From 585620b0f1c4cde591c1110e1cb1e7822ee0088b Mon Sep 17 00:00:00 2001 From: Zoltan Fridrich Date: Mon, 11 Jul 2022 10:35:00 +0200 Subject: [PATCH] Fix several memory leaks Related: rhbz#2068423 Signed-off-by: Zoltan Fridrich --- openssh-6.7p1-coverity.patch | 25 ------ openssh-8.7p1-mem-leak.patch | 153 +++++++++++++++++++++++++++++++++++ openssh.spec | 9 +++ 3 files changed, 162 insertions(+), 25 deletions(-) create mode 100644 openssh-8.7p1-mem-leak.patch diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch index 3b2c36f..e372f09 100644 --- a/openssh-6.7p1-coverity.patch +++ b/openssh-6.7p1-coverity.patch @@ -101,22 +101,6 @@ diff -up openssh-7.4p1/channels.c.coverity openssh-7.4p1/channels.c return idx; } -diff -up openssh-8.5p1/compat.c.coverity openssh-8.5p1/compat.c ---- openssh-8.5p1/compat.c.coverity 2021-03-24 12:03:33.768968062 +0100 -+++ openssh-8.5p1/compat.c 2021-03-24 12:03:33.783968166 +0100 -@@ -191,10 +191,12 @@ compat_kex_proposal(struct ssh *ssh, cha - return p; - debug2_f("original KEX proposal: %s", p); - if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) -+ /* coverity[overwrite_var : FALSE] */ - if ((p = match_filter_denylist(p, - "curve25519-sha256@libssh.org")) == NULL) - fatal("match_filter_denylist failed"); - if ((ssh->compat & SSH_OLD_DHGEX) != 0) { -+ /* coverity[overwrite_var : FALSE] */ - if ((p = match_filter_denylist(p, - "diffie-hellman-group-exchange-sha256," - "diffie-hellman-group-exchange-sha1")) == NULL) diff -up openssh-8.5p1/dns.c.coverity openssh-8.5p1/dns.c --- openssh-8.5p1/dns.c.coverity 2021-03-02 11:31:47.000000000 +0100 +++ openssh-8.5p1/dns.c 2021-03-24 12:03:33.783968166 +0100 @@ -513,15 +497,6 @@ diff -up openssh-7.4p1/sshd.c.coverity openssh-7.4p1/sshd.c } /* -@@ -2474,7 +2479,7 @@ do_ssh2_kex(struct ssh *ssh) - if (options.rekey_limit || options.rekey_interval) - ssh_packet_set_rekey_limits(ssh, options.rekey_limit, - options.rekey_interval); -- -+ /* coverity[leaked_storage : FALSE]*/ - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( - ssh, list_hostkey_types()); - @@ -2519,8 +2524,11 @@ do_ssh2_kex(struct ssh *ssh) if (newstr) diff --git a/openssh-8.7p1-mem-leak.patch b/openssh-8.7p1-mem-leak.patch new file mode 100644 index 0000000..5d534f5 --- /dev/null +++ b/openssh-8.7p1-mem-leak.patch @@ -0,0 +1,153 @@ +diff --color -rup a/compat.c b/compat.c +--- a/compat.c 2021-08-20 06:03:49.000000000 +0200 ++++ b/compat.c 2022-07-11 10:00:56.661195753 +0200 +@@ -157,11 +157,12 @@ compat_banner(struct ssh *ssh, const cha + debug_f("no match: %s", version); + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_cipher_proposal(struct ssh *ssh, char *cipher_prop) + { + if (!(ssh->compat & SSH_BUG_BIGENDIANAES)) +- return cipher_prop; ++ return xstrdup(cipher_prop); + debug2_f("original cipher proposal: %s", cipher_prop); + if ((cipher_prop = match_filter_denylist(cipher_prop, "aes*")) == NULL) + fatal("match_filter_denylist failed"); +@@ -171,11 +172,12 @@ compat_cipher_proposal(struct ssh *ssh, + return cipher_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_pkalg_proposal(struct ssh *ssh, char *pkalg_prop) + { + if (!(ssh->compat & SSH_BUG_RSASIGMD5)) +- return pkalg_prop; ++ return xstrdup(pkalg_prop); + debug2_f("original public key proposal: %s", pkalg_prop); + if ((pkalg_prop = match_filter_denylist(pkalg_prop, "ssh-rsa")) == NULL) + fatal("match_filter_denylist failed"); +@@ -185,21 +187,26 @@ compat_pkalg_proposal(struct ssh *ssh, c + return pkalg_prop; + } + ++/* Always returns pointer to allocated memory, caller must free. */ + char * + compat_kex_proposal(struct ssh *ssh, char *p) + { ++ char *cp = NULL; ++ + if ((ssh->compat & (SSH_BUG_CURVE25519PAD|SSH_OLD_DHGEX)) == 0) +- return p; ++ return xstrdup(p); + debug2_f("original KEX proposal: %s", p); + if ((ssh->compat & SSH_BUG_CURVE25519PAD) != 0) + if ((p = match_filter_denylist(p, + "curve25519-sha256@libssh.org")) == NULL) + fatal("match_filter_denylist failed"); + if ((ssh->compat & SSH_OLD_DHGEX) != 0) { ++ cp = p; + if ((p = match_filter_denylist(p, + "diffie-hellman-group-exchange-sha256," + "diffie-hellman-group-exchange-sha1")) == NULL) + fatal("match_filter_denylist failed"); ++ free(cp); + } + debug2_f("compat KEX proposal: %s", p); + if (*p == '\0') +diff --color -rup a/sshconnect2.c b/sshconnect2.c +--- a/sshconnect2.c 2022-07-11 09:54:22.300523575 +0200 ++++ b/sshconnect2.c 