[Bug 1930286] Re: Defensics' synopsys fuzzer testing tool cause openssh to segfault
Eric Desrochers
1930286@bugs.launchpad.net
Mon Jun 7 14:09:19 UTC 2021
** Description changed:
[Impact]
Here's what has been brought to my attention by a UA customer:
* Release:
Xenial/16.04LTS
* Openssh version:
7.2p2-4ubuntu2.10
* Fuzzer tool used:
https://www.synopsys.com/software-integrity/security-testing/fuzz-testing.html (proprietary software)
As of today, I have no access to a reproducer.
* coredump:
$ gdb $(which sshd) <OBFUSCATED>.sshd.20731
...
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `sshd: [net] '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
136 ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_avx_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-avx-unaligned.S:136
#1 0x00007fec25b241db in memcpy (__len=<optimized out>, __src=0x0, __dest=<optimized out>)
at /usr/include/x86_64-linux-gnu/bits/string3.h:53
#2 aes_gcm_ctrl (c=0x558a7ae19758, type=<optimized out>, arg=<optimized out>, ptr=0x0) at e_aes.c:1189
#3 0x00007fec25b20897 in EVP_CIPHER_CTX_ctrl (ctx=ctx@entry=0x558a7ae19758, type=type@entry=18, arg=arg@entry=-1, ptr=ptr@entry=0x0) at evp_enc.c:619
#4 0x0000558a7953f54c in cipher_init (cc=cc@entry=0x558a7ae19750, cipher=0x558a797b3ef0 <ciphers+720>, key=0x0, keylen=32, iv=0x0, ivlen=<optimized out>, do_encrypt=0) at ../cipher.c:336
#5 0x0000558a7954521a in ssh_set_newkeys (ssh=ssh@entry=0x558a7ae18ef0, mode=mode@entry=0) at ../packet.c:919
#6 0x0000558a7955ae92 in kex_input_newkeys (type=<optimized out>, seq=<optimized out>, ctxt=0x558a7ae18ef0) at ../kex.c:434
#7 0x0000558a7954d269 in ssh_dispatch_run (ssh=ssh@entry=0x558a7ae18ef0, mode=0, done=0x558a7ae18278, ctxt=0x558a7ae18ef0) at ../dispatch.c:119
#8 0x0000558a7954d2b9 in ssh_dispatch_run_fatal (ssh=0x558a7ae18ef0, mode=<optimized out>, done=<optimized out>, ctxt=<optimized out>) at ../dispatch.c:140
#9 0x0000558a79502770 in do_ssh2_kex () at ../sshd.c:2744
#10 main (ac=<optimized out>, av=<optimized out>) at ../sshd.c:2301
(gdb)
[Test plan]
** NOT REPRODUCIBLE ON MY SIDE **
This seems to be a corner case generated by the Defensics fuzzer test
suite (proprietary software from Synopsys).
That's the only way this could have been reproduced so far.
+ Here are the details I could gather about the fuzzer test scenario:
+
+ ------
+ Test Suite: SSHv2 Server Test Suite by Synopsys
+ Test Case Description:
+ SSHv2.Key-Exchange.DH-GROUP-EXCHANGE-SHA256.message-sequence.duplicate-message:
+ Insert extra message 'message-2' before message 'client-newkeys'
+ ------
+
[Where problem could occur]
[Other information]
Upstream fix:
https://github.com/openssh/openssh-portable/commit/2adbe1e63bc313d03e8e84e652cc623af8ebb163
Only Xenial requires the fix:
# git describe --contains 2adbe1e
V_7_5_P1~7
# rmadison openssh
=> openssh | 1:7.2p2-4ubuntu2.10 | xenial-updates | source
openssh | 1:7.6p1-4 | bionic | source
openssh | 1:7.6p1-4ubuntu0.3 | bionic-security | source
openssh | 1:7.6p1-4ubuntu0.3 | bionic-updates | source
openssh | 1:7.6p1-4ubuntu0.4 | bionic-proposed | source
openssh | 1:8.2p1-4 | focal | source
openssh | 1:8.2p1-4ubuntu0.2 | focal-security | source
openssh | 1:8.2p1-4ubuntu0.2 | focal-updates | source
openssh | 1:8.3p1-1 | groovy | source
openssh | 1:8.3p1-1ubuntu0.1 | groovy-security | source
openssh | 1:8.3p1-1ubuntu0.1 | groovy-updates | source
openssh | 1:8.4p1-5ubuntu1 | hirsute | source
openssh | 1:8.4p1-5ubuntu1 | impish | source
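The backtrace shows kex_input_newkeys() driving cipher_init() with key=0x0 and iv=0x0, i.e. a NEWKEYS handled before any keys were derived. The following constructed model, added here and not OpenSSH's code nor the upstream commit, shows the two defensive properties a dispatcher needs so that an out-of-sequence or duplicated handshake message is rejected as a protocol error instead of reaching the cipher with a NULL key; message numbers, error codes and the key-derivation stand-in are all constructed.

```c
/* Constructed model (not OpenSSH code) of an SSH-style message dispatcher with
 * the two guards that keep an out-of-sequence NEWKEYS from reaching the cipher
 * with a NULL key, the condition visible in frame #4 of the backtrace above. */
#include <string.h>
enum { MSG_KEXINIT = 20, MSG_NEWKEYS = 21, MSG_KEXDH_INIT = 30, MSG_MAX = 64 };
enum { ERR_PROTOCOL = -1, ERR_NO_KEYS = -2 };
#define KEYLEN 32
struct ssh {
    int (*dispatch[MSG_MAX])(struct ssh *);  /* one handler per message type */
    unsigned char store[KEYLEN], *derived;   /* derived stays NULL until the DH step */
    unsigned char active_key[KEYLEN];
    int keys_installed;
};
static int proto_error(struct ssh *s) { (void)s; return ERR_PROTOCOL; }
static int cipher_init(struct ssh *s, const unsigned char *key) {
    if (key == NULL) return ERR_NO_KEYS;       /* Guard 1: never memcpy() from NULL */
    memcpy(s->active_key, key, KEYLEN);
    s->keys_installed = 1;
    return 0;
}
static int input_newkeys(struct ssh *s) {
    s->dispatch[MSG_NEWKEYS] = proto_error;    /* Guard 2: NEWKEYS is accepted once */
    return cipher_init(s, s->derived);
}
static int input_kexdh_init(struct ssh *s) {
    memset(s->store, 0x42, KEYLEN);            /* constructed stand-in for key derivation */
    s->derived = s->store;
    s->dispatch[MSG_KEXDH_INIT] = proto_error; /* a duplicate DH message is rejected */
    s->dispatch[MSG_NEWKEYS] = input_newkeys;  /* NEWKEYS becomes legal only now */
    return 0;
}
static int input_kexinit(struct ssh *s) {
    s->dispatch[MSG_KEXINIT] = proto_error;
    s->dispatch[MSG_KEXDH_INIT] = input_kexdh_init;
    return 0;
}
/* Feed one message sequence to a fresh session: 0 means every message was
 * accepted and keys are installed, otherwise the first error code. */
int run_sequence(const int *types, size_t n) {
    struct ssh s = {0};
    for (int i = 0; i < MSG_MAX; i++) s.dispatch[i] = proto_error;
    s.dispatch[MSG_KEXINIT] = input_kexinit;
    for (size_t i = 0; i < n; i++) {
        if (types[i] < 0 || types[i] >= MSG_MAX) return ERR_PROTOCOL;
        int r = s.dispatch[types[i]](&s);
        if (r != 0) return r;
    }
    return s.keys_installed ? 0 : ERR_NO_KEYS;
}
```

The fuzzer case on this bug (an extra message inserted before client-newkeys) maps onto the duplicated-DH and early-NEWKEYS sequences, both of which the model answers with ERR_PROTOCOL rather than a dereference.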
https://bugs.launchpad.net/bugs/1930286
Title:
Defensics' synopsys fuzzer testing tool cause openssh to segfault
Status in openssh package in Ubuntu:
Fix Released
Status in openssh source package in Xenial:
In Progress