[Bug 2909] New: sshd segfaults on non-existent users when there is an NIS ngetgroup included in /etc/passwd

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Sep 26 00:25:28 AEST 2018 

https://bugzilla.mindrot.org/show_bug.cgi?id=2909

            Bug ID: 2909
           Summary: sshd segfaults on non-existent users when there is an
                    NIS ngetgroup included in /etc/passwd
           Product: Portable OpenSSH
           Version: 7.7p1
          Hardware: ix86
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: todd at xymmetrix.com

Created attachment 3181
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3181&action=edit
segfault test program

We might have a bit of an odd/old configuration, but it works
otherwise.

We get lots and lots of these. This is the only machine whose sshd is
exposed to the internet:

Sep 25 09:42:53 pluto kernel: sshd[1871]: segfault at 0 ip 005023ac sp
7f899810 error 4 in sshd[49b000+6d000]

Normal users here can log in fine, so I figured it was just trash the
password-searchers were throwing at sshd. I finally took some time to
dig in to it. It turns out that trying to ssh in as an invalid user
(ssh foo at pluto) causes sshd to segfault as soon as I enter the
password.

Once I could duplicate it at will it was pretty easy to chase down. The
pick_salt() function iterates through users with getpwent() looking for
a salt it can use. Our setup doesn't use shadow passwords, so it
doesn't find what it's looking for. When it gets to the end of the
password file, the last line is "+ at users" to add in our NIS user
netgroup.

shadow_pw() can't find a password in that line, so it returns NULL,
which pointer is them immediately dereferenced.

I extracted the relevant code into a standalone program that
demonstrates the problem, attached. (I used entire functions; I didn't
pare it down to absolute bare minimum--but there are only three
functions.) When I run it on this system, it produces the following
output:

pw = 77efacc0
pw_name = '+ at users'
  passwd = '(null)'
Segmentation fault



This small change takes care of it:

--- openssh-7.8p1/openbsd-compat/xcrypt.c.orig  2018-08-23
01:41:42.000000000 -0400
+++ openssh-7.8p1/openbsd-compat/xcrypt.c       2018-09-25
10:11:11.639816915 -0400
@@ -83,7 +83,7 @@
        setpwent();
        while ((pw = getpwent()) != NULL) {
                passwd = shadow_pw(pw);
-               if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) !=
NULL) {
+               if (passwd && passwd[0] == '$' && (p =
strrchr(passwd+1, '$')) != NULL) {
                        typelen = p - passwd + 1;
                        strlcpy(salt, passwd, MIN(typelen,
sizeof(salt)));
                        explicit_bzero(passwd, strlen(passwd));



We compile --prefix=/usr --without-shadow.

We're running 7.8p1 now. This problem predates 7.8, though; I'm not
sure how far back it goes.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list