Bug 258179 - security/sshguard: Stack Overflow on i386 (stable/13) on startup. sshg-blocker dumps core.
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: i386 Any
Importance: --- Affects Only Me
Assignee: Philip Paeps
Reported: 2021-08-31 03:33 UTC by John Marshall
Modified: 2021-10-04 04:32 UTC
kevinz5000: maintainer-feedback+


Attachments
Patch (1.81 KB, patch)
2021-09-01 05:16 UTC, Kevin Zheng

Description John Marshall 2021-08-31 03:33:30 UTC
security/sshguard 2.4.2
FreeBSD i386 stable/13 (last week)

sshg-blocker dumps core on startup.

auth.log shows:
  sshguard[86952]: stack overflow detected; terminated

Runs happily on amd64 with stable/13 from the same day.

I don't have lldb on the i386 system because it won't build [see bug 257954] and don't know how to drive it; but got this when I copied the core file to the amd64 system:

$ lldb -a i386 -c /tmp/sshg-blocker.core
(lldb) target create --core "/tmp/sshg-blocker.core"
Core file '/tmp/sshg-blocker.core' (i386) was loaded.

(lldb) bt all
* thread #1, name = 'sshg-blocker', stop reason = signal SIGABRT
  * frame #0: 0x20586c8f
    frame #1: 0x205886e0
  thread #2, name = 'sshg-blocker', stop reason = signal SIGABRT
    frame #0: 0x2058839f
    frame #1: 0x2046231e
(lldb)
Comment 1 Kevin Zheng 2021-08-31 03:39:55 UTC
Hi John, thanks for the report.

You say SSHGuard crashes on startup. Are you using 1) whitelisting and 2) blacklisting?

If you delete the whitelist and blacklist (after making backups), does sshg-blocker still crash on startup?

If you've determined that it's one of these files that causes the crash, would you be comfortable sending a copy of the file?
Comment 2 John Marshall 2021-08-31 05:21:41 UTC
(In reply to Kevin Zheng from comment #1)
Thank you Kevin,

Following your suggestion, I did some troubleshooting around the whitelist and blacklist.

The problem is the whitelist. The whitelist file on this server is identical to the whitelist on the 64-bit server which has no problem. I have three IPv4 address blocks and one IPv6 prefix in that whitelist file. If I comment out the IPv6 prefix the problem disappears. I have confirmed that I can reproduce the problem with a single-line whitelist file:

rwsrv04# cat sshguard.whitelist
2001:DB8::/32
rwsrv04# 

[The IPv6 prefix quoted above is the documentation prefix described in RFC3849.]

If I comment out that single line, the service runs. If I remove the comment, sshg-blocker aborts with the stack overflow message.

Again, I see no problem on the 64-bit system.
Comment 3 Kevin Zheng 2021-08-31 06:15:50 UTC
(In reply to John Marshall from comment #2)
Hi John, thanks for your help in debugging and for your steps to reproduce.

I have not been able to reproduce the issue on a 32-bit ARM machine I have, so I will be spinning up a FreeBSD i386 VM and trying again soon.
Comment 4 John Marshall 2021-08-31 06:54:56 UTC
(In reply to Kevin Zheng from comment #3)
Thanks very much Kevin.  This is what I'm running on.  I'm happy to do whatever testing might help.

FreeBSD 13.0-STABLE #1 stable/13-n246973-5e9c2a6a902: Sat Aug 28 10:55:18 AEST 2021
    john@rwsrv04.gfn.riverwillow.net.au:/build/obj/john/build/src/i386.i386/sys/RWSRV04 i386
FreeBSD clang version 12.0.1 (git@github.com:llvm/llvm-project.git llvmorg-12.0.1-0-gfed41342a82f)
VT(vga): resolution 640x480
CPU: Intel(R) Pentium(R) 4 CPU 2.80GHz (2800.53-MHz 686-class CPU)
  Origin="GenuineIntel"  Id=0xf33  Family=0xf  Model=0x3  Stepping=3
  Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>
  Features2=0x41d<SSE3,DTES64,MON,DS_CPL,CNXT-ID>
  TSC: P-state invariant
real memory  = 1879048192 (1792 MB)
avail memory = 1824153600 (1739 MB)
Event timer "LAPIC" quality 100
ACPI APIC Table: <PTLTD  	 APIC  >
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 1 core(s) x 2 hardware threads
Comment 5 Kevin Zheng 2021-09-01 05:16:06 UTC
Created attachment 227583
Patch

(In reply to John Marshall from comment #4)
I was able to reproduce by compiling the sshguard-2.4.2 from source with CFLAGS="-fstack-protector-all -g" on FreeBSD 13.0-RELEASE GENERIC/i386 running on bhyve.

It looks like the blocker is crashing in whitelist_add_block6() due to a memset() off-by-one error. The fix is below:

diff --git a/src/blocker/sshguard_whitelist.c b/src/blocker/sshguard_whitelist.c
index 30c6717..555237a 100644
--- a/src/blocker/sshguard_whitelist.c
+++ b/src/blocker/sshguard_whitelist.c
@@ -275,7 +275,7 @@ int whitelist_add_block6(const char *restrict address, int masklen) {
     bitlen = masklen % 8;
     bitmask = 0xFF << (8 - bitlen);
     ab.address.ip6.mask.s6_addr[bytelen] = bitmask;
-    memset(& ab.address.ip6.mask.s6_addr[bytelen+1], 0x00, sizeof(ab.address.ip6.mask.s6_addr) - bytelen);
+    memset(& ab.address.ip6.mask.s6_addr[bytelen+1], 0x00, sizeof(ab.address.ip6.mask.s6_addr) - bytelen - 1);
 
     if (! list_contains(& whitelist, &ab)) {
         list_append(& whitelist, &ab);
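
Review bot: The unchanged store `ab.address.ip6.mask.s6_addr[bytelen] = bitmask;` and the `&ab.address.ip6.mask.s6_addr[bytelen+1]` start address are only in bounds while bytelen is at most 15, and nothing visible in this hunk bounds masklen. If bytelen can be 16 here (as it would for a /128 entry if bytelen is masklen / 8, which the hunk does not show), the store lands one byte past the array and the new length `sizeof(...) - bytelen - 1` wraps to a very large size_t. Either confirm masklen is range-checked earlier in whitelist_add_block6(), or put the store and the memset() behind a check that bytelen is less than sizeof(ab.address.ip6.mask.s6_addr). The length correction itself is right: starting at index bytelen+1 there are sizeof - bytelen - 1 bytes left, so the old expression wrote one byte past the end of the array.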

This fix was committed upstream in 50581dba, and a patch suitable for `git am` to the ports tree is attached.

John, while this patch makes its way to the ports tree, is it convenient for you to test the patch and confirm that it fixes the crash you're seeing?
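
The off-by-one described in comment 5, replayed as an added example (not part of the original report and not SSHGuard's own code). The helper names, the guard byte, the `bytelen = masklen / 8` computation and the 0xFF prefix fill are assumptions made for illustration, since the hunk does not show those lines; `build_mask6` goes beyond the patch by also handling /128.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MASK_LEN 16   /* size of an IPv6 address / s6_addr array */
#define GUARD    0xA5 /* constructed sentinel placed right after the mask */

/* Replays the hunk's mask fill inside a 17-byte buffer so the byte just past
 * the mask can be inspected without undefined behaviour.
 * tail_adjust 0 = pre-fix memset length, 1 = patched length.
 * Returns 1 if the guard byte survived, 0 if overwritten, -1 on bad input. */
int guard_survives(int masklen, int tail_adjust) {
    uint8_t buf[MASK_LEN + 1];
    if (masklen < 0 || masklen >= MASK_LEN * 8 ||
        (tail_adjust != 0 && tail_adjust != 1))
        return -1;                       /* keeps bytelen <= 15 for this replay */
    size_t bytelen = (size_t)masklen / 8;
    int bitlen = masklen % 8;
    buf[MASK_LEN] = GUARD;
    memset(buf, 0xFF, bytelen);          /* full prefix bytes (assumed) */
    buf[bytelen] = (uint8_t)(0xFF << (8 - bitlen));
    memset(&buf[bytelen + 1], 0x00, MASK_LEN - bytelen - (size_t)tail_adjust);
    return buf[MASK_LEN] == GUARD;
}

/* Hardened builder (hypothetical helper): accepts /0 through /128 and never
 * indexes past mask[15]. Returns 0 on success, -1 if masklen is out of range. */
int build_mask6(uint8_t mask[MASK_LEN], int masklen) {
    if (masklen < 0 || masklen > MASK_LEN * 8)
        return -1;
    size_t bytelen = (size_t)masklen / 8;
    int bitlen = masklen % 8;
    memset(mask, 0xFF, bytelen);
    if (bytelen < MASK_LEN) {            /* /128 has no partial byte and no tail */
        mask[bytelen] = (uint8_t)(0xFF << (8 - bitlen));
        memset(&mask[bytelen + 1], 0x00, MASK_LEN - bytelen - 1);
    }
    return 0;
}

int main(void) {
    /* 32 is the prefix length from the reporter's one-line whitelist */
    printf("pre-fix /32 guard intact: %d\n", guard_survives(32, 0));
    printf("patched /32 guard intact: %d\n", guard_survives(32, 1));
    return 0;
}
```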
Comment 6 John Marshall 2021-09-01 07:45:07 UTC
(In reply to Kevin Zheng from comment #5)
Thank you very much Kevin,

I applied your patch to my ports tree, rebuilt sshguard, and all works fine with the test whitelist file and with my original whitelist file.

Thank you again for your work on this!
Comment 7 Kevin Zheng 2021-09-01 17:15:46 UTC
Ports committers, since I'm the maintainer, should I update maintainer-feedback to indicate that a patch is ready and implicitly approved?
Comment 8 commit-hook freebsd_committer 2021-10-04 04:17:25 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=c3381bf4d961159f4903f573c7f01fae85ad5a18

commit c3381bf4d961159f4903f573c7f01fae85ad5a18
Author:     Kevin Zheng <kevinz5000@gmail.com>
AuthorDate: 2021-09-01 05:07:43 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2021-10-04 04:15:18 +0000

    security/sshguard: Fix memset() off-by-one

    This bug causes a stack overflow (and crash due to failed stack check)
    when certain IPv6 addresses are whitelisted on i386.

    PR:             258179
    Reported by:    John Marshall <john@jmarshall.id.au>
    MFH:            2021Q4

 security/sshguard/Makefile                                    |  1 +
 .../files/patch-src_blocker_sshguard__whitelist.c (new)       | 11 +++++++++++
 2 files changed, 12 insertions(+)
Comment 9 commit-hook freebsd_committer 2021-10-04 04:31:28 UTC
A commit in branch 2021Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=371d21badc1c56e48e307eb2f0a0ccf376a03cdb

commit 371d21badc1c56e48e307eb2f0a0ccf376a03cdb
Author:     Kevin Zheng <kevinz5000@gmail.com>
AuthorDate: 2021-09-01 05:07:43 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2021-10-04 04:28:58 +0000

    security/sshguard: Fix memset() off-by-one

    This bug causes a stack overflow (and crash due to failed stack check)
    when certain IPv6 addresses are whitelisted on i386.

    PR:             258179
    Reported by:    John Marshall <john@jmarshall.id.au>
    MFH:            2021Q4

    (cherry picked from commit c3381bf4d961159f4903f573c7f01fae85ad5a18)

 security/sshguard/Makefile                                    |  1 +
 .../files/patch-src_blocker_sshguard__whitelist.c (new)       | 11 +++++++++++
 2 files changed, 12 insertions(+)
Comment 10 Philip Paeps freebsd_committer 2021-10-04 04:32:36 UTC
Committed.  Thanks!