Invalid memory access / read stack overflow when reading config with zero bytes

Hanno Böck hanno at hboeck.de
Sun Mar 29 23:15:07 AEDT 2015


Hi,

When ssh accesses a config file that contains a zero byte it'll expose
a stack overflow. This can only be seen with valgrind or with compiling
ssh with address sanitizer. I'll attach the address sanitizer and
valgrind output.

Reproduce:
dd if=/dev/zero of=zero bs=1 count=1
valgrind -q ssh -F zero x

This was found while fuzzing ssh with american fuzzy lop.

(Please CC me on replies, I'm not subscribed to the list.)

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: BBB51E42
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh-stackoverflow-asan.txt.gz
Type: application/gzip
Size: 958 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150329/44e47c50/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssh-stackoverflow-valgrind.txt.gz
Type: application/gzip
Size: 339 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150329/44e47c50/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20150329/44e47c50/attachment-0005.bin>
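As an added example (not code from this report or from OpenSSH), here is a config line reader in C that carries the byte count returned by the reader instead of trusting strlen(), so a NUL byte such as the one the `dd` command above writes is rejected rather than silently shortening the line; the function names and the constructed file images are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 1024

/* Status codes returned by the scanner (hypothetical, not OpenSSH's). */
enum cfg_status { CFG_EMBEDDED_NUL = -1, CFG_TOO_LONG = -2 };

/* Validate one raw line of `len` bytes, where `len` comes from the reader's
 * byte count, not from strlen(). Copies it into `out` NUL-terminated so any
 * later str* calls stay inside the buffer. An embedded NUL would make
 * strlen() and `len` disagree, so it is rejected up front. */
static int cfg_check_line(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    if (len >= outsz) return CFG_TOO_LONG;
    if (memchr(buf, '\0', len) != NULL) return CFG_EMBEDDED_NUL;
    memcpy(out, buf, len);
    out[len] = '\0';
    return 0;
}

/* Scan an in-memory file image of `n` bytes line by line using byte offsets
 * only. Returns the number of non-empty, non-comment lines, or a negative
 * cfg_status on the first bad line. */
int cfg_scan(const unsigned char *data, size_t n)
{
    char line[MAX_LINE];
    size_t start = 0;
    int accepted = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i == n || data[i] == '\n') {
            int rc = cfg_check_line(data + start, i - start, line, sizeof line);
            if (rc != 0) return rc;
            if (line[0] != '\0' && line[0] != '#') accepted++;
            start = i + 1;
        }
    }
    return accepted;
}

int main(void)
{
    /* Constructed inputs: a normal two-directive config and the single
     * zero byte the report's `dd` command produces. */
    const unsigned char good[] = "Host x\n  Port 22\n";
    const unsigned char zero[] = { '\0' };
    printf("good: %d\n", cfg_scan(good, sizeof good - 1)); /* 2 */
    printf("zero: %d\n", cfg_scan(zero, sizeof zero));     /* -1 */
    return 0;
}
```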