./ssh...
(gdb) run
[...]
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
49        return ret;
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007ffff7a9c8a4 in __GI_abort () at abort.c:79
#2  0x0000555555602fc4 in __mulvdi3 ()
#3  0x00005555555fc5ea in scan_scaled (
    scaled=scaled@entry=0x555555662ba0 "-.06", '0' <repeats 16 times>, "E.0", 
    result=result@entry=0x7fffffffa930)
    at ../../../openbsd-compat/fmt_scaled.c:198
#4  0x000055555556de97 in process_config_line_depth (
    options=options@entry=0x555555652360 <options>, 
    pw=pw@entry=0x55555565d550, host=host@entry=0x55555565de10 "localhost", 
    original_host=original_host@entry=0x555555661970 "localhost", 
    line=<optimized out>, filename=filename@entry=0x555555656350 "poc.conf", 
    linenum=1, activep=0x7fffffffb424, flags=2, 
    want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:1175
#5  0x000055555556e570 in read_config_file_depth (
    filename=0x555555656350 "poc.conf", pw=0x55555565d550, 
    host=0x55555565de10 "localhost", original_host=0x555555661970 "localhost", 
    options=0x555555652360 <options>, flags=2, activep=0x7fffffffb424, 
    want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:2285
#6  0x000055555556e79d in read_config_file (filename=<optimized out>, 
    pw=<optimized out>, host=<optimized out>, original_host=<optimized out>, 
    options=<optimized out>, flags=<optimized out>, 
    want_final_pass=0x7fffffffc504) at ../../readconf.c:2238
#7  0x0000555555564eb7 in process_config_files (
    host_name=0x555555661970 "localhost", pw=0x55555565d550, final_pass=0, 
    want_final_pass=0x7fffffffc504) at ../../ssh.c:555
#8  0x00005555555603cc in main (ac=<optimized out>, av=<optimized out>)
    at ../../ssh.c:1146
(gdb) frame 3
#3  0x00005555555fc5ea in scan_scaled (
    scaled=scaled@entry=0x555555662ba0 "-.06", '0' <repeats 16 times>, "E.0", 
    result=result@entry=0x7fffffffa930)
    at ../../../openbsd-compat/fmt_scaled.c:198
198                             fpart *= scale_fact;
(gdb) print fpart
$1 = -60000000000000000
(gdb) print scale_fact
$2 = 1152921504606846976
(gdb)

Yep, a trapped integer overflow.  In the case where it's built w/out
-ftrapv you'll get an unexpected and possibly useless value for
RekeyLimit, but otherwise I don't think it'll have any effect.

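The arithmetic behind the trap above, as an added example that is not OpenSSH's fmt_scaled.c and not part of the bug report: a simplified stand-in for the "fpart *= scale_fact" step in scan_scaled, written for this page, with every multiplication and addition checked through the GCC/Clang __builtin_*_overflow intrinsics so the bug's input is rejected with ERANGE instead of aborting. A second helper shows the value the unchecked multiply wraps to when the binary is built without -ftrapv. The suffix table (B/K/M/G/T/P/E as powers of 2^10) and the accepted grammar "[-]digits[.digits][suffix]" are assumptions of this example, not taken from the real parser.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenSSH's fmt_scaled.c: a simplified stand-in for
 * scan_scaled()'s "fpart *= scale_fact" step with every multiplication
 * checked via the GCC/Clang __builtin_*_overflow intrinsics.  The suffix
 * table and the accepted grammar are assumptions made for this example.
 */

/* Binary scale factor per suffix; 'E' is 2^60, the scale_fact gdb printed. */
static int scale_for(char c, int64_t *factor)
{
    switch (c) {
    case 'B': *factor = INT64_C(1);       return 0;
    case 'K': *factor = INT64_C(1) << 10; return 0;
    case 'M': *factor = INT64_C(1) << 20; return 0;
    case 'G': *factor = INT64_C(1) << 30; return 0;
    case 'T': *factor = INT64_C(1) << 40; return 0;
    case 'P': *factor = INT64_C(1) << 50; return 0;
    case 'E': *factor = INT64_C(1) << 60; return 0;
    default:  return -1;
    }
}

/*
 * Parse "[-]digits[.digits][suffix]" into *result as a byte count.
 * Returns 0 on success; -1 with errno = EINVAL (malformed) or
 * errno = ERANGE (an intermediate would not fit in int64_t).
 */
int parse_scaled_checked(const char *s, int64_t *result)
{
    int64_t ipart = 0, fpart = 0, fdiv = 1, scale = 1, tmp;
    int neg = 0, ndigits = 0;

    if (*s == '-') { neg = 1; s++; }

    /* Integer part: ipart = ipart * 10 + digit, both steps checked. */
    for (; *s >= '0' && *s <= '9'; s++, ndigits++) {
        if (__builtin_mul_overflow(ipart, 10, &tmp) ||
            __builtin_add_overflow(tmp, *s - '0', &ipart)) {
            errno = ERANGE; return -1;
        }
    }
    /* Fractional part kept as an integer plus a power-of-ten divisor,
     * the same idea the backtrace shows (fpart = -60000000000000000). */
    if (*s == '.') {
        for (s++; *s >= '0' && *s <= '9'; s++, ndigits++) {
            if (__builtin_mul_overflow(fpart, 10, &tmp) ||
                __builtin_add_overflow(tmp, *s - '0', &fpart) ||
                __builtin_mul_overflow(fdiv, 10, &fdiv)) {
                errno = ERANGE; return -1;
            }
        }
    }
    if (ndigits == 0) { errno = EINVAL; return -1; }

    /* At most one suffix letter, and nothing after it. */
    if (*s != '\0' && (scale_for(*s, &scale) != 0 || s[1] != '\0')) {
        errno = EINVAL; return -1;
    }

    /* The step that aborted under -ftrapv: fpart * scale_fact.  For the
     * bug's input that is 6e16 * 2^60, far outside int64_t. */
    if (__builtin_mul_overflow(ipart, scale, &ipart) ||
        __builtin_mul_overflow(fpart, scale, &fpart)) {
        errno = ERANGE; return -1;
    }
    fpart /= fdiv;                       /* truncate to whole bytes */
    if (__builtin_add_overflow(ipart, fpart, &tmp)) {
        errno = ERANGE; return -1;
    }
    *result = neg ? -tmp : tmp;
    return 0;
}

/*
 * What an unchecked build computes instead of trapping: the product
 * wrapped modulo 2^64 (done on uint64_t so the wraparound is defined).
 */
int64_t wrapped_product(int64_t a, int64_t b)
{
    return (int64_t)((uint64_t)a * (uint64_t)b);
}

int main(void)
{
    /* Constructed inputs: the bug's value minus its trailing ".0", plus sane ones. */
    const char *inputs[] = { "-.060000000000000000E", "1.5K", "-.06E" };
    int64_t v;

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (parse_scaled_checked(inputs[i], &v) == 0)
            printf("%-24s -> %lld\n", inputs[i], (long long)v);
        else
            printf("%-24s -> rejected (%s)\n", inputs[i],
                   errno == ERANGE ? "ERANGE" : "EINVAL");
    }
    printf("unchecked product: %lld\n",
           (long long)wrapped_product(-60000000000000000LL, INT64_C(1) << 60));
    return 0;
}
```

For the operands gdb printed (-60000000000000000 and 2^60) the wrapped product is exactly 0, since 6e16 carries 17 factors of two and the shift by 60 pushes all of them past bit 63; that is the kind of "unexpected and possibly useless value" a non-trapping build would hand to RekeyLimit.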