On Thu, 11 Jun 2020, Sandy Patterson wrote: > I use OpenSSH server on an embedded arm using GCC7 cross toolchain. I > found that spamming connection attempts sometimes causes aborts in > sshd. Upon getting this up in gdb I found that the pointer subtraction > inside openbsd-compat/{strlcat.c,strlcpy.c} (and maybe elsewhere) > causes the 32 bit pointer difference to wrap which triggers the abort > because of the -ftrapv option. > > This example illustrates the problem, I get an abort when I compile > for 32 bit arm. > > > #include <stdio.h> > > int main(int argc, char** argv) { > > char* src = (char*)0x7ffffec0; > > char* s = (char*)0x80000049; > > printf("%ld\n",s - src); > > return 0; > > } > > > inside the strlcpy.c for example we have: > > return(s - src - 1); /* count does not include NUL */ > > It is somewhat infrequent as the array has to straddle the 0x80000000 boundary. > > I can clearly disable hardening or hack out ftrapv from my system, but > was wondering if you guys have some advice on how to fix openssh for > this platform? Your compiler might be broken. C11 s6.5.6/9 says that pointer subtraction should work so long as 1) the pointers are to the same array object and 2) the difference must be representable in a ptrdiff_t. In this case, AFAIK both conditions are true (the pointers relate to the same array and the difference is <2^31). Now, I'm not sure whether the compiler problem is limited to ftrapv or is actually worse. Signed over/underflow is AFAIK undefined behaviour and the compiler is allowed to do all sorts of crazy stuff when it is encountered (including optimising away checks and creating security problems, e,g, https://gcc.gnu.org/bugzilla/show_bug.cgi?id=30475) I'd suggest filing a gcc bug, and then trying a newer gcc or perhaps a recent clang, but I understand what a hassle that can be on embedded platforms. If you can't do this, then I'd recommend compiling *everything* with -fwrapv, that at least should remove the undefined behaviour element here. FWIW, OpenBSD makes -fwrapv the default in its toolchain. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev