#
294691 |
|
24-Jan-2016 |
sobomax |
Fix bug in the readpassphrase(3) function, which can be exposed by application closing its stdin (i.e. STDIN_FILENO) prior to calling readpassphrase WITHOUT setting RPP_STDIN. What happens then is that the readpassphrase would open /dev/tty, and since file descriptors are reused, the call would return first unused fd, which is 0 which is also STDIN_FILENO. Then due to the usage of "input != STDIN_FILENO" in the code to do its logic, that would result in noecho flags not set on that file descriptor, which was original issue I've been trying to fix.
In addition to that, the readpassphrase() would leak file descriptor on its way out, so fix that one as well.
This problem can be tested with:
$ ssh-add - < /tmp/myprivate.key
The password will not be hidden as it should and ktrace will show:
53326 ssh-add CALL open(0x80142443c,0x100002<O_RDWR|O_CLOEXEC>,<unused>0x165f030) 53326 ssh-add NAMI "/dev/tty" 53326 ssh-add RET open 0 53326 ssh-add CALL sigprocmask(SIG_SETMASK,0x802eb1324,0x7fffffffd5e0) 53326 ssh-add RET sigprocmask 0 53326 ssh-add CALL sigaction(SIGALRM,0x7fffffffd630,0x7fffffffd610)
Instead of:
57690 ssh-add CALL open(0x80142443c,0x100002<O_RDWR|O_CLOEXEC>,<unused>0x165f030) 57690 ssh-add NAMI "/dev/tty" 57690 ssh-add RET open 4 57690 ssh-add CALL ioctl(0x4,TIOCGETA,0x7fffffffd860) 57690 ssh-add RET ioctl 0 57690 ssh-add CALL ioctl(0x4,TIOCSETAF,0x7fffffffd680) 57690 ssh-add RET ioctl 0 57690 ssh-add CALL sigprocmask(SIG_SETMASK,0x802eb1324,0x7fffffffd620) 57690 ssh-add RET sigprocmask 0 57690 ssh-add CALL sigaction(SIGALRM,0x7fffffffd670,0x7fffffffd650)
For the case when the key is read from the file.
Technically this can also be workaround'ed at the application side by not closing the STDIN_FILENO in the first place, but readpassphrase(3) doesn't need to make any assumptions about that. Plus the file descriptor leak confirms that this is an oversight, rather than a deliberate behaviour.
MFC after: 1 week
|
#
287292 |
|
29-Aug-2015 |
kib |
Switch libc from using _sig{procmask,action,suspend} symbols, which are aliases for the syscall stubs and are plt-interposed, to the libc-private aliases of internally interposed sigprocmask() etc.
Since e.g. _sigaction is not interposed by libthr, calling signal() removes thr_sighandler() from the handler slot etc. The result was breaking signal semantic and rtld locking.
The added __libc_sigprocmask and other symbols are hidden, they are not exported and cannot be called through PLT. The setjmp/longjmp functions for x86 were changed to use direct calls, and since PIC_PROLOGUE only needed for functional PLT indirection on i386, it is removed as well.
The PowerPC bug of calling the syscall directly in the setjmp/longjmp implementation is kept as is.
Reported by: Pete French <petefrench@ingresso.co.uk> Tested by: Michiel Boland <boland37@xs4all.nl> Reviewed by: jilles (previous version) Sponsored by: The FreeBSD Foundation MFC after: 1 week
|
#
241046 |
|
29-Sep-2012 |
jilles |
libc: Use O_CLOEXEC for various internal file descriptors.
This fixes a race condition where another thread may fork() before CLOEXEC is set, unintentionally passing the descriptor to the child process.
This commit only adds O_CLOEXEC flags to open() or openat() calls where no fcntl(fd, F_SETFD, FD_CLOEXEC) follows. The separate fcntl() call still leaves a race window so it should be fixed later.
|
#
91922 |
|
09-Mar-2002 |
green |
Fix build. I commented out getpass() in readpassphrase.c because the implementation did not match our manpage description (i.e., it could return NULL). I mistakenly thought we were still using getpass.c because, for some reason, CVS never removed it from the tree.
Pointy hat received from: alfred Kick in the groin to: CVS
|