fix: guard sshd chroot steps after a failure#1088
Open
MarkAtwood wants to merge 1 commit into
Open
Conversation
SetupChroot() in wolfsshd ran chdir(chrootPath), chroot(chrootPath) and
chdir("/") in three independent if-blocks with a single return at the end.
Each ran unconditionally, so chroot() executed even when the preceding
chdir() into the target failed. That can leave the process chrooted with a
working directory still outside the new root.
Short-circuit the later steps on the ret>0 (no-failure) state so chroot()
runs only after the chdir() into the target succeeds, and chdir("/") only
after chroot() succeeds. WS_FATAL_ERROR is negative, so ret>0 is true only
while no step has failed.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the wolfsshd chroot setup sequence by ensuring later chroot steps only execute when earlier prerequisite steps succeeded, avoiding unsafe partial-chroot states.
Changes:
- Adds explicit short-circuit guards so
chroot()only runs after a successfulchdir(chrootPath). - Ensures
chdir("/")only runs after a successfulchroot(). - Adds an explanatory in-code comment documenting why the sequencing guard matters.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| * chdir("/") once inside the new root. Running a later step after an | ||
| * earlier failure could leave the process chrooted with a working | ||
| * directory outside the new root. */ | ||
| if (ret > 0 && chroot(chrootPath) != 0) { |
| ret = WS_FATAL_ERROR; | ||
| } | ||
| if (chdir("/") != 0) { | ||
| if (ret > 0 && chdir("/") != 0) { |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
SetupChroot()inapps/wolfsshd/wolfsshd.cperforms the chroot sequence in three independentifblocks with a singlereturnat the end:Every step runs unconditionally, so
chroot()executes even when the precedingchdir(chrootPath)failed. The secure idiom requires being inside the target directory before/at chroot; runningchroot()after a failedchdircan leave the process chrooted with a working directory outside the new root. The caller does abort on the negative return, butchroot()has already run by then, so this is a defense-in-depth gap.Fix
Short-circuit the later steps on
ret > 0(the no-failure state) sochroot()runs only after thechdir()into the target succeeds, andchdir("/")only afterchroot()succeeds.WS_FATAL_ERRORis-1001, soret > 0holds only while no step has failed.Verified: wolfsshd builds cleanly (
--enable-sshd) against wolfSSL--enable-sshwith the change. No behavioral change on the success path (all three steps still run andretstays1); on failure the chain now stops at the first failed step.Note: no automated test is added —
SetupChrootis a static function whose failure path requiresrootplus a specifically failingchdir, which isn't exercisable in the wolfSSH test harness.Reported by static analysis (Fenrir finding 58).