pointer subtraction on arm for 8.3p1


 



I use OpenSSH server on an embedded arm using GCC7 cross toolchain. I
found that spamming connection attempts sometimes causes aborts in
sshd. Upon getting this up in gdb I found that the pointer subtraction
inside openbsd-compat/{strlcat.c,strlcpy.c} (and maybe elsewhere)
causes the 32 bit pointer difference to wrap which triggers the abort
because of the -ftrapv option.

This example illustrates the problem; I get an abort when I compile
for 32-bit arm.

> #include <stdio.h>
> #include <stddef.h>
>
> int main(int argc, char **argv) {
>     (void)argc; (void)argv;
>     /* src and s taken from the strlcpy() frame in the backtrace below:
>      * the 393-byte buffer straddles the 0x80000000 boundary */
>     char *src = (char *)0x7ffffec0;
>     char *s = (char *)0x80000049;
>     /* s - src is a ptrdiff_t; with -ftrapv the signed subtraction of
>      * the two addresses goes through __subvsi3 and aborts */
>     printf("%td\n", s - src);
>     return 0;
> }


Inside strlcpy.c, for example, we have:
> return(s - src - 1); /* count does not include NUL */

It is somewhat infrequent as the array has to straddle the 0x80000000 boundary.

I can clearly disable hardening or hack out ftrapv from my system, but
was wondering if you guys have some advice on how to fix openssh for
this platform?

Sandy Patterson

P.S. My backtrace looks like this:
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0xb6b84600 in __GI_abort () at abort.c:79
#2  0x7f715c00 in __subvsi3 (a=<optimized out>, b=<optimized out>) at
../../../gcc-7-20180201/libgcc/libgcc2.c:119
#3  0x7f713494 in strlcpy (
    dst=0x7fff2428
"ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521",
    src=0x7ffffec0
"ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521",
siz=393) at strlcpy.c:55
#4  0x7f6d4860 in xstrdup (
    str=0x7ffffec0
"ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521")
at xmalloc.c:94
#5  0x7f6c6ee4 in match_list (
    client=0x7ffffec0
"ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521",
    server=0x7fff9e90 "sk-ecdsa-sha2-nistp256@xxxxxxxxxxx", next=0x0)
at match.c:277
#6  0x7f6e9a70 in kex_names_cat (
    a=0x7ffffd30
"ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521",
b=0x7fff15f8 "sk-ecdsa-sha2-nistp256@xxxxxxxxxxx")
    at kex.c:200
#7  0x7f6e9e08 in kex_assemble_names (listp=0x7f75b364 <options+1188>,
    def=0x7ffded88
"ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@xxxxxxxxxxx,ssh-ed25519,sk-ssh-ed25519@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-256,ssh-rsa",
    all=0x7fffa470
"ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,sk-ssh-ed25519@xxxxxxxxxxx,sk-ssh-ed25519-cert-v01@xxxxxxxxxxx,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@xxxxxxxxxxx,ssh-rsa-cert-v01@xxxxxxxxxxx,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512-cert-v01@xxxxxxxxxxx,ssh-dss-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,sk-ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx")
at kex.c:291
#8  0x7f663964 in assemble_algorithms (o=0x7f75aec0 <options>) at servconf.c:229
#9  0x7f66ba44 in copy_set_server_options (dst=0x7f75aec0 <options>,
src=0xbecbf3a8, preauth=0) at servconf.c:2546
#10 0x7f66a418 in parse_server_match_config (options=0x7f75aec0
<options>, includes=0x7f759050 <includes>, connectinfo=0x7f759b10
<ci>) at servconf.c:2428
#11 0x7f6721ac in getpwnamallow (ssh=0x7fff8a88, user=0x7ffeeab0
"root") at auth.c:575
#12 0x7f688d34 in mm_answer_pwnamallow (ssh=0x7fff8a88, sock=6,
m=0x7fffa1e8) at monitor.c:732
#13 0x7f687f40 in monitor_read (ssh=0x7fff8a88, pmonitor=0x7ffef670,
ent=0x7f759644 <mon_dispatch_proto20+24>, pent=0xbecc0648) at
monitor.c:522
#14 0x7f68720c in monitor_child_preauth (ssh=0x7fff8a88,
pmonitor=0x7ffef670) at monitor.c:304
#15 0x7f65a9fc in privsep_preauth (ssh=0x7fff8a88) at sshd.c:512
#16 0x7f660a4c in main (ac=3, av=0x7ffdb160) at sshd.c:2183
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
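Added example (not from the post or from OpenSSH) that models the arithmetic above on a 64-bit host: the two addresses come from the backtrace, while `as_int32`, `signed_ptrdiff32_traps`, `unsigned_ptrdiff32` and `strlcpy_counted` are names chosen here. The last one is a counter-based strlcpy with the same contract as the compat version that returns the same value without ever subtracting two pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Addresses from the backtrace in the post: src and the final value of s
 * in strlcpy() sit on opposite sides of 0x80000000. */
#define MAIL_SRC 0x7ffffec0u
#define MAIL_S   0x80000049u

/* A 32-bit address read as the signed int that `s - src` subtracts
 * (two's complement reinterpretation, done portably here). */
static int64_t as_int32(uint32_t v)
{
    return v > INT32_MAX ? (int64_t)v - 0x100000000LL : (int64_t)v;
}

/* Nonzero when the signed 32-bit subtraction overflows: exactly the
 * case in which GCC's -ftrapv helper __subvsi3 calls abort(). */
static int signed_ptrdiff32_traps(uint32_t s, uint32_t src)
{
    int64_t wide = as_int32(s) - as_int32(src);
    return wide < INT32_MIN || wide > INT32_MAX;
}

/* The same difference modulo 2^32, which is what a non-trapping build
 * prints: correct for any two addresses inside one object. */
static uint32_t unsigned_ptrdiff32(uint32_t s, uint32_t src)
{
    return s - src;
}

/* Same contract as openbsd-compat/strlcpy.c (copy at most siz-1 bytes,
 * NUL-terminate when siz > 0, return strlen(src)), but counted with a
 * size_t instead of `s - src - 1`, so nothing signed can overflow. */
static size_t strlcpy_counted(char *dst, const char *src, size_t siz)
{
    size_t n = 0;

    if (siz != 0) {
        while (n + 1 < siz && src[n] != '\0') {
            dst[n] = src[n];
            n++;
        }
        dst[n] = '\0';          /* NUL-terminate dst */
    }
    while (src[n] != '\0')      /* traverse the rest of src */
        n++;
    return n;                   /* count does not include NUL */
}
```

The dst buffer in the same frame (0x7fff2428, also 393 bytes) does not cross the boundary, which is why only the src-side subtraction in the return statement trips the trap.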


