DNS0x20[1] can randomise the case of domain names returned by lookup
to force some more uniqueness in queries to reduce the likelihood
of spoofing attacks succeeding.
Normally this should be hidden from the user by the resolver, but
in some cases it can leak through. When it does, it can mess up
ssh's CanonicalizePermittedCNAMEs.
Fix this by forcing the name we received from the system resolver to
lowercase.
bz3966, report and fix by Martin D Kealey
[1] https://datatracker.ietf.org/doc/html/draft-vixie-dnsext-dns0x20-00

Fix two separate one-byte out-of-bound reads
1) if a server sent an empty reply to an SSH2_FXP_REALPATH request
2) if a batch command used the full 2048 byte buffer but ended in a
literal backslash character
Both reported by Zhenpeng (Leo) Lin from depthfirst
ok markus@

make the transport protocol stricter by disconnecting if the peer
sends non-KEX messages during a key re-exchange.
Previously an evil peer could continue sending non-KEX messages
without penalty, causing memory to be wasted up until the
connection terminated or the server/client hit an OOM limit.
reported by Marko Jevtic; ok markus@

stricter validation of the transport state passed from the
unprivileged preauth sshd-auth process to the user-privileged
postauth sshd-session process.
These are harmless unless an attacker had an exploit for sshd-auth
in which case they could be used for post-auth memory DoS or to
crash your own session in a new and exciting way.
Reported by bylee3 and Kayky Vinicius
ok markus

Enforce a maximum size for usernames in agent key use constraints
Along with the match_pattern() performance change that was just
committed, this avoids a denial-of-service where an agent client could
waste CPU on an agent by sending user constraints with lots of
wildcards.
Reported by Huzaifa Sidhpurwala of Redhat
ok markus

flesh out match_pattern() tests, including a new comparison test of
the new NFA-based implementation against the original one for all
possible combinations of short inputs and patterns constructed from
a small dictionary of possibilities.

Replace the old recursive match_pattern() with an implementation
that uses an NFA for matching. This avoids the exponential worst-case
behaviour for the old implementation.
ok markus@
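The two commits above describe the NFA-based match_pattern() and the exhaustive comparison of it against the old recursive version. What follows is an added example written for this page, not OpenSSH's code: a minimal glob matcher (only '*' and '?') in a backtracking form that has the exponential worst case, an NFA simulation of the kind the commit describes, and an exhaustive cross-check over all short strings and patterns built from a small dictionary. The function names, the MAXPAT limit and the {a,b} / {a,b,*,?} alphabets are choices made for this example, not taken from OpenSSH.

```c
/* Added example: not OpenSSH's match_pattern(); names and MAXPAT are this example's own. */
#include <stdbool.h>
#include <string.h>
#define MAXPAT 1024   /* longest pattern the NFA matcher accepts */

/* Backtracking matcher ('*' = any run, '?' = any one character). At each '*'
 * it tries every split point and recurses, so a pattern like "*?*?*?...x"
 * against a long run of 'a' revisits the same suffixes exponentially often. */
int match_naive(const char *s, const char *p)
{
	for (;;) {
		if (*p == '\0')
			return *s == '\0';
		if (*p == '*') {
			p++;
			if (*p == '\0')
				return 1;
			for (;; s++) {   /* let the star swallow 0, 1, 2, ... characters */
				if (match_naive(s, p))
					return 1;
				if (*s == '\0')
					return 0;
			}
		}
		if (*s == '\0' || (*p != '?' && *p != *s))
			return 0;
		s++;
		p++;
	}
}

/* Activate position i; a '*' can be skipped, so the position after a run of stars is activated too. */
static void add_state(bool *set, const char *p, size_t i)
{
	while (!set[i]) {
		set[i] = true;
		if (p[i] != '*')
			return;
		i++;
	}
}

/* NFA simulation: keep the set of pattern positions reachable after each input
 * character. Each (position, character) pair is handled once, so the cost is
 * O(|s| * |p|) however many wildcards. Returns 1/0, or -1 if |p| > MAXPAT. */
int match_nfa(const char *s, const char *p)
{
	size_t n = strlen(p);
	bool a[MAXPAT + 1] = { false }, b[MAXPAT + 1] = { false };
	bool *cur = a, *next = b, *tmp;
	if (n > MAXPAT)
		return -1;
	add_state(cur, p, 0);
	for (; *s != '\0'; s++) {
		memset(next, 0, (n + 1) * sizeof(bool));
		for (size_t i = 0; i < n; i++) {
			if (!cur[i])
				continue;
			if (p[i] == '*')
				add_state(next, p, i);      /* star eats *s and stays active */
			else if (p[i] == '?' || p[i] == *s)
				add_state(next, p, i + 1);
		}
		tmp = cur; cur = next; next = tmp;
	}
	return cur[n] ? 1 : 0;   /* accepting state: end of pattern reached */
}

/* Write the k-th word of the given length over an alphabet into buf. */
static void kth_word(char *buf, size_t len, const char *alphabet, unsigned long k)
{
	size_t base = strlen(alphabet);
	for (size_t i = 0; i < len; i++) {
		buf[len - 1 - i] = alphabet[k % base];
		k /= base;
	}
	buf[len] = '\0';
}

/* Exhaustive cross-check in the spirit of the test described above: every
 * string over {a,b} and every pattern over {a,b,*,?} of up to max_len
 * characters go through both matchers. Returns 1 if they always agree. */
int compare_all(size_t max_len)
{
	char s[16], p[16];
	if (max_len > 15)
		return 0;   /* keep it small anyway: match_naive is the slow one */
	for (size_t sl = 0; sl <= max_len; sl++)
		for (unsigned long si = 0; si < (1UL << sl); si++) {
			kth_word(s, sl, "ab", si);
			for (size_t pl = 0; pl <= max_len; pl++)
				for (unsigned long pi = 0; pi < (1UL << (2 * pl)); pi++) {
					kth_word(p, pl, "ab*?", pi);
					if (match_naive(s, p) != match_nfa(s, p))
						return 0;
				}
		}
	return 1;
}
```

Running compare_all(4) exercises both matchers on every combination of short inputs; match_nfa() answers the adversarial case (forty 'a' characters against twenty "*?" pairs and a trailing 'x') immediately, whereas match_naive() on the same input would not finish in any useful time, which is exactly the CPU-waste the agent constraint commit refers to.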

Handle sections that specify alignment as 0 when loading an ELF interpreter
(i.e. ld.so). Since the smallest possible alignment actually is the
page size, just start with that and only increase it if a larger alignment
is requested. Also reject interpreters without loadable segments, just
like we did for ld.so a few weeks ago.
Distilled from a report by Andrew Griffiths.
ok jsg@, deraadt@

Validate size of chunks copied to piglet during hibernate unpack
Ensure that the compressed size of the chunk read from the hibernate image
will fit into the reserved space in the piglet for such chunks. Prevents
chunks with invalid sizes from overrunning the piglet. Such corrupted
chunks could be present in tampered or corrupt on-disk hibernate images.
Reported by Frank Denis

Validate sizes against integer overflow when reading chunks in unhibernate
Validate that chunk sizes stored in the chunktable don't result in integer
overflow. Such invalid chunk sizes could be present in tampered or corrupt
on-disk hibernate images.
Reported by Frank Denis

Prevent overread when reading the chunktable in unhibernate
Ensure we don't read past the end of the chunktable, which could happen
with a tampered or corrupted on-disk hibernate image.
Reported by Frank Denis
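The three hibernate commits above each add one check on the on-disk chunktable: the table must not be read past its end, per-entry sizes must not overflow, and each chunk's compressed data must fit the space reserved in the piglet. As an added illustration, not OpenBSD's hibernate code, here is a small model of those checks applied to a constructed in-memory image. The struct layout, the field names, the 256-byte image and the piglet reservation size are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chunktable entry. The field names and layout are assumptions
 * made for this example, not OpenBSD's own structure. */
struct chunk {
	uint64_t base;            /* first physical address the chunk restores */
	uint64_t end;             /* last physical address the chunk restores */
	uint64_t offset;          /* byte offset of the compressed data in the image */
	uint64_t compressed_size; /* byte length of the compressed data */
};

/* Overread check: the chunktable itself must lie entirely inside the image.
 * The multiplication is guarded before it can wrap. */
int chunktable_in_bounds(size_t img_len, size_t table_off, size_t nchunks)
{
	size_t table_len;

	if (nchunks > SIZE_MAX / sizeof(struct chunk))
		return 0;                /* nchunks * sizeof would wrap */
	table_len = nchunks * sizeof(struct chunk);
	if (table_off > img_len || table_len > img_len - table_off)
		return 0;                /* table runs past the end of the image */
	return 1;
}

/* Per-entry checks: offset + size must not overflow, the data must lie inside
 * the image, and it must fit the space reserved for it in the piglet. */
int chunk_entry_ok(const struct chunk *c, size_t img_len, size_t piglet_reserved)
{
	if (c->end < c->base)
		return 0;                /* reversed address range */
	if (c->compressed_size == 0)
		return 0;                /* nothing to unpack */
	if (c->compressed_size > UINT64_MAX - c->offset)
		return 0;                /* offset + size would wrap around */
	if (c->offset + c->compressed_size > img_len)
		return 0;                /* data extends past the image */
	if (c->compressed_size > piglet_reserved)
		return 0;                /* would overrun the piglet */
	return 1;
}

/* Validate every entry before any chunk is copied into the piglet.
 * Returns the number of entries on success, or -1 at the first failed check. */
int validate_image(const uint8_t *img, size_t img_len, size_t table_off,
    size_t nchunks, size_t piglet_reserved)
{
	struct chunk c;

	if (!chunktable_in_bounds(img_len, table_off, nchunks))
		return -1;
	for (size_t i = 0; i < nchunks; i++) {
		memcpy(&c, img + table_off + i * sizeof c, sizeof c); /* alignment-safe */
		if (!chunk_entry_ok(&c, img_len, piglet_reserved))
			return -1;
	}
	return (int)nchunks;
}

/* Constructed scenarios: a 256-byte zeroed image holding one table entry at
 * offset 0. Case 0 is well-formed; cases 1-5 each trip one of the checks. */
int scenario(int which)
{
	uint8_t img[256];
	struct chunk c = { 0x1000, 0x1fff, 64, 100 }; /* data occupies bytes 64..163 */
	size_t nchunks = 1, piglet = 4096;

	switch (which) {
	case 1: c.compressed_size = UINT64_MAX - 10; break; /* offset + size wraps */
	case 2: piglet = 64; break;                         /* 100 bytes into a 64-byte slot */
	case 3: c.end = 0x0fff; break;                      /* end before base */
	case 4: nchunks = 100; break;                       /* table would need 3200 bytes */
	case 5: c.compressed_size = 200; break;             /* 64 + 200 runs past byte 256 */
	default: break;
	}
	memset(img, 0, sizeof img);
	memcpy(img, &c, sizeof c);
	return validate_image(img, sizeof img, 0, nchunks, piglet);
}

int main(void)
{
	for (int i = 0; i <= 5; i++)
		printf("scenario %d: %s\n", i, scenario(i) < 0 ? "rejected" : "ok");
	return 0;
}
```

The ordering matters: the table bounds are established before any entry is read, and each entry's arithmetic is checked for wrap-around before the sum is compared against the image length, so a corrupt or tampered image is rejected without a single out-of-bounds read or copy.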

Disable builtins in strlcpytest.c. Otherwise, clang w/ optimizations
enabled will treat strlcpy(NULL, ...) as undefined behavior and optimize
the invocation away.
Regression introduced after the llvm 22 upgrade.

Disable kbind() and pinsyscalls() for static binaries at the correct
time, which is inside exec_elf_makecmds(). Amusingly, it looks like
these protection mechanisms are not needed because other process state
protects against kbind use since we completed the switch to static pie.
Also any privileged static binary (which we ship, setuid or daemon) is
not going to contain a pinsyscall or kbind slot in the loaded pinsyscalls
table, so they cannot perform those. Only synthetic binaries with their
own pinsyscalls table could play, but of course they won't run with
privilege.
from Andrew Griffiths at Calif
ok kettenis, andrew also approves of this approach