Possible overflow bug?
Chris Rapier
rapier at psc.edu
Wed Jun 7 02:02:11 AEST 2023
While doing some related work I built openssh 9.3p1 with
-fsanitize=address and this came up during compilation.
In file included from /usr/include/string.h:535,
from kex.c:34:
In function 'explicit_bzero',
inlined from 'kex_free_newkeys' at kex.c:743:2:
/usr/include/bits/string_fortified.h:72:3: warning:
'__explicit_bzero_chk' writing 48 bytes into a region of size 8
overflows the destination [-Wstringop-overflow=]
72 | __explicit_bzero_chk (__dest, __len, __glibc_objsize0 (__dest));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from kex.c:53:
kex.h: In function 'kex_free_newkeys':
kex.h:116:18: note: destination object 'name' of size 8
116 | char *name;
| ^~~~
/usr/include/bits/string_fortified.h:66:6: note: in a call to function
'__explicit_bzero_chk' declared with attribute 'access (write_only, 1, 2)'
66 | void __explicit_bzero_chk (void *__dest, size_t __len, size_t
__destlen)
Not sure if this is a real problem or not but I thought I'd pass it over
just in case.
Chris
More information about the openssh-unix-dev
mailing list