If you think this [0] is quality workmanship, I never want to work on your team.
I haven't even exhaustively looked through this code, only took a quick glance at clientloop.c [1] and was curious about how the channels were integrated into the poll loop.
This is a mess, and I'm pretty sure I already see a bug.
Edit: I'm not looking at a future CVE, but I've definitely found a bug. For those of you tossing up low-effort straw men, actually go grok the code. The way they've integrated the poll loop into all the actual handling of the returned events is a sprawling mess, and the bug I've found is a direct result of that.
Have you created a new issue ticket for it on GitHub? If I'd spotted a bug, and felt strongly enough to comment on HN about it, opening a new ticket would be my next move.
So I cloned the repo to start looking more closely at the code in a real editor with an eye towards making a PR.
Fortunately the nature of the bug I've found seems unlikely to be a security issue, it's a busy-loop CPU-burning bug in clientloop.c's poll() integration.
Good point on the /issues redirect. They have a separate bug tracker it seems [0]. Thanks for taking the time to look into it. This sort of thing is what makes open source software great.
P.S. I'm not Greg (added it to my profile->about section to clarify).
Out of curiosity, can you explain what's wrong with that code? I dabbled in C a few years back but I'm nowhere near competent enough to find anything wrong with it.
If p is < 0 or >= npfd (the number of elements in pfds), this should read out of bounds of the pfds array, and the check happens too late.
This is similar to a famous Linux kernel bug from ages ago, where a !NULL check was optimized away in such a situation, leading to an exploit: https://lwn.net/Articles/342330/
In this case I'm not aware if something like that happens, or if it happens to be harmless.
The first line is not actually dereferencing anything - it's taking the address of the pointer, and returning another pointer with offset p from the original one.
As far as I know, C allows arbitrary pointer arithmetic (including pointing to an out-of-bounds address) as long as you don't read/write into the invalid memory. If the p check fails, nothing will be done with pfd.
Unfortunately you are not correct. Pointer arithmetic is only valid if the resulting calculated address is within the bounds of the same array as the original pointer, or calculates an address that is just past the end of the array. Otherwise it is our old friend undefined behavior. See section 6.5.6 of the C11 spec.
Given that the function fd_ready is static, it is limited to calls within this translation unit. It looks like the function which calls fd_ready has already confirmed that p is a valid index.
`pfds + p` is only defined if both the original pointer and the result pointer are pointing at elements of the same array or one past the end of that array. Note that executing `pfds - 1` when `pfds` points at the first element of an array is undefined behaviour and may fail on some platforms.
It's not undefined behavior, but it is implementation-defined behavior [0]:
Indirection through an invalid pointer value and passing an invalid pointer value to a deallocation function have undefined behavior. Any other use of an invalid pointer value has implementation-defined behavior.
cppreference.com hosts references for both the C and C++ languages. My quote is from the C language part of the site.
Furthermore, we are not discussing operations on an invalid pointer value. We are talking about the addition operator operating with a pointer value and when its behaviour is defined.
Lastly, it is your reference here that is to a C++ language draft, not the C language.
What is the difference between "operations with an invalid pointer value" and "addition operator operating with a pointer value"?
EDIT (since I can't reply yet):
Official C standard documents are surprisingly hard to come by. The only place I've found one was genesis. Here's a direct quote about pointer arithmetic from ISO/IEC 9899: 1990, page 47:
---
When an expression that has integral type is added to or subtracted from a pointer, the result has the type of the pointer operand.
If the pointer operand points to an element of an array object, and the array is large enough, the result points to an element offset from the original element such that the difference of the subscripts of the resulting and original array elements equals the integral expression. In other words, if the expression P points to the i-th element of an array object, the expressions (P)+N (equivalently. N+(P) ) and (P)-N (where N has the value n) point to, respectively, the i+n-th and i-n-th elements of the array object, provided they exist.
Moreover, if the expression P points to the last element of an array object, the expression (P)+1 points one past the last element of the array object, and if the expression Q points one past the last element of an array object, the expression (Q)-1 points to the last element of the array object.
If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined.
Unless both the pointer operand and the result point to elements of the same array object, or the pointer operand points one past the last element of an array object and the result points to an element of the same array object, the behavior is undefined if the result is used as an operand of the unary * operator.
---
Maybe I just suck at reading technical documents, but I can't figure out which part says that storing an invalid pointer is undefined behavior. Would you care to point it out for me?
If both the pointer operand and the result point to elements of the same array object, or one past the last element of the array object, the evaluation shall not produce an overflow; otherwise, the behavior is undefined.
This is that part that says the result of addition is undefined unless both the original pointer and the result point to the same array object (or one past the last element).
In case it's not obvious how this can happen, it's because the promotion rules can turn them into signed ints, and if they're big enough the product can overflow that. For more details, see https://cryptoservices.github.io/fde/2018/11/30/undefined-be...
In our example here the argument `pfds` to the addition operator in the expression `pfds + p` is (presumably) a perfectly valid pointer. And `p` is a perfectly valid `int`. So there are no invalid pointers passed as arguments to the addition operation. You might think the result of the addition expression is an invalid pointer, but the result is simply undefined behaviour.
Typically an invalid pointer is created by deallocating some memory, which transforms previously valid pointers to the memory into invalid pointers without the pointer values themselves changing their value.
Personally I'd still want to do the check before, because someone could still be adding something in-between the assignment and the check, but if that's the order it's resolved in it seems to be working now.
(I'm guessing they declare and assign the variable first because of C version constraints - wasn't that something that changed in C99?)
This is how I would have written it (I exclusively write C99), but the OpenSSH developers target a lot more platforms that may not have reliable C99 compilers, and are understandably reticent to rely upon the GNU extensions to C89 that would also let them do this.
It's perfectly valid C89 to declare a variable at the start of a nested compound statement no matter where it appears in the outer block, so in practice you can declare variables wherever you want so long as you don't mind the extra clutter.
For consideration, "declare variable" is just that; one could still choose to only assign to it after having done the validation (assuming fatal_f causes control flow termination)
> I am no security guru, but as I understand it, all three have a well deserved security reputation, and the core maintainers run a tight ship.
Among us security gurus, OpenSSL has a really bad reputation. It's a giant pile of spaghetti code with a huge history of critical system vulnerabilities stemming from trying to be everything to everybody. Bitcoin is in the process of writing replacement functionality in order to remove OpenSSL entirely from its dependency tree because they got burned by major bugs multiple times in the past. A lot of modern alternatives like libsodium list "not OpenSSL" as a selling point. The situation is so bad that multiple organizations have forked OpenSSL to create stripped down alternatives (BoringSSL, LibreSSL) that are more likely to be secure.
I know less about the OpenSSH code base specifically, except that it came out of the same culture and the same developers. I wouldn't use it in new projects unless I had no other choice.
Yeah, I too find it a really bizarre comment to make, especially as it is not substantiated with any detail whatsoever.
OpenSSH comes from the house of OpenBSD and LibreSSL.
I am no security guru, but as I understand it, all three have a well deserved security reputation, and the core maintainers run a tight ship.
We've already covered in recent weeks on HN how OpenSSH has maintained its robustness in the face of an increasingly hostile cyber world.[1]
So, if you are going to imply that OpenSSH code is shit, back it up with hard facts.
[1] https://news.ycombinator.com/item?id=30830749