Bug 3409

Summary: ssh-keygen -Y find-principals segfaults on malformed allowed_signers_file
Product: Portable OpenSSH
Component: ssh-keygen
Status: CLOSED FIXED
Severity: normal
Priority: P5
Version: -current
Hardware: All
OS: All
Reporter: Mateusz Adamowski <mateusz>
Assignee: Assigned to nobody <unassigned-bugs>
CC: djm
Bug Depends on:
Bug Blocks: 3395

Description Mateusz Adamowski 2022-03-18 22:08:53 AEDT
Steps to reproduce:

$ ssh-keygen -Y find-principals -s nauka1.txt.sig -f /dev/urandom
/dev/urandom:1: invalid key
/dev/urandom:2: invalid line
/dev/urandom:4: invalid key
/dev/urandom:5: invalid key
Segmentation fault (core dumped)


I don't have a patch yet.
Comment 1 Mateusz Adamowski 2022-03-19 13:20:46 AEDT
I managed to identify a minimal malformed input that crashes the program:

$ ssh-keygen -Y verify -n file -s ed25519.c.sig -f <( printf "?\x00\n" ) -I a < ed25519.c

The problem is probably with the strdelim_internal() function [misc.c:398].

When it cannot find an accepted separator (whitespace, quotes), it returns the original pointer, but it also sets the value passed by pointer (char **s) to NULL.

This value is never checked in parse_principals_key_and_options() [sshsig.c:718] and is ultimately passed to sshkey_read().

I added the following check right before the call to sshkey_read():

    if (cp == NULL) {
        error("%s:%lu: invalid line", path, linenum);
        r = SSH_ERR_INVALID_FORMAT;
        goto out;
    }

And it seems to solve this problem.

However, I think that the parse_principals_key_and_options() function should have some extra pre-check that would immediately eliminate malformed lines, especially those containing 0x00 and other non-printable characters.
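The tokenizer behaviour and the missing NULL check described in comment 1, modelled as an added example in C. This is not OpenSSH code: toy_strdelim(), toy_key_read(), parse_line() and the PARSE_* return codes are stand-ins assumed for the example, the line format is reduced to "principals key", and the sample lines are constructed. parse_line() with check_cursor == 0 has the shape of the unpatched parser (the "?" line reaches the key reader with a NULL cursor); with check_cursor == 1 it applies the check the comment proposes.

```c
/* Added example, not OpenSSH code. toy_strdelim() models the strdelim_internal()
 * behaviour described above (no separator: return the token, set the caller's
 * cursor to NULL). parse_line() with check_cursor == 0 has the shape of the
 * original parser, which hands that cursor to the key reader unchecked; with
 * check_cursor == 1 it rejects the line first. All names, the simplified line
 * format and the return codes are assumptions made for this example. */
#include <string.h>

#define WHITESPACE " \t\r\n"

enum { PARSE_OK = 0, PARSE_SKIP = 1, PARSE_INVALID_FORMAT = -1, PARSE_BAD_KEY = -2 };

struct parsed {
    char principals[64];
    char keytype[32];
    char keyblob[256];
};

/* Return the token at *s and advance *s past the whitespace after it. With no
 * separator left, return the whole remainder and set *s = NULL. */
static char *
toy_strdelim(char **s)
{
    char *old = *s;

    if (old == NULL)
        return NULL;
    *s = strpbrk(old, WHITESPACE);
    if (*s == NULL)
        return old;                         /* cursor exhausted */
    **s = '\0';
    *s += strspn(*s + 1, WHITESPACE) + 1;
    return old;
}

/* Copy a token into a fixed buffer; fail on NULL or overlong input. */
static int
copy_token(char *dst, size_t cap, const char *tok)
{
    if (tok == NULL || strlen(tok) >= cap)
        return -1;
    strcpy(dst, tok);
    return 0;
}

/* Stand-in for sshkey_read(): expects "ssh-<type> <blob>" at *cpp. Like the
 * real function it dereferences *cpp without checking it for NULL, so a NULL
 * cursor is undefined behaviour (a segfault in practice), not an error. */
static int
toy_key_read(struct parsed *out, char **cpp)
{
    char *type, *blob;

    *cpp += strspn(*cpp, WHITESPACE);       /* crashes when *cpp == NULL */
    type = toy_strdelim(cpp);
    if (type == NULL || strncmp(type, "ssh-", 4) != 0 || type[4] == '\0')
        return PARSE_BAD_KEY;
    blob = toy_strdelim(cpp);               /* toy_strdelim() tolerates NULL */
    if (blob == NULL || *blob == '\0')
        return PARSE_BAD_KEY;
    if (copy_token(out->keytype, sizeof(out->keytype), type) != 0 ||
        copy_token(out->keyblob, sizeof(out->keyblob), blob) != 0)
        return PARSE_BAD_KEY;
    return PARSE_OK;
}

/* Parse "principals key". check_cursor == 0: the principals token is checked
 * but the cursor is not, so the report's "?" line (no whitespace at all; the
 * NUL after it already ends the C string) reaches toy_key_read() with
 * cp == NULL. check_cursor == 1: the fix, reject the line as malformed. */
static int
parse_line(const char *line, int check_cursor, struct parsed *out)
{
    char buf[512], *cp;

    if (strlen(line) >= sizeof(buf))
        return PARSE_INVALID_FORMAT;
    strcpy(buf, line);
    cp = buf + strspn(buf, " \t");
    if (*cp == '#' || *cp == '\0')
        return PARSE_SKIP;                  /* blank or all-comment line */
    if (copy_token(out->principals, sizeof(out->principals),
        toy_strdelim(&cp)) != 0)
        return PARSE_INVALID_FORMAT;
    if (check_cursor && cp == NULL)         /* the missing check */
        return PARSE_INVALID_FORMAT;
    return toy_key_read(out, &cp);          /* cp may be NULL without it */
}

int
main(void)
{
    struct parsed out;   /* constructed input; "?" is the report's crasher */
    int ok = parse_line("alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk", 1, &out);
    int bad = parse_line("?", 1, &out);     /* with check_cursor == 0: segfault */
    return (ok == PARSE_OK && bad == PARSE_INVALID_FORMAT) ? 0 : 1;
}
```

Note that toy_strdelim() itself is NULL-safe, which is why a line with a key type but no blob ("alice ssh-ed25519") is reported as a bad key rather than crashing: the second toy_strdelim() call sees the exhausted cursor and returns NULL. The crash only happens when a NULL cursor is handed to a function that, like sshkey_read(), assumes it points at a string, which is exactly the hand-off the cp == NULL check guards.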
Comment 2 Damien Miller 2022-03-30 15:30:12 AEDT
Thanks, I committed a similar fix. It will be in the OpenSSH 9.0 release, due very soon.
Comment 3 Damien Miller 2022-04-08 12:12:52 AEST
Closing: bug resolved during the openssh-9.0 release cycle.