Date:      Wed, 8 Aug 2007 02:04:49 +0200 (CEST)
From:      Michiel Boland <michiel@boland.org>
To:        Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc:        freebsd-current@freebsd.org
Subject:   Re: sshd broken with UsePrivilegeSeparation=yes on sparc64 
Message-ID:  <20070808013905.P78031-100000@xs6.xs4all.nl>
In-Reply-To: <58735.1184519830@critter.freebsd.dk>


On Sun, 15 Jul 2007, Poul-Henning Kamp wrote:

>>         fd = (*(int *)CMSG_DATA(cmsg));
>>
>> So, obviously a gcc bug. I will try to generate a smaller test-case for
>> this.
>
> I'm not convinced that CMSG_DATA is entirely kosher.

The problem with the openssh code appears to be the following.

In /usr/src/crypto/openssh/monitor_fdpass.c, there are two functions,
mm_receive_fd and mm_send_fd that do roughly the following

 int mm_receive_fd(int sock)
 {
        struct msghdr msg;
        char tmp[CMSG_SPACE(sizeof(int))];
        [...]
        msg.msg_control = tmp;
        msg.msg_controllen = sizeof(tmp);
        recvmsg(sock, &msg, 0);
        etc.

Now, there is no guarantee that the 'tmp' array is aligned on a word
boundary. Perhaps on i386/amd64, but not on sparc64.

As a hack-bandaid, you can more or less fix alignment with this patch

--- monitor_fdpass.c.orig	2006-11-10 17:38:34.000000000 +0100
+++ monitor_fdpass.c	2007-08-08 01:37:44.000000000 +0200
@@ -91,7 +91,7 @@
 	struct msghdr msg;
 	struct iovec vec;
 	ssize_t n;
-	char ch;
+	int ch;
 	int fd;
 #ifndef HAVE_ACCRIGHTS_IN_MSGHDR
 	char tmp[CMSG_SPACE(sizeof(int))];
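Review bot: the alignment this buys for `tmp` is incidental rather than guaranteed: widening `ch` from `char` to `int` only moves `tmp` onto a 4-byte boundary if the compiler lays the locals out in declaration order with no padding, which nothing in the language promises, so a different compiler, optimisation level or reordering can silently undo it. Declaring the buffer with an explicitly aligned type states the requirement in the code and holds on every platform, e.g. `union { struct cmsghdr hdr; char tmp[CMSG_SPACE(sizeof(int))]; } u;` with `msg.msg_control = u.tmp;`; the same applies to mm_send_fd, which the message says uses the same `char tmp[]` pattern.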

then recompile /usr/src/secure/lib/libssh

A better solution would probably be something like using
 tmp = malloc(CMSG_SPACE(sizeof(int)))
to really guarantee alignment.

But I don't really understand why the original code did not crash with
SIGBUS or something, but just returned bogus values for fd.

Cheers
Michiel
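The aligned-buffer approach discussed in the message, as an added example that is not code from the original post or from openssh: a union with a struct cmsghdr member gives the control buffer the alignment the kernel and CMSG_DATA() expect on any architecture (no malloc needed), and memcpy() replaces the *(int *) cast so the read of the descriptor itself can never be misaligned. The names union fd_cmsg, send_fd, receive_fd and fd_roundtrip_ok are chosen here, not taken from monitor_fdpass.c.

```c
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Control buffer aligned by its cmsghdr member, not by how other locals happen to be laid out. */
union fd_cmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Send fd over UNIX socket sock with SCM_RIGHTS; returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    union fd_cmsg cm; struct msghdr msg; struct iovec vec; char ch = 0;  /* one-byte payload */
    memset(&msg, 0, sizeof(msg)); memset(&cm, 0, sizeof(cm));
    vec.iov_base = &ch; vec.iov_len = 1; msg.msg_iov = &vec; msg.msg_iovlen = 1;
    msg.msg_control = cm.buf; msg.msg_controllen = sizeof(cm.buf);
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int)); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));    /* memcpy, never *(int *)CMSG_DATA(cmsg) */
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd; returns -1 unless the message carried exactly one SCM_RIGHTS descriptor. */
int receive_fd(int sock)
{
    union fd_cmsg cm; struct msghdr msg; struct iovec vec; char ch; int fd;
    memset(&msg, 0, sizeof(msg)); memset(&cm, 0, sizeof(cm));
    vec.iov_base = &ch; vec.iov_len = 1; msg.msg_iov = &vec; msg.msg_iovlen = 1;
    msg.msg_control = cm.buf; msg.msg_controllen = sizeof(cm.buf);
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS ||
        cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(fd));    /* memcpy, never *(int *)CMSG_DATA(cmsg) */
    return fd;
}

/* Round-trip a /dev/null descriptor through a socketpair; 1 if the received fd is a distinct
 * descriptor for the same file (same st_dev and st_ino), else 0. */
int fd_roundtrip_ok(void)
{
    int sv[2], in, out, ok = 0; struct stat a, b;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    in = open("/dev/null", O_RDONLY);
    if (in >= 0 && send_fd(sv[0], in) == 0 && (out = receive_fd(sv[1])) >= 0) {
        ok = out != in && fstat(in, &a) == 0 && fstat(out, &b) == 0 &&
             a.st_dev == b.st_dev && a.st_ino == b.st_ino;
        close(out);
    }
    if (in >= 0) close(in);
    close(sv[0]); close(sv[1]);
    return ok;
}
```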
