[Bug 3401] Illegal hardware instruction
bugzilla-daemon at mindrot.org
Thu Mar 10 16:45:35 AEDT 2022
https://bugzilla.mindrot.org/show_bug.cgi?id=3401
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
The problematic line is:
RekeyLimit -.060000000000000000E.0
Smells like either integer overflow trapped by -ftrapv or
divide-by-zero somewhere.
It's more easily reproduced with ssh, which takes the same keyword:
$ cat poc.conf
RekeyLimit -.060000000000000000E.0
$ gdb --args ./ssh -F poc.conf localhost
Reading symbols from ./ssh...
(gdb) run
[...]
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
49 return ret;
(gdb) bt
#0 __GI_raise (sig=sig at entry=6) at
../sysdeps/unix/sysv/linux/raise.c:49
#1 0x00007ffff7a9c8a4 in __GI_abort () at abort.c:79
#2 0x0000555555602fc4 in __mulvdi3 ()
#3 0x00005555555fc5ea in scan_scaled (
scaled=scaled at entry=0x555555662ba0 "-.06", '0' <repeats 16 times>,
"E.0",
result=result at entry=0x7fffffffa930)
at ../../../openbsd-compat/fmt_scaled.c:198
#4 0x000055555556de97 in process_config_line_depth (
options=options at entry=0x555555652360 <options>,
pw=pw at entry=0x55555565d550, host=host at entry=0x55555565de10
"localhost",
original_host=original_host at entry=0x555555661970 "localhost",
line=<optimized out>, filename=filename at entry=0x555555656350
"poc.conf",
linenum=1, activep=0x7fffffffb424, flags=2,
want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:1175
#5 0x000055555556e570 in read_config_file_depth (
filename=0x555555656350 "poc.conf", pw=0x55555565d550,
host=0x55555565de10 "localhost", original_host=0x555555661970
"localhost",
options=0x555555652360 <options>, flags=2, activep=0x7fffffffb424,
want_final_pass=0x7fffffffc504, depth=0) at ../../readconf.c:2285
#6 0x000055555556e79d in read_config_file (filename=<optimized out>,
pw=<optimized out>, host=<optimized out>, original_host=<optimized
out>,
options=<optimized out>, flags=<optimized out>,
want_final_pass=0x7fffffffc504) at ../../readconf.c:2238
--Type <RET> for more, q to quit, c to continue without paging--
#7 0x0000555555564eb7 in process_config_files (
host_name=0x555555661970 "localhost", pw=0x55555565d550,
final_pass=0,
want_final_pass=0x7fffffffc504) at ../../ssh.c:555
#8 0x00005555555603cc in main (ac=<optimized out>, av=<optimized out>)
at ../../ssh.c:1146
(gdb) frame 3
#3 0x00005555555fc5ea in scan_scaled (
scaled=scaled at entry=0x555555662ba0 "-.06", '0' <repeats 16 times>,
"E.0",
result=result at entry=0x7fffffffa930)
at ../../../openbsd-compat/fmt_scaled.c:198
198 fpart *= scale_fact;
(gdb) print fpart
$1 = -60000000000000000
(gdb) print scale_fact
$2 = 1152921504606846976
(gdb)
Yep, a trapped integer overflow. In the case where it's built w/out
-ftrapv you'll get an unexpected and possibly useless value for
RekeyLimit, but otherwise I don't think it'll have any effect.
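The backtrace above shows the multiply in scan_scaled (`fpart *= scale_fact`) overflowing int64 when a long fractional part meets the 2^60 "E" suffix, with -ftrapv turning that into SIGABRT and a non-trapping build silently wrapping. The following is an added example, not OpenBSD's fmt_scaled.c or any OpenSSH code: a hypothetical `checked_scan_scaled` that accepts the same `[-]digits[.digits][K|M|G|T|P|E]` shape, rejects trailing junk before doing any arithmetic, drops trailing zeros from the fraction so inputs like the one in the report scale without overflow, and uses the GCC/Clang `__builtin_*_overflow` builtins so any remaining overflow returns -1 with errno set to ERANGE instead of trapping or wrapping. It goes a little beyond the report by handling ordinary inputs such as "1.5K" as well; all function names and the sample inputs are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical checked parser for "[-]digits[.digits][K|M|G|T|P|E]".
 * Returns 0 and stores the value in *result, or -1 with errno set to
 * EINVAL (malformed input) or ERANGE (value does not fit in int64_t). */
static int
checked_scan_scaled(const char *s, int64_t *result)
{
    const char *p = s, *suffixes = "KMGTPE", *hit;
    int64_t whole = 0, fpart = 0, div = 1, scale = 1, v, f;
    int neg = 0, have_digit = 0;

    if (*p == '-') { neg = 1; p++; }

    /* Integer part, accumulated with overflow checks. */
    for (; isdigit((unsigned char)*p); p++) {
        have_digit = 1;
        if (__builtin_mul_overflow(whole, 10, &whole) ||
            __builtin_add_overflow(whole, *p - '0', &whole)) {
            errno = ERANGE; return -1;
        }
    }

    /* Fractional part: find its extent first so trailing zeros can be
     * dropped; "060000000000000000" then scales as "06" (2 digits). */
    if (*p == '.') {
        const char *fstart = ++p, *fend;
        while (isdigit((unsigned char)*p)) p++;
        fend = p;
        if (fend > fstart) have_digit = 1;
        while (fend > fstart && fend[-1] == '0') fend--;
        for (const char *q = fstart; q < fend; q++) {
            if (__builtin_mul_overflow(fpart, 10, &fpart) ||
                __builtin_add_overflow(fpart, *q - '0', &fpart) ||
                __builtin_mul_overflow(div, 10, &div)) {
                errno = ERANGE; return -1;
            }
        }
    }
    if (!have_digit) { errno = EINVAL; return -1; }

    /* Optional scale suffix: K=2^10 ... E=2^60. */
    if (*p != '\0') {
        hit = strchr(suffixes, toupper((unsigned char)*p));
        if (hit == NULL) { errno = EINVAL; return -1; }
        scale = (int64_t)1 << (10 * (int)(hit - suffixes + 1));
        p++;
    }
    /* Anything left over (e.g. the ".0" in the report) is rejected before
     * the arithmetic runs, so malformed input never reaches the multiply. */
    if (*p != '\0') { errno = EINVAL; return -1; }

    /* whole * scale + (fpart * scale) / div, every step checked.  The
     * second multiply is the one that traps in the backtrace. */
    if (__builtin_mul_overflow(whole, scale, &v) ||
        __builtin_mul_overflow(fpart, scale, &f)) {
        errno = ERANGE; return -1;
    }
    f /= div;
    if (__builtin_add_overflow(v, f, &v)) { errno = ERANGE; return -1; }
    *result = neg ? -v : v;   /* v >= 0 here, so negation cannot overflow */
    return 0;
}

/* Wrappers that expose the outcome as plain return values. */
static int64_t
scaled_value(const char *s)     /* parsed value, or INT64_MIN on any error */
{
    int64_t v;
    return checked_scan_scaled(s, &v) == 0 ? v : INT64_MIN;
}

static int
scaled_error(const char *s)     /* 0 on success, otherwise the errno code */
{
    int64_t v;
    errno = 0;
    return checked_scan_scaled(s, &v) == 0 ? 0 : errno;
}

int
main(void)
{
    /* Constructed inputs: the reporter's string, a variant with a
     * non-zero last digit, and two ordinary values. */
    const char *inputs[] = { "-.060000000000000000E.0", "-.060000000000000000E",
                             "-.060000000000000001E", "1.5K", "2M" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int64_t v;
        if (checked_scan_scaled(inputs[i], &v) == 0)
            printf("%-26s -> %" PRId64 "\n", inputs[i], v);
        else
            printf("%-26s -> rejected (%s)\n", inputs[i],
                   errno == ERANGE ? "ERANGE" : "EINVAL");
    }
    return 0;
}
```

The ordering is the point: validate the whole token, then multiply with checks, so a build without -ftrapv gets an error rather than a wrapped RekeyLimit, and a build with it never reaches the trapping instruction.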