Possible overflow bug?

Chris Rapier rapier at psc.edu
Wed Jun 7 06:18:26 AEST 2023



On 6/6/23 2:59 PM, Peter Stuge wrote:
> Chris Rapier wrote:
>> openssh 9.3p1
> ..
>> In function 'explicit_bzero',
>>       inlined from 'kex_free_newkeys' at kex.c:743:2:
> 
> kex.c in tag V_9_3_P1 doesn't call explicit_bzero() on line 743,
>> '__explicit_bzero_chk' writing 48 bytes into a region of size 8
> ..
>> kex.h: In function 'kex_free_newkeys':
>> kex.h:116:18: note: destination object 'name' of size 8
>>     116 |         char    *name;
> 
> ... in fact kex_free_newkeys() in tag V_9_3_P1 doesn't ever call
> explicit_bzero() with an object called 'name'.
> 
> 
>> Not sure if this is a real problem or not but I thought I'd pass it
>> over just in case.
> 
> Could you check if you have any patch applied on top of V_9_3_P1?


I'm using commit cb30fbdbee869f1ce11f06aa97e1cb8717a0b645 (HEAD, tag: 
V_9_3_P1, openssh-master/V_9_3) and git diff isn't reporting anything 
applied.

And I just realized I grabbed that from the wrong window (which does 
have patches applied). Same thing exists in the canonical code. Here is 
the accurate one:


In file included from /usr/include/string.h:535,
                  from kex.c:34:
In function ‘explicit_bzero’,
     inlined from ‘kex_free_newkeys’ at kex.c:742:2:
/usr/include/bits/string_fortified.h:72:3: warning: 
‘__explicit_bzero_chk’ writing 48 bytes into a region of size 8 
overflows the destination [-Wstringop-overflow=]
    72 |   __explicit_bzero_chk (__dest, __len, __glibc_objsize0 (__dest));
       |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from kex.c:53:
kex.h: In function ‘kex_free_newkeys’:
kex.h:116:18: note: destination object ‘name’ of size 8
   116 |         char    *name;
       |                  ^~~~
/usr/include/bits/string_fortified.h:66:6: note: in a call to function 
‘__explicit_bzero_chk’ declared with attribute ‘access (write_only, 1, 2)’
    66 | void __explicit_bzero_chk (void *__dest, size_t __len, size_t 
__destlen)
       |      ^~~~~~~~~~~~~~~~~~~~

Sorry about the confusion before. I always have too many terminals open.

Chris


More information about the openssh-unix-dev mailing list