Bug 3382 - Software vulnerabilities detected using ESBMC-WR tool
Summary: Software vulnerabilities detected using ESBMC-WR tool
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.8p1
Hardware: amd64 Linux
: P5 security
Assignee: Assigned to nobody
Reported: 2022-01-20 14:38 AEDT by janislley
Modified: 2022-04-08 12:12 AEST
Description janislley 2022-01-20 14:38:12 AEDT
Hello,

2 potential software vulnerabilities were found in the code.
To identify this kind of vulnerability I used the tool ESBMC-WR: https://github.com/thalestas/esbmc-wr

Please check the analysis logs:

Issue #1
--------

State 2 file syserr.c line 4 function strerror thread 0
----------------------------------------------------
errnum = -2147483648 (10000000 00000000 00000000 00000000)

State 3 file syserr.c line 108 function strerror thread 0
----------------------------------------------------
Violated property:
file syserr.c line 108 function strerror
array bounds violated: array `sys_errlist' lower bound
(signed long int)errnum >= 0

Issue #2
--------

State 3 file utimensattest.c line 46 function fail thread 0
----------------------------------------------------
saved_errno = -2147483648 (10000000 00000000 00000000 00000000)

State 4 file syserr.c line 4 function strerror thread 0
----------------------------------------------------
errnum = -2147483648 (10000000 00000000 00000000 00000000)

State 5 file syserr.c line 108 function strerror thread 0
----------------------------------------------------
Violated property:
file syserr.c line 108 function strerror
array bounds violated: array `sys_errlist' lower bound
(signed long int)errnum >= 0
Comment 1 Darren Tucker 2022-01-20 15:01:03 AEDT
I think these are both false positives.

(In reply to janislley from comment #0)
[...]
> State 2 file syserr.c

There is no file with that name in OpenSSH. There is (potentially, depending on autoconf) a strerror; however, a) it's in bsd-misc.c and b) Linuxes usually have a native strerror.

> line 4 function strerror thread 0

Line 4 in bsd-misc.c is in the middle of a comment block.

[...]
> State 3 file syserr.c line 108 function strerror thread 0

Line 108 in bsd-misc.c is a blank line after the strerror function.

In addition, the strerror replacement explicitly checks for errno<0:

const char *strerror(int e)
{
        extern int sys_nerr;
        extern char *sys_errlist[];

        if ((e >= 0) && (e < sys_nerr))
                return (sys_errlist[e]);
        return ("unlisted error");
}
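To confirm the point made in comment #1, that the range check runs before any array access and so the reported lower-bound violation is unreachable, here is an added, self-contained C harness (not OpenSSH code): it reproduces the guarded lookup over a constructed three-entry stand-in for sys_errlist and feeds it the exact counterexample value from the ESBMC trace (errnum = -2147483648) together with the other boundary values a reviewer would check.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the libc sys_errlist/sys_nerr pair that the
 * bsd-misc.c replacement indexes; three entries are enough to exercise
 * both ends of the table. */
static const char *const demo_errlist[] = {
    "Success",                  /* 0 */
    "Operation not permitted",  /* 1 */
    "No such file or directory" /* 2 */
};
static const int demo_nerr = (int)(sizeof demo_errlist / sizeof demo_errlist[0]);

/* The property ESBMC reported as violated on the array index:
 *   (signed long int)errnum >= 0   (and, symmetrically, errnum < sys_nerr).
 * Written out as a predicate so each trace value can be checked directly. */
bool errnum_in_table(int e)
{
    return (long)e >= 0 && (long)e < (long)demo_nerr;
}

/* Same control flow as the strerror replacement quoted in comment #1:
 * the range check runs before any array access, so a negative errnum
 * (including INT_MIN, the value in the counterexample trace) never
 * reaches demo_errlist[e]. */
const char *guarded_strerror(int e)
{
    if ((e >= 0) && (e < demo_nerr))
        return demo_errlist[e];
    return "unlisted error";
}

/* Walks the boundary values a reviewer would want covered and returns
 * the number of inputs for which the guard correctly falls back to the
 * "unlisted error" string instead of indexing out of range. */
int count_rejected_out_of_range(void)
{
    const int probes[] = { INT_MIN, -1, 0, demo_nerr - 1, demo_nerr, INT_MAX };
    int rejected = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool ok = errnum_in_table(probes[i]);
        const char *s = guarded_strerror(probes[i]);
        if (!ok && strcmp(s, "unlisted error") == 0)
            rejected++;
    }
    return rejected;
}
```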
Comment 2 Damien Miller 2022-03-18 14:22:01 AEDT
Closing for lack of followup. Please reopen after addressing Darren's concerns in comment #1.
Comment 3 Damien Miller 2022-04-08 12:12:53 AEST
Closing; bug resolved during the openssh-9.0 release cycle.