[Bug 2777] New: sshd crashes when getpwnam result is returned by libnss_systemd

bugzilla-daemon at bugzilla.mindrot.org
Thu Sep 14 02:19:40 AEST 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2777

            Bug ID: 2777
           Summary: sshd crashes when getpwnam result is returned by
                    libnss_systemd
           Product: Portable OpenSSH
           Version: 7.5p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot_bugzilla at entropy-collector.net

Downstream bug report https://bugs.archlinux.org/task/55570?project=1
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1643
If the result of this getpwnam call is supplied by libnss_systemd
then the structure and all strings pointed to within the structure will
be in a read-only memory section.
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1648
explicit_bzero will then segfault attempting to write to that read-only
section.
POSIX.1-2008 http://pubs.opengroup.org/onlinepubs/9699919799/ forbids
modifying the structure returned by getpwnam or the strings it points
to.
Perhaps switch the call to getpwnam_r?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
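
The getpwnam_r approach suggested in the report, as an added example (not OpenSSH code and not part of the bug report): the lookup goes into a caller-allocated buffer, the non-secret fields are copied out, and only that buffer is wiped, so nothing is ever written through a pointer the NSS module returned. `struct acct`, `lookup_acct` and `scrub` are hypothetical names, and "root" is a sample account.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct acct { uid_t uid; gid_t gid; char *name; char *dir; }; /* hypothetical */
/* Zero through a volatile pointer so the compiler keeps the stores. */
static void scrub(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/*
 * Look up `name` with getpwnam_r(), copy out only the non-secret fields,
 * then wipe the buffer allocated here. Memory reachable through the returned
 * pointers is never written, so a read-only result cannot cause a fault.
 * Returns 0 if found, 1 if no such user, -1 on error.
 */
int lookup_acct(const char *name, struct acct *out) {
    size_t len = 1024;
    char *buf = malloc(len), *tmp;
    struct passwd pw, *res = NULL;
    int rc, ret = -1;
    if (buf == NULL) return -1;
    while ((rc = getpwnam_r(name, &pw, buf, len, &res)) == ERANGE) {
        if (len >= (1u << 20) || (tmp = realloc(buf, len * 2)) == NULL) break;
        buf = tmp; len *= 2;            /* entry did not fit: retry larger */
    }
    if (rc == 0 && res == NULL) ret = 1;
    else if (rc == 0) {
        out->uid = pw.pw_uid; out->gid = pw.pw_gid;
        out->name = strdup(pw.pw_name);
        out->dir = strdup(pw.pw_dir);
        if (out->name != NULL && out->dir != NULL) ret = 0;
        else { free(out->name); free(out->dir); }
    }
    scrub(buf, len);                    /* our own memory: safe to overwrite */
    free(buf);
    return ret;
}

int main(void) {
    struct acct a;
    if (lookup_acct("root", &a) != 0) return 1;   /* "root" is a sample name */
    printf("%s uid=%ld dir=%s\n", a.name, (long)a.uid, a.dir);
    free(a.name); free(a.dir);
    return 0;
}
```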
