From 73d45fa321783bf7dabeefbc0c993588a4b9fc79 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Tue, 2 Jun 2015 13:28:54 +0200
Subject: [PATCH] Correct handle pam_ssh_agent_auth memory, buffers and variable sizes, which caused segfaults (#1225106)
---
openssh-6.7p1-coverity.patch | 13 ---
...ssh_agent_auth-0.9.3-agent_structure.patch | 80 +++++++++++++------
2 files changed, 57 insertions(+), 36 deletions(-)
diff --git a/openssh-6.7p1-coverity.patch b/openssh-6.7p1-coverity.patch
index 67d0a0c..35d6eb9 100644
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@@ -167,19 +167,6 @@ diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/pam_user_key_allowed2.c.coverity
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
cp++; /* Skip both */
-diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
---- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.coverity 2015-03-18 17:21:51.786265063 +0100
-+++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-03-18 17:21:51.898264829 +0100
-@@ -89,8 +89,7 @@ userauth_pubkey_from_id(Identity * id)
- authenticated = 1;
-
- user_auth_clean_exit:
-- if(&b != NULL)
-- buffer_free(&b);
-+ buffer_free(&b);
- if(sig != NULL)
- free(sig);
- if(pkblob != NULL)
diff -up openssh-6.8p1/scp.c.coverity openssh-6.8p1/scp.c
--- openssh-6.8p1/scp.c.coverity 2015-03-18 17:21:51.868264891 +0100
+++ openssh-6.8p1/scp.c 2015-03-18 17:21:58.281251460 +0100
diff --git a/pam_ssh_agent_auth-0.9.3-agent_structure.patch b/pam_ssh_agent_auth-0.9.3-agent_structure.patch
index 67ab394..66e9908 100644
--- a/pam_ssh_agent_auth-0.9.3-agent_structure.patch
+++ b/pam_ssh_agent_auth-0.9.3-agent_structure.patch
@@ -1,7 +1,6 @@
-diff --git a/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c b/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
-index 9555e7e..c17aae6 100644
---- a/iterate_ssh_agent_keys.c 2015-05-27 14:09:13.591407306 +0200
-+++ b/iterate_ssh_agent_keys.c 2015-05-27 14:10:33.216267826 +0200
+diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c
+--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c.psaa-agent 2015-06-02 16:43:09.231902255 +0200
++++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/iterate_ssh_agent_keys.c 2015-06-02 16:43:09.235902253 +0200
@@ -37,6 +37,7 @@
#include "buffer.h"
#include "key.h"
@@ -10,7 +9,7 @@ index 9555e7e..c17aae6 100644
#include "ssh.h"
#include
#include
-@@ -177,22 +177,28 @@ int
+@@ -177,34 +178,40 @@ int
find_authorized_keys(uid_t uid)
{
Identity *id;
@@ -18,8 +17,8 @@ index 9555e7e..c17aae6 100644
AuthenticationConnection *ac;
- char *comment;
uint8_t retval = 0;
-+ struct ssh_identitylist *idlist;
-+ int r, i;
++ struct ssh_identitylist *idlist;
++ int r, i;
OpenSSL_add_all_digests();
session_id2 = session_id2_gen();
@@ -32,7 +31,7 @@ index 9555e7e..c17aae6 100644
+ if (r != SSH_ERR_AGENT_NO_IDENTITIES)
+ fprintf(stderr, "error fetching identities for "
+ "protocol %d: %s\n", 2, ssh_err(r));
-+ }
++ } else
+ for (i = 0; i < idlist->nkeys; i++) {
- if(key != NULL) {
@@ -45,22 +44,24 @@ index 9555e7e..c17aae6 100644
id->ac = ac;
if(userauth_pubkey_from_id(id)) {
retval = 1;
-@@ -204,7 +211,10 @@ find_authorized_keys(uid_t uid)
+ }
+- free(id->filename);
+- key_free(id->key);
+ free(id);
+ if(retval == 1)
break;
}
}
-+ ssh_free_identitylist(idlist);
-+ ssh_close_authentication_socket(ac->fd);
-+ buffer_free(&ac->identities);
-+ free(ac);
- ssh_close_authentication_connection(ac);
++ ssh_free_identitylist(idlist);
++ ssh_close_authentication_socket(ac->fd);
++ free(ac);
} else {
verbose("No ssh-agent could be contacted");
-diff --git a/pam_ssh_agent_auth-0.9.3/identity.h b/pam_ssh_agent_auth-0.9.3/identity.h
-index eb21320..c00da34 100644
---- a/pam_ssh_agent_auth-0.9.3/identity.h
-+++ b/pam_ssh_agent_auth-0.9.3/identity.h
+diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h
+--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h.psaa-agent 2009-08-09 02:54:21.000000000 +0200
++++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/identity.h 2015-06-02 16:43:09.235902253 +0200
@@ -14,6 +14,12 @@ typedef struct identity Identity;
typedef struct idlist Idlist;
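Review bot: The cleanup now written at the end of the agent branch, `ssh_free_identitylist(idlist);`, runs on every path through that block, but `idlist` is declared without an initializer in the earlier hunk (`struct ssh_identitylist *idlist;`) and is only assigned by a successful `ssh_fetch_identitylist()`; on the `} else` path this commit introduces for the error case the pointer is indeterminate, and as far as I recall OpenSSH's `ssh_fetch_identitylist()` leaves the out-parameter untouched on failure, so an agent with no loaded keys (`SSH_ERR_AGENT_NO_IDENTITIES`, a routine condition) would still free a garbage pointer. Initialise it at the declaration, `struct ssh_identitylist *idlist = NULL;`, which makes the unconditional free safe provided `ssh_free_identitylist()` tolerates NULL (it does in the OpenSSH versions I know; worth confirming), or move the three cleanup lines into the `else` branch. Dropping `buffer_free(&ac->identities)` is presumably right if the replacement `AuthenticationConnection` no longer carries a buffer, but that struct is not visible in this hunk so it cannot be confirmed here. find_authorized_keys starts and ends outside the hunk.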
@@ -74,11 +75,37 @@ index eb21320..c00da34 100644
struct identity {
TAILQ_ENTRY(identity) next;
AuthenticationConnection *ac; /* set if agent supports key */
-diff --git a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
-index 323817a..93b928f 100644
---- a/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
-+++ b/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
-@@ -81,7 +81,7 @@ userauth_pubkey_from_id(Identity * id)
+diff -up openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c
+--- openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c.psaa-agent 2015-06-02 16:43:09.232902254 +0200
++++ openssh-6.8p1/pam_ssh_agent_auth-0.9.3/userauth_pubkey_from_id.c 2015-06-02 16:45:07.699822094 +0200
+@@ -54,10 +54,11 @@ extern uint8_t session_id_len;
+ int
+ userauth_pubkey_from_id(Identity * id)
+ {
+- Buffer b = { 0 };
++ Buffer b;
+ char *pkalg = NULL;
+ u_char *pkblob = NULL, *sig = NULL;
+- u_int blen = 0, slen = 0;
++ u_int blen = 0;
++ size_t slen = 0;
+ int authenticated = 0;
+
+ pkalg = (char *) key_ssh_name(id->key);
+@@ -65,10 +65,10 @@ userauth_pubkey_from_id(Identity * id)
+
+ /* first test if this key is even allowed */
+ if(! pam_user_key_allowed(id->key))
+- goto user_auth_clean_exit;
++ goto user_auth_clean_exit_without_buffer;
+
+ if(key_to_blob(id->key, &pkblob, &blen) == 0)
+- goto user_auth_clean_exit;
++ goto user_auth_clean_exit_without_buffer;
+
+ /* construct packet to sign and test */
+ buffer_init(&b);
+@@ -70,7 +70,7 @@ userauth_pubkey_from_id(Identity * id)
buffer_put_cstring(&b, pkalg);
buffer_put_string(&b, pkblob, blen);
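Review bot: The three inner hunk headers written into the userauth_pubkey_from_id.c section, `@@ -54,10 +54,11 @@`, `@@ -65,10 +65,10 @@` and `@@ -70,7 +70,7 @@`, do not describe disjoint regions: the second should start at new line 66 once the first inserts a line, and the third's old range 70–76 overlaps the second's 65–74 (the version being replaced carried that same hunk as `@@ -81,7 +81,7 @@`). GNU patch will most likely still place each hunk by its context and report an offset, but stricter appliers such as `git apply` or a `--fuzz=0` build may reject it, and the wrong numbers make the patch hard to audit against the real file. Regenerate this file section with `diff -up` against a scratch tree rather than editing the headers by hand; the code changes themselves — dropping the `= { 0 }` aggregate initializer, giving `slen` its own `size_t` (presumably to match the new agent signing API), and routing the two exits that precede `buffer_init(&b)` to `user_auth_clean_exit_without_buffer` — look right as far as the hunk shows.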
@@ -87,4 +114,11 @@ index 323817a..93b928f 100644
goto user_auth_clean_exit;
/* test for correct signature */
-
+@@ -92,6 +92,7 @@ userauth_pubkey_from_id(Identity * id)
+ user_auth_clean_exit:
+ if(&b != NULL)
+ buffer_free(&b);
++ user_auth_clean_exit_without_buffer:
+ if(sig != NULL)
+ free(sig);
+ if(pkblob != NULL)
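Review bot: The new cleanup-label hunk keeps `if(&b != NULL)` in front of `buffer_free(&b);` as unchanged context, while the first file in this commit deletes the Coverity hunk that removed exactly that always-true address comparison, so the dead check returns to the built tree. With the two exits that precede `buffer_init(&b)` now redirected to `user_auth_clean_exit_without_buffer` (previous hunk), `user_auth_clean_exit` is only reached with an initialised buffer as far as the hunks show, so the check can be dropped inside this same inner hunk: `-	if(&b != NULL)`, `-		buffer_free(&b);`, `+	buffer_free(&b);`. The `if(sig != NULL)` and `if(pkblob != NULL)` guards around `free()` are likewise redundant, since `free(NULL)` is a no-op, though harmless. userauth_pubkey_from_id's body continues past the end of the hunk.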