Bug 2777

Summary: sshd crashes when getpwnam result is returned by libnss_systemd
Product: Portable OpenSSH
Reporter: loqs <mindrot_bugzilla>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: trivial
CC: djm, dtucker
Priority: P5
Version: 7.5p1
Hardware: ix86
OS: Linux
Bug Depends on:
Bug Blocks: 2782
Attachments:
  keep scrubbed copy of passwd struct (flags: dtucker: ok+)

Description loqs 2017-09-14 02:19:40 AEST
Downstream bug report https://bugs.archlinux.org/task/55570?project=1
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1643
If the result of this getpwnam call is supplied by libnss_systemd then the structure and all strings pointed to within the structure will be in a read only memory section.
https://github.com/openssh/openssh-portable/blob/d38f05dbdd291212bc95ea80648b72b7177e9f4e/sshd.c#L1648
explicit_bzero will then segfault attempting to write to that read only section.
POSIX.1-2008 http://pubs.opengroup.org/onlinepubs/9699919799/ forbids modifying the structure returned by getpwnam or the strings it points to.
Perhaps switch the call to getpwnam_r?
Comment 1 Damien Miller 2018-01-05 14:58:27 AEDT
Created attachment 3110
keep scrubbed copy of passwd struct

We can use the existing pwcopy() function to make a local, mutable copy and hope the system endpwent() does the right thing and scrubs the last returned passwd entry from memory.
Comment 2 Damien Miller 2018-01-23 16:03:56 AEDT
Fix committed, this will be in OpenSSH 7.7.
Comment 3 Damien Miller 2018-04-06 12:26:51 AEST
Close all resolved bugs after release of OpenSSH 7.7.