2022-07-11 10:13:20.516655403 +0200 +@@ -218,6 +218,7 @@ ssh_kex2(struct ssh *ssh, char *host, st + { + char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT }; + char *s, *all_key; ++ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; + int r, use_known_hosts_order = 0; + + #if defined(GSSAPI) && defined(WITH_OPENSSL) +@@ -248,10 +249,9 @@ ssh_kex2(struct ssh *ssh, char *host, st + + if ((s = kex_names_cat(options.kex_algorithms, "ext-info-c")) == NULL) + fatal_f("kex_names_cat"); +- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, s); ++ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, s); + myproposal[PROPOSAL_ENC_ALGS_CTOS] = +- compat_cipher_proposal(ssh, options.ciphers); +- myproposal[PROPOSAL_ENC_ALGS_STOC] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = + compat_cipher_proposal(ssh, options.ciphers); + myproposal[PROPOSAL_COMP_ALGS_CTOS] = + myproposal[PROPOSAL_COMP_ALGS_STOC] = +@@ -260,12 +260,12 @@ ssh_kex2(struct ssh *ssh, char *host, st + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + if (use_known_hosts_order) { + /* Query known_hosts and prefer algorithms that appear there */ +- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = + compat_pkalg_proposal(ssh, + order_hostkeyalgs(host, hostaddr, port, cinfo)); + } else { + /* Use specified HostkeyAlgorithms exactly */ +- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = + compat_pkalg_proposal(ssh, options.hostkeyalgorithms); + } + +@@ -379,6 +379,10 @@ ssh_kex2(struct ssh *ssh, char *host, st + (r = ssh_packet_write_wait(ssh)) != 0) + fatal_fr(r, "send packet"); + #endif ++ /* Free only parts of proposal that were dynamically allocated here. */ ++ free(prop_kex); ++ free(prop_enc); ++ free(prop_hostkey); + } + + /* +diff --color -rup a/sshd.c b/sshd.c +--- a/sshd.c 2022-07-11 09:54:22.301523594 +0200 ++++ b/sshd.c 2022-07-11 10:17:15.692209542 +0200 +@@ -2479,14 +2479,14 @@ do_ssh2_kex(struct ssh *ssh) + { + char *myproposal[PROPOSAL_MAX] = { KEX_SERVER }; + struct kex *kex; ++ char *prop_kex = NULL, *prop_enc = NULL, *prop_hostkey = NULL; + int r; + +- myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(ssh, ++ myproposal[PROPOSAL_KEX_ALGS] = prop_kex = compat_kex_proposal(ssh, + options.kex_algorithms); +- myproposal[PROPOSAL_ENC_ALGS_CTOS] = compat_cipher_proposal(ssh, +- options.ciphers); +- myproposal[PROPOSAL_ENC_ALGS_STOC] = compat_cipher_proposal(ssh, +- options.ciphers); ++ myproposal[PROPOSAL_ENC_ALGS_CTOS] = ++ myproposal[PROPOSAL_ENC_ALGS_STOC] = prop_enc = ++ compat_cipher_proposal(ssh, options.ciphers); + myproposal[PROPOSAL_MAC_ALGS_CTOS] = + myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs; + +@@ -2499,8 +2499,8 @@ do_ssh2_kex(struct ssh *ssh) + ssh_packet_set_rekey_limits(ssh, options.rekey_limit, + options.rekey_interval); + +- myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal( +- ssh, list_hostkey_types()); ++ myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = prop_hostkey = ++ compat_pkalg_proposal(ssh, list_hostkey_types()); + + #if defined(GSSAPI) && defined(WITH_OPENSSL) + { +@@ -2592,6 +2592,9 @@ do_ssh2_kex(struct ssh *ssh) + (r = ssh_packet_write_wait(ssh)) != 0) + fatal_fr(r, "send test"); + #endif ++ free(prop_kex); ++ free(prop_enc); ++ free(prop_hostkey); + debug("KEX done"); + } + diff --git a/openssh.spec b/openssh.spec index 42b08e3..61967bc 100644 --- a/openssh.spec +++ b/openssh.spec @@ -230,6 +230,12 @@ Patch1001: openssh-8.7p1-scp-clears-file.patch # upstream bug: # https://bugzilla.mindrot.org/show_bug.cgi?id=3455 Patch1002: openssh-8.7p1-ssh-manpage.patch +# Always return allocated strings from the kex filtering so that we can free them +# upstream commits: +# 486c4dc3b83b4b67d663fb0fa62bc24138ec3946 +# 6c31ba10e97b6953c4f325f526f3e846dfea647a +# 322964f8f2e9c321e77ebae1e4d2cd0ccc5c5a0b +Patch1003: openssh-8.7p1-mem-leak.patch License: BSD Requires: /sbin/nologin @@ -421,6 +427,7 @@ popd %patch1000 -p1 -b .minimize-sha1-use %patch1001 -p1 -b .scp-clears-file %patch1002 -p1 -b .ssh-manpage +%patch1003 -p1 -b .mem-leak %patch100 -p1 -b .coverity @@ -706,6 +713,8 @@ test -f %{sysconfig_anaconda} && \ Resolves: rhbz#2056884 - Add missing options from ssh_config into ssh manpage Resolves: rhbz#2033372 +- Fix several memory leaks + Related: rhbz#2068423 * Wed Jun 29 2022 Dmitry Belyavskiy - 8.7p1-10 - Set minimal value of RSA key length via configuration option