Open mkj opened 2 years ago
The attached oss-fuzz case for Dropbear SSH reports uninitialised memory. It appears that explicit_bzero() isn't handled correctly by msan; replacing it with plain memset() in dbhelpers.c m_burn() resolves the sanitizer error.
The call in the testcase is coming from ecc_ansi_x963_export() -> zeromem() -> m_burn() -> explicit_bzero().
14630_crash_info_dropbear_Use-of-uninitialized-value.txt
Uninitialized value was created by an allocation of 'buf' in the stack frame of function 'ecc_ansi_x963_export'
Base64 testcase: AgAAAfEAAACFBAHqNMmoriKZ+LgWqFtiHuKXnW+pQTQEZJMbVZogafvfwq/5uWgu7t2uhzzq/WOINVoScyhoWmZgemjurp6R01di+gGRkC0EirjG5EtweiiNIua4hMdoQdR36go+Sr7sDFdHgh0XsNwPIHMCVy8n90AdCH6l/+rSBZDrQf4OUN2gYcnsAQ==
FYI I came across the same issue. I have solved that by https://github.com/CZ-NIC/knot/commit/564f616162494a63e4e61b64ff8cefd20fe1bddc
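The workaround described in the report and in the follow-up comment, shown as an added example rather than Dropbear's own dbhelpers.c: an m_burn() that keeps explicit_bzero() in normal builds and only switches to memset() when the translation unit is compiled under MemorySanitizer. The `__has_feature(memory_sanitizer)` check is clang's macro (gcc does not define it), the glibc version guard for explicit_bzero() and the volatile-loop fallback are assumptions of this example, and the helper that fills and wipes a stack buffer mirrors the `buf` allocation in the sanitizer report with constructed sample bytes.

```c
/* Added example, not Dropbear's code: m_burn() that uses memset() only
 * when built with MemorySanitizer, explicit_bzero() otherwise. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>

/* clang exposes __has_feature(); under gcc the guard simply stays 0. */
#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    define BURN_UNDER_MSAN 1
#  endif
#endif
#ifndef BURN_UNDER_MSAN
#  define BURN_UNDER_MSAN 0
#endif

/* Assumption: glibc gained explicit_bzero() in 2.25; elsewhere fall back
 * to a volatile write loop the optimiser cannot drop as a dead store. */
#if defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25))
#  define HAVE_EXPLICIT_BZERO 1
#else
#  define HAVE_EXPLICIT_BZERO 0
#endif

/* Reports which wipe path this build compiled in: 2 = memset under MSan,
 * 1 = explicit_bzero, 0 = volatile loop. Useful when checking a CI build. */
int m_burn_mode(void)
{
#if BURN_UNDER_MSAN
    return 2;
#elif HAVE_EXPLICIT_BZERO
    return 1;
#else
    return 0;
#endif
}

void m_burn(void *data, unsigned int len)
{
    if (data == NULL) {
        return;
    }
#if BURN_UNDER_MSAN
    /* MSan instruments memset() and marks the bytes as initialised; the
     * empty asm with a memory clobber keeps the call from being elided. */
    memset(data, 0, len);
    __asm__ __volatile__("" : : "r"(data) : "memory");
#elif HAVE_EXPLICIT_BZERO
    explicit_bzero(data, len);
#else
    volatile unsigned char *p = (volatile unsigned char *)data;
    while (len--) {
        *p++ = 0;
    }
#endif
}

/* Mirrors the failing path in the report: a stack buffer is only partly
 * written, then the whole buffer is wiped. Returns 1 when every byte is
 * zero afterwards. The "secret" bytes are constructed sample data. */
int burn_stack_buffer_is_zero(void)
{
    unsigned char buf[64];
    size_t i;

    /* constructed sample: only the first 16 bytes are ever written */
    for (i = 0; i < 16; i++) {
        buf[i] = (unsigned char)(0xA5 ^ i);
    }
    m_burn(buf, (unsigned int)sizeof(buf));
    for (i = 0; i < sizeof(buf); i++) {
        if (buf[i] != 0) {
            return 0;
        }
    }
    return 1;
}
```

Building this file with `clang -fsanitize=memory` selects the memset() path, so the report's uninitialised-value finding on `buf` no longer fires, while a release build keeps the non-elidable explicit_bzero() wipe.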