Invalid memory access / read stack overflow when reading config with zero bytes
Damien Miller
djm at mindrot.org
Mon Mar 30 09:19:02 AEDT 2015
Thanks,
What version of OpenSSH is this?
Also, when reporting fuzzer-derived problems it really helps to include
the test-case.
-d
On Sun, 29 Mar 2015, Hanno Böck wrote:
> Hi,
>
> When ssh accesses a config file that contains a zero byte it'll expose
> a stack overflow. This can only be seen with valgrind or with compiling
> ssh with address sanitizer. I'll attach the address sanitizer and
> valgrind output.
>
> Reproduce:
> dd if=/dev/zero of=zero bs=1 count=1
> valgrind -q ssh -F zero x
>
> This was found while fuzzing ssh with american fuzzy lop.
>
> (Please CC me on replies, I'm not subscribed to the list.)
>
> cu,
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno at hboeck.de
> GPG: BBB51E42
>
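The failure mode in the report is a zero byte inside a config file that a C-string-based parser then mis-measures. The hypothetical line scanner below is an added illustration (not OpenSSH's readconf.c, and not code from either poster): it walks an in-memory buffer standing in for the file, takes every length from the byte count rather than from strlen(), and rejects any line that carries an embedded NUL instead of passing it on to string functions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical scanner for a line-oriented config image; all names here are
 * constructed for this example and do not come from OpenSSH. */
enum cfg_status { CFG_OK = 0, CFG_EOF = 1, CFG_EMBEDDED_NUL = 2 };

/* Extract the next line from buf[0..len). *pos is advanced past the line;
 * *line_len is the byte count without the newline. The length comes from
 * the buffer bounds, never from strlen(), so a NUL byte cannot shorten it. */
enum cfg_status cfg_next_line(const char *buf, size_t len, size_t *pos,
                              const char **line, size_t *line_len)
{
    if (*pos >= len)
        return CFG_EOF;
    const char *start = buf + *pos;
    size_t remaining = len - *pos;
    const char *nl = memchr(start, '\n', remaining);
    size_t n = nl ? (size_t)(nl - start) : remaining;
    *pos += nl ? n + 1 : n;
    *line = start;
    *line_len = n;
    /* A NUL-terminated-string consumer would stop early on this line and
     * compute offsets from the wrong length; refuse it up front. */
    if (memchr(start, '\0', n) != NULL)
        return CFG_EMBEDDED_NUL;
    return CFG_OK;
}

/* Length as a strlen()-style consumer would see it: it ends at the first
 * zero byte, which is the mismatch a byte-counting reader avoids. */
size_t cstring_view_length(const char *line, size_t line_len)
{
    const char *z = memchr(line, '\0', line_len);
    return z ? (size_t)(z - line) : line_len;
}

/* Count clean lines in a config image; -1 when a line with an embedded NUL
 * is encountered (the one-zero-byte file from the dd command above is one). */
int cfg_count_lines(const char *buf, size_t len)
{
    size_t pos = 0, n;
    const char *line;
    int count = 0;
    for (;;) {
        enum cfg_status st = cfg_next_line(buf, len, &pos, &line, &n);
        if (st == CFG_EOF)
            return count;
        if (st == CFG_EMBEDDED_NUL)
            return -1;
        count++;
    }
}
```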