Bug 3256

Summary: Illegal Instruction
Product: Portable OpenSSH Reporter: Carlos Ramirez <andres>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED DUPLICATE    
Severity: security CC: djm
Priority: P5    
Version: 8.4p1   
Hardware: amd64   
OS: Linux   

Description Carlos Ramirez 2021-01-25 05:34:42 AEDT 
Specially crafted input in configuration files triggers an "Illegal Instruction" from both, server and client application when supplied particular values for the RekeyLimit parameter. The issue usually impacts 
 scan_scaled() in fmt_scaled.c - Size of the supplied buffer seems to influence how the problem triggers.

scan_scaled()
// Line 198:
// scale_fact is zero, scale_fact largely varies depending on input
fpart *= scale_fact; // Illegal instruction

As RekeyLimit limits the amount of data transmitted with a single session key, there could be some security impact if the bug is triggered intentionally or unintentionally in the configuration file. Further investigation is required. Keeping this ticket as private for now.

Impact
- Availability of application
- Further impact needs to be investigated

Attached is PoC that triggers the issue.

PoC command:
/usr/sbin/sshd -f illegal-instruction.txt

NOTE: Graceful error handling should emit an error such as:
"Bad number '-4.4P1111111111111P': Invalid argument"

When the actual illegal instruction is triggered, two messages have been seen:
"Illegal instruction" or simply "Aborted"

See attached file "illegal-instruction.txt"
Comment 1 Carlos Ramirez 2021-01-25 05:37:08 AEDT 
Missing attachment in main post.
Here is the contents of PoC file, use it as config file:


RekeyLimit -4.411111111111111111111111111P
Comment 2 Damien Miller 2021-01-25 10:44:12 AEDT 
This is the convtime() integer overflow that was recently fixed, it's a SIGILL because we set -ftrapv that deliberately faults the process whenever one occurs.

*** This bug has been marked as a duplicate of bug 3250 ***
Comment 3 Damien Miller 2021-03-04 09:52:51 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle