Defensics' synopsys fuzzer testing tool cause openssh to segfault
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
openssh (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
In Progress
|
Medium
|
Unassigned |
Bug Description
[Impact]
Here's what has been brought to my attention by a UA customer:
* Release:
Xenial/16.04LTS
* Openssh version:
7.2p2-4ubuntu2.10
* Fuzzer tool used:
https:/
As of today, I have no access to a reproducer.
* coredump:
$ gdb $(which sshd) <OBFUSCATED>
...
Using host libthread_db library "/lib/x86_
Core was generated by `sshd: [net] '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_
136 ../sysdeps/
(gdb) bt
#0 __memcpy_
#1 0x00007fec25b241db in memcpy (__len=<optimized out>, __src=0x0, __dest=<optimized out>)
at /usr/include/
#2 aes_gcm_ctrl (c=0x558a7ae19758, type=<optimized out>, arg=<optimized out>, ptr=0x0) at e_aes.c:1189
#3 0x00007fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@
#4 0x0000558a7953f54c in cipher_init (cc=cc@
#5 0x0000558a7954521a in ssh_set_newkeys (ssh=ssh@
#6 0x0000558a7955ae92 in kex_input_newkeys (type=<optimized out>, seq=<optimized out>, ctxt=0x558a7ae1
#7 0x0000558a7954d269 in ssh_dispatch_run (ssh=ssh@
#8 0x0000558a7954d2b9 in ssh_dispatch_
#9 0x0000558a79502770 in do_ssh2_kex () at ../sshd.c:2744
#10 main (ac=<optimized out>, av=<optimized out>) at ../sshd.c:2301
(gdb)
[Test plan]
** NOT REPRODUCIBLE ON MY SIDE **
This seems to be a corner case generated by the Defensics fuzzer test suite (proprietary software from synopsys).
That's the only way this could have been reproduced so far.
Here's the details I could gather about the fuzzer test scenario:
------
Test Suite: SSHv2 Server Test Suite by Synopsys
Test Case Description:
SSHv2.Key-
Insert extra message 'message-2' before message 'client-newkeys'
------
[Where problem could occur]
[Other information]
Upstream fix:
https:/
Only Xenial requires the fix:
# git describe --contains 2adbe1e
V_7_5_P1~7
# rmadison openssh
=> openssh | 1:7.2p2-4ubuntu2.10 | xenial-updates | source
openssh | 1:7.6p1-4 | bionic | source
openssh | 1:7.6p1-4ubuntu0.3 | bionic-security | source
openssh | 1:7.6p1-4ubuntu0.3 | bionic-updates | source
openssh | 1:7.6p1-4ubuntu0.4 | bionic-proposed | source
openssh | 1:8.2p1-4 | focal | source
openssh | 1:8.2p1-4ubuntu0.2 | focal-security | source
openssh | 1:8.2p1-4ubuntu0.2 | focal-updates | source
openssh | 1:8.3p1-1 | groovy | source
openssh | 1:8.3p1-1ubuntu0.1 | groovy-security | source
openssh | 1:8.3p1-1ubuntu0.1 | groovy-updates | source
openssh | 1:8.4p1-5ubuntu1 | hirsute | source
openssh | 1:8.4p1-5ubuntu1 | impish | source
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in openssh (Ubuntu Xenial): | |
status: | New → In Progress |
description: | updated |
Changed in openssh (Ubuntu): | |
status: | New → Fix Released |
Changed in openssh (Ubuntu Xenial): | |
importance: | Undecided → Medium |
description: | updated |
description: | updated |
description: | updated |
Potential fix candidate: /github. com/openssh/ openssh- portable/ commit/ 2adbe1e63bc313d 03e8e84e652cc62 3af8ebb163
https:/