Mercurial > dropbear
annotate fuzz/fuzzer-kexcurve25519.c @ 1930:299f4f19ba19
Add /usr/sbin and /sbin to default root PATH
When dropbear is used in a very restricted environment (such as in a
initrd), the default user shell is often also very restricted
and doesn't take care of setting the PATH so the user ends up
with the PATH set by dropbear. Unfortunately, dropbear always
sets "/usr/bin:/bin" as default PATH even for the root user
which should have /usr/sbin and /sbin too.
For a concrete instance of this problem, see the "Remote Unlocking"
section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/
It speaks of a bug in the initramfs script because it's written "blkid"
instead of "/sbin/blkid"... this is just because the scripts from the
initramfs do not expect to have a PATH without the sbin directories and
because dropbear is not setting the PATH appropriately for the root user.
I'm thus suggesting to use the attached patch to fix this misbehaviour (I
did not test it, but it's easy enough). It might seem anecdotic but
multiple Kali users have been bitten by this.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
| author | Raphael Hertzog <hertzog@debian.org> |
|---|---|
| date | Mon, 09 Jul 2018 16:27:53 +0200 |
| parents | 0cc85b4a4abb |
| children |
| rev | line source |
|---|---|
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
1 #include "fuzz.h" |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
2 #include "session.h" |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
3 #include "fuzz-wrapfd.h" |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
4 #include "debug.h" |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
5 #include "runopts.h" |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
6 #include "algo.h" |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
7 #include "bignum.h" |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
8 |
|
1772
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
9 static struct key_context* keep_newkeys = NULL; |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
10 /* An arbitrary limit */ |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
11 #define NUM_PARAMS 80 |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
12 static struct kex_curve25519_param *curve25519_params[NUM_PARAMS]; |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
13 |
|
1772
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
14 static void setup() __attribute__((constructor)); |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
15 // Perform initial setup here to avoid hitting timeouts on first run |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
16 static void setup() { |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
17 fuzz_common_setup(); |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
18 fuzz_svr_setup(); |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
19 |
|
1772
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
20 keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context)); |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
21 keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519-sha256"); |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
22 keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519; |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
23 ses.newkeys = keep_newkeys; |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
24 |
|
1772
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
25 /* Pre-generate parameters */ |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
26 int i; |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
27 for (i = 0; i < NUM_PARAMS; i++) { |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
28 curve25519_params[i] = gen_kexcurve25519_param(); |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
29 } |
|
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
30 } |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
31 |
|
1772
0cc85b4a4abb
Move fuzzer-kex initialisation into a constructor function
Matt Johnston <matt@ucc.asn.au>
parents:
1756
diff
changeset
|
32 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
33 if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) { |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
34 return 0; |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
35 } |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
36 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
37 m_malloc_set_epoch(1); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
38 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
39 if (setjmp(fuzz.jmp) == 0) { |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
40 /* Based on recv_msg_kexdh_init()/send_msg_kexdh_reply() |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
41 with DROPBEAR_KEX_CURVE25519 */ |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
42 ses.newkeys = keep_newkeys; |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
43 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
44 /* Choose from the collection of curve25519 params */ |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
45 unsigned int e = buf_getint(fuzz.input); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
46 struct kex_curve25519_param *curve25519_param = curve25519_params[e % NUM_PARAMS]; |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
47 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
48 buffer * ecdh_qs = buf_getstringbuf(fuzz.input); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
49 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
50 ses.kexhashbuf = buf_new(KEXHASHBUF_MAX_INTS); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
51 kexcurve25519_comb_key(curve25519_param, ecdh_qs, svr_opts.hostkey); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
52 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
53 mp_clear(ses.dh_K); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
54 m_free(ses.dh_K); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
55 buf_free(ecdh_qs); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
56 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
57 buf_free(ses.hash); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
58 buf_free(ses.session_id); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
59 /* kexhashbuf is freed in kexdh_comb_key */ |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
60 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
61 m_malloc_free_epoch(1, 0); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
62 } else { |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
63 m_malloc_free_epoch(1, 1); |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
64 TRACE(("dropbear_exit longjmped")) |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
65 /* dropbear_exit jumped here */ |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
66 } |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
67 |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
68 return 0; |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
diff
changeset
|
69 } |