[Bug 3776] New: Fuzzing harness agent_fuzz fails to initialize websafe_allowlist

bugzilla-daemon at mindrot.org
Thu Jan 16 02:27:10 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3776

            Bug ID: 3776
           Summary: Fuzzing harness agent_fuzz fails to initialize
                    websafe_allowlist
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Regression tests
          Assignee: unassigned-bugs at mindrot.org
          Reporter: leon.weiss at rub.de

Created attachment 3852
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3852&action=edit
Patch suggestion

The `main` function of ssh_agent makes sure to initialize
`websafe_allowlist`, which is used in `process_sign_request2`. The
fuzzer for this component does not use the main function, but calls
`process_sign_request2` directly, leaving the value uninitialized.

Fuzzing inputs reaching this code cause a NULL ptr dereference.

This seems to be an issue only present in the fuzzing code, but leads
to false positives and untested code beyond this point.

I attached a potential patch for this bug, mimicking the default for
ssh_agent.
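As an added illustration of the harness pattern this report describes (example code written for this page, not OpenSSH code and not the attached patch): a global allowlist that the program's `main` normally populates, a request handler that dereferences it unconditionally, and a libFuzzer-style entry point that performs the same one-time default initialization before calling the handler. The names `process_request`, `harness_init`, `harness_ready` and the default pattern `"ssh:*"` are assumptions for this example, and the comma-separated glob matcher is a toy stand-in for the real pattern-list matching.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Global that the real program's main() sets before any request is
 * processed. The name mirrors the bug report; the default value below
 * is an assumption made for this example. */
static char *websafe_allowlist = NULL;
#define DEFAULT_WEBSAFE_ALLOWLIST "ssh:*"

/* Toy glob: '*' matches any run of characters, '?' any single one. */
static bool pattern_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            while (*pat == '*')
                pat++;
            if (*pat == '\0')
                return true;
            for (; *s != '\0'; s++)
                if (pattern_match(pat, s))
                    return true;
            return false;
        }
        if (*s == '\0' || (*pat != '?' && *pat != *s))
            return false;
        pat++;
        s++;
    }
}

/* Match s against a comma-separated list of patterns. */
bool allowlist_match(const char *list, const char *s)
{
    char buf[256];
    const char *p = list;

    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t n = comma != NULL ? (size_t)(comma - p) : strlen(p);

        if (n >= sizeof(buf))
            return false;           /* over-long pattern: refuse */
        memcpy(buf, p, n);
        buf[n] = '\0';
        if (pattern_match(buf, s))
            return true;
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return false;
}

/* Stand-in for the request handler the fuzzer calls directly.
 * Returns 0 if the origin is allowed, 1 if refused, -1 if malformed.
 * Like the code in the report it trusts main() to have set the global:
 * with websafe_allowlist still NULL, allowlist_match dereferences NULL. */
int process_request(const uint8_t *data, size_t len)
{
    char origin[256];

    if (len == 0 || len >= sizeof(origin) || memchr(data, '\0', len) != NULL)
        return -1;
    memcpy(origin, data, len);
    origin[len] = '\0';
    return allowlist_match(websafe_allowlist, origin) ? 0 : 1;
}

/* What main() does and what the harness must therefore also do:
 * fall back to the default list when nothing else set it. */
void harness_init(void)
{
    if (websafe_allowlist == NULL) {
        size_t n = strlen(DEFAULT_WEBSAFE_ALLOWLIST) + 1;
        websafe_allowlist = malloc(n);
        if (websafe_allowlist == NULL)
            abort();
        memcpy(websafe_allowlist, DEFAULT_WEBSAFE_ALLOWLIST, n);
    }
}

bool harness_ready(void)
{
    return websafe_allowlist != NULL;
}

/* libFuzzer-style entry point: bypasses main(), so it must repeat the
 * one-time initialization itself before exercising the handler. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    static bool initialized = false;

    if (!initialized) {
        harness_init();
        initialized = true;
    }
    (void)process_request(data, size);
    return 0;
}

int main(void)
{
    const char *samples[] = { "ssh:host.example", "https://example.com" };

    harness_init();
    for (size_t i = 0; i < 2; i++)
        printf("%-20s -> %d\n", samples[i],
               process_request((const uint8_t *)samples[i], strlen(samples[i])));
    return 0;
}
```

The one-time guard in the entry point is the harness-side fix the report proposes: it reproduces the program's default without changing the handler, so the fuzzer reaches the code behind the allowlist check instead of stopping at a false-positive crash.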
