Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]

mailing list of musl libc
 help / color / mirror / code / Atom feed

From: Matt Johnston <matt@ucc.asn.au>
To: musl@lists.openwall.com
Cc: Rich Felker <dalias@libc.org>
Subject: Re: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
Date: Sat, 18 Apr 2015 21:32:02 +0800	[thread overview]
Message-ID: <20150418133202.GG17615@ucc.gu.uwa.edu.au> (raw)
In-Reply-To: <20150417180907.GA26856@openwall.com>

> On Fri, Apr 17, 2015 at 02:03:25PM -0400, Rich Felker wrote:
> > On Fri, Apr 17, 2015 at 01:23:27PM -0400, Rich Felker wrote:
> > > And wow, this is an utter mess. Not only does dropbear fail to drop
> > > root before processing forwards; it NEVER drops root at all. The
[snip]
> > > Is there any reason for not performing the setgroups/setgid/setuid
> > > immediately after authentication succeeds? Have you looked at whether
> > > it would be easy to patch that in?
> > 
> > Simply copying/moving the code from svr-chansession.c's execchild to
> > svr-auth.c's send_msg_userauth_success seems to fix the entire issue.
> > I had to disable the (useless on systems with proper pty support)
> > chown/chmod for the pty, but otherwise it seems to be working fine.
> 
> I guess changes like these should be upstream'ed.  Matt?

Hi Rich,

Thanks for the suggestion. When the code was originally
written quite a few systems had to use older pty methods
though that has improved now, it is worth revisiting.
Some systems still require --disable-openpty (old uClibc or
built with strange configurations, I think).

utmp/wtmp logs require privileges to write, Dropbear could
add utmp group on systems using that (not sure how
widespread it is). The server hostkey will remain in process
memory since it's required for rekeying - not as bad as root
code execution though.

Proper separation with a privileged supervisor is
on my todo list, I'll have a look how feasible a simpler
approach is.

> > musl's network-facing DNS code seems a bit precarious with
> > pointer arithmetic?
> 
> Which code are you talking about? There was a previous
> problem with
> dn_expand, which is the main function that comes to mind for
> me, and
> the code was fixed and heavily reviewed at the time.

Yes, dn_expand was what I was thinking of - at the time I
looked at the fix and it seemed like difficult code to
reason about. Overall the code style of musl seems quite
nice, I guess the parsing type code is just fairly terse.
The masking with ip[i&7]=0 in the recent fix was a bit
non-obvious without looking at the commit message - makes
sense as a safety mechanism.

Cheers,
Matt

next prev parent reply	other threads:[~2015-04-18 13:32 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-04-17 13:10 Matt Johnston
2015-04-17 17:23 ` Rich Felker
2015-04-17 18:03   ` Rich Felker
2015-04-17 18:09     ` Solar Designer
2015-04-18 13:32       ` Matt Johnston [this message]
2015-04-18 15:25         ` Rich Felker
2015-04-18 15:49           ` Harald Becker
2015-04-18 15:58             ` Rich Felker
2015-04-18 16:27               ` Harald Becker
2015-04-18 16:37                 ` Rich Felker
2015-04-18 17:07                   ` Harald Becker
2015-04-18 18:27                     ` Laurent Bercot
2015-04-18 18:47                       ` Harald Becker
2015-04-18 18:13                   ` Harald Becker
2015-04-18 19:56                     ` Rich Felker
2015-04-18 21:02                       ` Laurent Bercot
2015-04-19  3:44                         ` Rich Felker
2015-04-20 10:17                           ` Harald Becker
2015-04-20 11:20                             ` Kurt H Maier
2015-04-20 11:35                               ` Harald Becker
2015-04-20 11:50                                 ` Harald Becker
2015-04-20 14:14                                 ` Kurt H Maier
2015-04-20 14:21                                   ` Harald Becker
2015-04-18 18:25                   ` Harald Becker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150418133202.GG17615@ucc.gu.uwa.edu.au \
    --to=matt@ucc.asn.au \
    --cc=dalias@libc.org \
    --cc=musl@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).