Invalid memory access / read stack overflow when reading config with zero bytes

Damien Miller djm at mindrot.org
Mon Mar 30 09:19:02 AEDT 2015


Thanks,

What version of OpenSSH is this?

Also, when reporting fuzzer-derived problems it really helps to include
the test-case.

-d

On Sun, 29 Mar 2015, Hanno Böck wrote:

> Hi,
> 
> When ssh accesses a config file that contains a zero byte it'll expose
> a stack overflow. This can only be seen with valgrind or with compiling
> ssh with address sanitizer. I'll attach the address sanitizer and
> valgrind output.
> 
> Reproduce:
> dd if=/dev/zero of=zero bs=1 count=1
> valgrind -q ssh -F zero x
> 
> This was found while fuzzing ssh with american fuzzy lop.
> 
> (Please CC me on replies, I'm not subscribed to the list.)
> 
> cu,
> -- 
> Hanno Böck
> http://hboeck.de/
> 
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42
> 
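
The report above reproduces the crash with a one-byte file containing NUL. The following C program is an added illustration, not OpenSSH's own config reader and not a claim about where its defect lies: it shows the general hazard of a line-oriented config parser that tracks length with strlen() while the I/O layer delivers raw bytes, and one way to reject such input before any string-based keyword parsing runs. The enum values, function names and sample inputs are all constructed for this example.

```c
/* Added example: rejecting embedded NUL bytes while reading a config file.
 * Illustrative code only; not taken from OpenSSH. The reader keeps the byte
 * count the I/O layer reports and refuses any line in which that count and
 * the C-string view disagree, i.e. any line carrying a NUL before its end. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    CFG_OK = 0,
    CFG_EMBEDDED_NUL = -1,   /* a line contained a '\0' byte */
    CFG_LINE_TOO_LONG = -2,  /* a line did not fit the buffer */
    CFG_IO_ERROR = -3
};

/* Read one line (up to and including '\n', or to EOF) into buf and
 * NUL-terminate it. Returns the number of bytes read (0 at EOF) or -1 when
 * the line would not fit; the count comes from fgetc(), not from strlen(). */
static long read_line(FILE *fp, char *buf, size_t cap)
{
    size_t n = 0;
    int c;

    while ((c = fgetc(fp)) != EOF) {
        if (n + 1 >= cap)
            return -1;          /* refuse rather than silently truncate */
        buf[n++] = (char)c;
        if (c == '\n')
            break;
    }
    buf[n] = '\0';
    return (long)n;
}

/* Read every line of the stream, rejecting any with an embedded NUL.
 * On CFG_OK, *nlines holds the number of lines seen. */
int read_config_stream(FILE *fp, size_t *nlines)
{
    char line[1024];
    long n;

    *nlines = 0;
    while ((n = read_line(fp, line, sizeof line)) > 0) {
        /* memchr() over the byte count catches a NUL anywhere in the line;
         * strlen(line) would have stopped at it and hidden the mismatch. */
        if (memchr(line, '\0', (size_t)n) != NULL)
            return CFG_EMBEDDED_NUL;
        (*nlines)++;
        /* ... only now hand `line` to a strlen()-based keyword parser ... */
    }
    if (n < 0)
        return CFG_LINE_TOO_LONG;
    if (ferror(fp))
        return CFG_IO_ERROR;
    return CFG_OK;
}

/* Demonstration helper: write `len` constructed bytes to a temporary file
 * and run the reader over it. Contents are made up for this example. */
int check_bytes(const unsigned char *buf, size_t len, size_t *nlines)
{
    FILE *fp = tmpfile();
    int rc;

    if (fp == NULL)
        return CFG_IO_ERROR;
    if (fwrite(buf, 1, len, fp) != len) {
        fclose(fp);
        return CFG_IO_ERROR;
    }
    rewind(fp);
    rc = read_config_stream(fp, nlines);
    fclose(fp);
    return rc;
}

int main(void)
{
    size_t n = 0;
    /* Same shape as the reported test case: a single zero byte. */
    const unsigned char zero[] = { 0x00 };
    /* A constructed, well-formed config for comparison. */
    const unsigned char sane[] = "Host example\n    Port 22\n";

    printf("zero byte: rc=%d\n", check_bytes(zero, sizeof zero, &n));
    printf("sane file: rc=%d lines=%zu\n",
           check_bytes(sane, sizeof sane - 1, &n), n);
    return 0;
}
```

The check is deliberately placed before any keyword or argument parsing: once a buffer with an interior NUL reaches strlen()-based code, every length, offset or "rest of line" computation derived from it disagrees with the bytes actually read, which is exactly the kind of inconsistency a fuzzer finds by feeding zero bytes.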


More information about the openssh-unix-dev mailing list