diff --git a/openssh-7.1p2-audit-race-condition.patch b/openssh-7.1p2-audit-race-condition.patch index 0a58fb4..aa82e52 100644 --- a/openssh-7.1p2-audit-race-condition.patch +++ b/openssh-7.1p2-audit-race-condition.patch @@ -1,8 +1,7 @@ -diff --git a/monitor_wrap.c b/monitor_wrap.c -index 89a1762..fe98e08 100644 ---- a/monitor_wrap.c -+++ b/monitor_wrap.c -@@ -1251,4 +1251,48 @@ mm_audit_destroy_sensitive_data(const char *fp, pid_t pid, uid_t uid) +diff -up openssh-7.3p1/monitor_wrap.c.audit-race openssh-7.3p1/monitor_wrap.c +--- openssh-7.3p1/monitor_wrap.c.audit-race 2016-12-15 14:27:22.376603747 +0100 ++++ openssh-7.3p1/monitor_wrap.c 2016-12-15 14:27:22.381603742 +0100 +@@ -1256,4 +1256,48 @@ mm_audit_destroy_sensitive_data(const ch mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, &m); buffer_free(&m); } @@ -32,13 +31,13 @@ index 89a1762..fe98e08 100644 + buffer_clear(&m); + buffer_append_space(&m, msg_len); + if (atomicio(read, fdin, buffer_ptr(&m), msg_len) != msg_len) { -+ error("%s: Failed to read the the buffer conent from the child", __func__); ++ error("%s: Failed to read the the buffer content from the child", __func__); + ret = -1; + break; + } + if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || + atomicio(vwrite, pmonitor->m_recvfd, buffer_ptr(&m), msg_len) != msg_len) { -+ error("%s: Failed to write the messag to the monitor", __func__); ++ error("%s: Failed to write the message to the monitor", __func__); + ret = -1; + break; + } 
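Review bot: The corrected error string in the `@@ -32,13 +31,13 @@` hunk still reads "the the buffer content": the rebase fixes "conent" but keeps the doubled article, so the log line written by the relay loop is still wrong. It should become `error("%s: Failed to read the buffer content from the child", __func__);`. The enclosing relay function in monitor_wrap.c starts and ends outside this hunk.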
@@ -51,11 +50,10 @@ index 89a1762..fe98e08 100644 + pmonitor->m_recvfd = fd; +} #endif /* SSH_AUDIT_EVENTS */ -diff --git a/monitor_wrap.h b/monitor_wrap.h -index e73134e..fbfe395 100644 ---- a/monitor_wrap.h -+++ b/monitor_wrap.h -@@ -86,6 +86,8 @@ void mm_audit_unsupported_body(int); +diff -up openssh-7.3p1/monitor_wrap.h.audit-race openssh-7.3p1/monitor_wrap.h +--- openssh-7.3p1/monitor_wrap.h.audit-race 2016-12-15 14:27:22.376603747 +0100 ++++ openssh-7.3p1/monitor_wrap.h 2016-12-15 14:27:22.381603742 +0100 +@@ -88,6 +88,8 @@ void mm_audit_unsupported_body(int); void mm_audit_kex_body(int, char *, char *, char *, char *, pid_t, uid_t); void mm_audit_session_key_free_body(int, pid_t, uid_t); void mm_audit_destroy_sensitive_data(const char *, pid_t, uid_t); @@ -64,11 +62,10 @@ index e73134e..fbfe395 100644 #endif struct Session; -diff --git a/session.c b/session.c -index 8949fd1..9afb764 100644 ---- a/session.c -+++ b/session.c -@@ -159,6 +159,10 @@ static Session *sessions = NULL; +diff -up openssh-7.3p1/session.c.audit-race openssh-7.3p1/session.c +--- openssh-7.3p1/session.c.audit-race 2016-12-15 14:27:22.378603745 +0100 ++++ openssh-7.3p1/session.c 2016-12-15 14:27:22.382603741 +0100 +@@ -164,6 +164,10 @@ static Session *sessions = NULL; login_cap_t *lc; #endif 
@@ -79,7 +76,35 @@ index 8949fd1..9afb764 100644 static int is_child = 0; static int in_chroot = 0; static int have_dev_log = 1; -@@ -875,6 +879,8 @@ do_exec(Session *s, const char *command) +@@ -457,6 +457,8 @@ do_authenticated1(Authctxt *authctxt) + } + } + ++void child_destory_sensitive_data(); ++ + #define USE_PIPES 1 + /* + * This is called to fork and execute a command when we have no tty. This +@@ -588,6 +592,8 @@ do_exec_no_pty(Session *s, const char *c + cray_init_job(s->pw); /* set up cray jid and tmpdir */ + #endif + ++ child_destory_sensitive_data(); ++ + /* Do processing for the child (exec command etc). */ + do_child(s, command); + /* NOTREACHED */ +@@ -722,6 +728,9 @@ do_exec_pty(Session *s, const char *comm + /* Close the extra descriptor for the pseudo tty. */ + close(ttyfd); + ++ /* Do this early, so we will not block large MOTDs */ ++ child_destory_sensitive_data(); ++ + /* record login, etc. similar to login(1) */ + #ifndef HAVE_OSF_SIA + if (!(options.use_login && command == NULL)) { +@@ -903,6 +912,8 @@ do_exec(Session *s, const char *command) } if (s->command != NULL && s->ptyfd == -1) s->command_handle = PRIVSEP(audit_run_command(s->command)); @@ -88,7 +113,7 @@ index 8949fd1..9afb764 100644 #endif if (s->ttyfd != -1) ret = do_exec_pty(s, command); -@@ -890,6 +896,20 @@ do_exec(Session *s, const char *command) +@@ -918,6 +929,20 @@ do_exec(Session *s, const char *command) */ buffer_clear(&loginmsg); @@ -109,10 +134,13 @@ index 8949fd1..9afb764 100644 return ret; } -@@ -1707,12 +1727,28 @@ do_child(Session *s, const char *command) - struct passwd *pw = s->pw; - int r = 0; +@@ -1751,6 +1776,33 @@ child_close_fds(void) + endpwent(); + } ++void ++child_destory_sensitive_data() ++{ +#ifdef SSH_AUDIT_EVENTS + int pparent = paudit[1]; + close(paudit[0]); 
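Review bot: The forward declaration `void child_destory_sensitive_data();` inserted before `#define USE_PIPES 1` is not a prototype — an empty parameter list in C leaves calls unchecked — and the definition in the `@@ -1751,6 +1776,33 @@` hunk below repeats the form, so both should read `child_destory_sensitive_data(void)` as the rest of OpenSSH does. The name is also misspelled ("destory"), now in the declaration, the definition and three call sites, and since every visible caller is in session.c the declaration could be `static` unless some file not shown here references it. Placing the prototype with the other file-scope declarations near the top of session.c rather than between do_authenticated1 and the USE_PIPES define would match the file's layout. The comment `/* Do this early, so we will not block large MOTDs */` in do_exec_pty would be clearer if it named the blocking it avoids — presumably the parent is reading the audit pipe until the child closes its end, so the MOTD must not be written before that — e.g. `/* Close the audit pipe before the MOTD is written: the parent blocks reading it until we close our end. */`, marked as an assumption to confirm against do_exec.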
@@ -121,23 +149,35 @@ index 8949fd1..9afb764 100644 + mm_set_monitor_pipe(pparent); +#endif + - /* remove hostkey from the child's memory */ -- destroy_sensitive_data(1); -- /* Don't audit this - both us and the parent would be talking to the -- monitor over a single socket, with no synchronization. */ ++ /* remove hostkey from the child's memory */ + destroy_sensitive_data(use_privsep); + /* -+ * We can audit this, because wer hacked the pipe to direct the ++ * We can audit this, because we hacked the pipe to direct the + * messages over postauth child. But this message requires answer + * which we can't do using one-way pipe. + */ - packet_destroy_all(0, 1); - ++ packet_destroy_all(0, 1); ++ +#ifdef SSH_AUDIT_EVENTS + /* Notify parent that we are done */ + close(pparent); +#endif + ++} ++ + /* + * Performs common processing for the child, such as setting up the + * environment, closing extra file descriptors, setting the user and group +@@ -1768,12 +1820,6 @@ do_child(Session *s, const char *command + struct passwd *pw = s->pw; + int r = 0; + +- /* remove hostkey from the child's memory */ +- destroy_sensitive_data(1); +- /* Don't audit this - both us and the parent would be talking to the +- monitor over a single socket, with no synchronization. */ +- packet_destroy_all(0, 1); +- /* Force a password change */ if (s->authctxt->force_pwchange) { do_setusercontext(pw);
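Review bot: The host-key scrub in the child now depends on a caller having run child_destory_sensitive_data() first, because `destroy_sensitive_data(use_privsep)` and `packet_destroy_all(0, 1)` are removed from do_child at the end of this hunk; the calls this patch inserts are in do_exec_no_pty and do_exec_pty, no other route into do_child is visible here, but session.c is not shown in full, so the invariant should be stated where do_child begins, e.g. `/* Callers must have run child_destory_sensitive_data() before do_child(). */`. The comment above `packet_destroy_all(0, 1)` is hard to follow — it first says the call can be audited over the redirected pipe and then that the message needs an answer the one-way pipe cannot deliver — so it should say plainly which of the two applies to this call. The blank line left before the closing `}` of the new function is a stray.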