Possible overflow bug?
Sam James
sam at gentoo.org
Wed Jun 7 06:29:53 AEST 2023
Chris Rapier <rapier at psc.edu> writes:
> On 6/6/23 2:59 PM, Peter Stuge wrote:
>> Chris Rapier wrote:
>>> openssh 9.3p1
>> ..
>>> In function 'explicit_bzero',
>>> inlined from 'kex_free_newkeys' at kex.c:743:2:
>> kex.c in tag V_9_3_P1 doesn't call explicit_bzero() on line 743,
>>> '__explicit_bzero_chk' writing 48 bytes into a region of size 8
>> ..
>>> kex.h: In function 'kex_free_newkeys':
>>> kex.h:116:18: note: destination object 'name' of size 8
>>> 116 | char *name;
>> ... in fact kex_free_newkeys() in tag V_9_3_P1 doesn't ever call
>> explicit_bzero() with an object called 'name'.
>>
>>> Not sure if this is a real problem or not but I thought I'd pass it
>>> over just in case.
>> Could you check if you have any patch applied on top of V_9_3_P1?
>
>
> I'm using commit cb30fbdbee869f1ce11f06aa97e1cb8717a0b645 (HEAD, tag:
> V_9_3_P1, openssh-master/V_9_3) and git diff isn't reporting anything
> applied.
>
> And I just realized I grabbed that from the wrong window (which does
> have patches applied). Same thing exists in the canonical code. Here
> is the accurate one:
>
>
> In file included from /usr/include/string.h:535,
> from kex.c:34:
> In function ‘explicit_bzero’,
> inlined from ‘kex_free_newkeys’ at kex.c:742:2:
> /usr/include/bits/string_fortified.h:72:3: warning:
> ‘__explicit_bzero_chk’ writing 48 bytes into a region of size 8
> overflows the destination [-Wstringop-overflow=]
> 72 | __explicit_bzero_chk (__dest, __len, __glibc_objsize0 (__dest));
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In file included from kex.c:53:
> kex.h: In function ‘kex_free_newkeys’:
> kex.h:116:18: note: destination object ‘name’ of size 8
> 116 | char *name;
> | ^~~~
> /usr/include/bits/string_fortified.h:66:6: note: in a call to function
> ‘__explicit_bzero_chk’ declared with attribute ‘access (write_only, 1,
> 2)’
> 66 | void __explicit_bzero_chk (void *__dest, size_t __len, size_t
> __destlen)
> | ^~~~~~~~~~~~~~~~~~~~
>
> Sorry about the confusion before. I always have too many terminals open.
Not a comment on this particular bug, but as an FYI, sanitizers are
known to sometimes cause false-positive *compile*-time warnings (not runtime
failures, which are pretty much always legitimate).
>
> Chris
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 377 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20230606/bb0fe13e/attachment.asc>
More information about the openssh-unix-dev
mailing list