Bug 3256 - Illegal Instruction
Summary: Illegal Instruction
Status: CLOSED DUPLICATE of bug 3250
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 8.4p1
Hardware: amd64 Linux
Importance: P5 security
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-01-25 05:34 AEDT by Carlos Ramirez
Modified: 2021-03-04 09:52 AEDT

See Also:


Attachments

Description Carlos Ramirez 2021-01-25 05:34:42 AEDT
Specially crafted input in configuration files triggers an "Illegal Instruction" from both the server and the client application when particular values are supplied for the RekeyLimit parameter. The issue usually impacts scan_scaled() in fmt_scaled.c. The size of the supplied buffer seems to influence how the problem triggers.

scan_scaled()
// Line 198:
// scale_fact is zero, scale_fact largely varies depending on input
fpart *= scale_fact; // Illegal instruction

As RekeyLimit limits the amount of data transmitted with a single session key, there could be some security impact if the bug is triggered intentionally or unintentionally in the configuration file. Further investigation is required. Keeping this ticket as private for now.

Impact
- Availability of application
- Further impact needs to be investigated

Attached is a PoC that triggers the issue.

PoC command:
/usr/sbin/sshd -f illegal-instruction.txt

NOTE: Graceful error handling should emit an error such as:
"Bad number '-4.4P1111111111111P': Invalid argument"

When the actual illegal instruction is triggered, two messages have been seen:
"Illegal instruction" or simply "Aborted"

See attached file "illegal-instruction.txt"
Comment 1 Carlos Ramirez 2021-01-25 05:37:08 AEDT
Missing attachment in main post.
Here are the contents of the PoC file; use it as the config file:


RekeyLimit -4.411111111111111111111111111P
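The report above describes an arithmetic overflow inside the size parser that, because the binary is built with -ftrapv, surfaces as a process-killing SIGILL rather than the "Bad number ...: Invalid argument" message the reporter expected. The following is an added example, not code from OpenSSH or from the reporter: a small parser for the same "<integer>[.<fraction>][K|M|G|T|P|E]" syntax that checks every multiply and add with the GCC/Clang __builtin_*_overflow builtins and turns any overflow into errno = ERANGE. The function names, the cap of nine fractional digits, and the decision to reject a leading minus sign (a data limit cannot be negative) are assumptions of this example, not behaviour of scan_scaled(3). The reporter's PoC value is used as constructed test input.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Build with overflow trapping to confirm nothing here ever traps:
 *   cc -ftrapv -o scaled scaled.c && ./scaled
 */

/* Binary scale factors for the usual size suffixes (assumed set). */
static int scale_for_suffix(int c, long long *factor)
{
    switch (toupper(c)) {
    case 'B': *factor = 1LL;       return 0;
    case 'K': *factor = 1LL << 10; return 0;
    case 'M': *factor = 1LL << 20; return 0;
    case 'G': *factor = 1LL << 30; return 0;
    case 'T': *factor = 1LL << 40; return 0;
    case 'P': *factor = 1LL << 50; return 0;
    case 'E': *factor = 1LL << 60; return 0;
    default:  return -1;
    }
}

/* Keep at most nine fractional digits; extra digits are ignored. With this
 * cap every intermediate product below provably fits in a long long. */
#define MAX_FDIV 1000000000LL

/*
 * Parse "<digits>[.<digits>][suffix]" into a byte count.
 * Returns 0 on success, -1 with errno = EINVAL (malformed) or
 * ERANGE (value does not fit in long long) on failure.
 */
int parse_scaled_checked(const char *s, long long *result)
{
    const char *p = s;
    long long whole = 0, fpart = 0, fdiv = 1, factor = 1;
    long long scaled, frac, total;

    /* Hypothetical policy for this example: a data limit is never negative. */
    if (*p == '-' || !isdigit((unsigned char)*p)) {
        errno = EINVAL;
        return -1;
    }

    /* Integer part: each step is overflow-checked instead of wrapping
     * (or trapping under -ftrapv). */
    while (isdigit((unsigned char)*p)) {
        if (__builtin_mul_overflow(whole, 10, &whole) ||
            __builtin_add_overflow(whole, *p - '0', &whole)) {
            errno = ERANGE;
            return -1;
        }
        p++;
    }

    /* Fractional part: a 30-digit fraction like the PoC's cannot overflow
     * fpart because accumulation stops once fdiv reaches MAX_FDIV. */
    if (*p == '.') {
        p++;
        if (!isdigit((unsigned char)*p)) {
            errno = EINVAL;
            return -1;
        }
        while (isdigit((unsigned char)*p)) {
            if (fdiv < MAX_FDIV) {
                fpart = fpart * 10 + (*p - '0');
                fdiv *= 10;
            }
            p++;
        }
    }

    /* Optional single suffix character, nothing after it. */
    if (*p != '\0' &&
        (scale_for_suffix((unsigned char)*p, &factor) < 0 || p[1] != '\0')) {
        errno = EINVAL;
        return -1;
    }

    if (__builtin_mul_overflow(whole, factor, &scaled)) {
        errno = ERANGE;
        return -1;
    }
    /* fpart * factor / fdiv, computed without forming the full product:
     * (factor/fdiv)*fpart < factor, and (factor%fdiv)*fpart < 1e18. */
    frac = (factor / fdiv) * fpart + ((factor % fdiv) * fpart) / fdiv;
    if (__builtin_add_overflow(scaled, frac, &total)) {
        errno = ERANGE;
        return -1;
    }
    *result = total;
    return 0;
}

int main(void)
{
    /* Constructed inputs, including the value from the report. */
    const char *inputs[] = { "1K", "1.5K", "7E", "8E",
                             "-4.411111111111111111111111111P", NULL };
    for (int i = 0; inputs[i] != NULL; i++) {
        long long v;
        if (parse_scaled_checked(inputs[i], &v) == 0)
            printf("%-34s -> %lld\n", inputs[i], v);
        else
            printf("Bad number '%s': %s\n", inputs[i], strerror(errno));
    }
    return 0;
}
```

The point of the example is the shape of the fix rather than the exact arithmetic: every operation whose operands come from the configuration file is bounded or checked, so the worst a hostile or mistyped RekeyLimit can do is produce an error message, never a trap that takes down sshd or ssh.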
Comment 2 Damien Miller 2021-01-25 10:44:12 AEDT
This is the convtime() integer overflow that was recently fixed; it's a SIGILL because we set -ftrapv, which deliberately faults the process whenever one occurs.

*** This bug has been marked as a duplicate of bug 3250 ***
Comment 3 Damien Miller 2021-03-04 09:52:51 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle