[Bug 3819] New: safe_path may pass overlapping source and destination pointers on some systems

bugzilla-daemon at mindrot.org
Thu May 1 07:53:38 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3819

            Bug ID: 3819
           Summary: safe_path may pass overlapping source and destination
                    pointers on some systems
           Product: Portable OpenSSH
           Version: 10.0p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

Created attachment 3874
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3874&action=edit
Fix overlapping strlcpy with some dirname implementations

While investigating another problem (https://bugs.debian.org/1103418,
which I haven't yet managed to track down far enough to figure out how
to reproduce it or whether it's caused by Debian patches), I noticed
this in valgrind output:

  sshd[22181]: ==22181== Source and destination overlap in strlcpy(0x1ffeffd7e3, 0x1ffeffd7e3, 4096)
  sshd[22181]: ==22181==    at 0x484E64D: strlcpy (vg_replace_strmem.c:667)
  sshd[22181]: ==22181==    by 0x189ED5: UnknownInlinedFun (string_fortified.h:169)
  sshd[22181]: ==22181==    by 0x189ED5: safe_path (misc.c:2335)
  sshd[22181]: ==22181==    by 0x18A09D: safe_path_fd (misc.c:2376)
  sshd[22181]: ==22181==    by 0x138C47: auth_openfile (auth2-pubkeyfile.c:477)
  sshd[22181]: ==22181==    by 0x13783A: user_key_allowed2 (auth2-pubkey.c:638)
  sshd[22181]: ==22181==    by 0x13783A: user_key_allowed (auth2-pubkey.c:839)
  sshd[22181]: ==22181==    by 0x13B544: mm_answer_keyallowed (monitor.c:1339)
  sshd[22181]: ==22181==    by 0x13D66D: monitor_read (monitor.c:550)
  sshd[22181]: ==22181==    by 0x140B95: monitor_child_preauth (monitor.c:319)
  sshd[22181]: ==22181==    by 0x118620: privsep_preauth (sshd-session.c:367)
  sshd[22181]: ==22181==    by 0x118620: main (sshd-session.c:1320)

OpenBSD's dirname(3) is documented as returning a pointer into internal
static storage (https://man.openbsd.org/dirname.3), but glibc's
(https://manpages.debian.org/testing/manpages-dev/dirname.3.en.html)
says "Alternatively, they may return a pointer to some part of *path*".
That causes safe_path to pass overlapping source and destination
pointers to strlcpy, which is undefined behaviour according to
https://man.openbsd.org/strlcpy.3.

I think the simplest thing to do is to copy the source buffer first.
Patch attached.
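The copy-first pattern in a self-contained form, as an added illustration that is not OpenSSH's safe_path and not the attached patch: a hypothetical ancestor walk copies the buffer into a scratch buffer before calling dirname(3), so the strlcpy back into the working buffer never overlaps its source, plus a small check for whether the running libc's dirname() returns a pointer into its argument. xstrlcpy, PATHBUF, collect_ancestors and ancestor_equals are names assumed for this example.

```c
#include <libgen.h>
#include <stdint.h>
#include <string.h>

#define PATHBUF 1024  /* hypothetical buffer size standing in for PATH_MAX */

/* Local strlcpy(3): glibc only gained it in 2.38, so supply one here. */
static size_t xstrlcpy(char *dst, const char *src, size_t siz)
{
    size_t len = strlen(src), n = len < siz - 1 ? len : siz - 1;
    if (siz != 0) { memcpy(dst, src, n); dst[n] = '\0'; }
    return len;
}

/* Check: does this libc's dirname(3) return a pointer into its argument
 * (glibc may) rather than into static storage (OpenBSD)? 1 = yes. */
int dirname_points_into_arg(void)
{
    char buf[] = "/etc/ssh/sshd_config";
    uintptr_t cp = (uintptr_t)dirname(buf), lo = (uintptr_t)buf;
    return cp >= lo && cp < lo + sizeof(buf);
}

/* Walk the ancestors of 'path' up to "/" (or "." for a relative path), in
 * the order a safe_path-style permission walk checks them. Hypothetical
 * helper, not OpenSSH's safe_path. Stores each one and returns the count. */
size_t collect_ancestors(const char *path, char out[][PATHBUF], size_t max)
{
    char buf[PATHBUF], tmp[PATHBUF];
    size_t n = 0;
    if (xstrlcpy(buf, path, sizeof(buf)) >= sizeof(buf))
        return 0;  /* would truncate */
    while (n < max) {
        /* Copy first: xstrlcpy(buf, dirname(buf), ...) overlaps when
         * dirname() returns a pointer into buf; tmp keeps them apart. */
        xstrlcpy(tmp, buf, sizeof(tmp));
        xstrlcpy(buf, dirname(tmp), sizeof(buf));
        xstrlcpy(out[n++], buf, PATHBUF);
        if (strcmp(buf, "/") == 0 || strcmp(buf, ".") == 0)
            break;
    }
    return n;
}

/* Does ancestor number i of 'path' equal 'expect'? (handy for checks) */
int ancestor_equals(const char *path, size_t i, const char *expect)
{
    char dirs[16][PATHBUF];
    size_t n = collect_ancestors(path, dirs, 16);
    return i < n && strcmp(dirs[i], expect) == 0;
}
```

Running the walk under valgrind shows no overlap warning because dirname() is only ever handed the scratch copy.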
