oss-sec mailing list archives

Re: libssh2 Base64 Encoding Heap Overflow in Known Hosts SHA1 Hash Processing


From: Solar Designer <solar () openwall com>
Date: Tue, 26 Aug 2025 21:29:34 +0200

Hi,

Thank you for finding this, getting it fixed, and bringing it in here.

Just one minor detail:

On Tue, Aug 26, 2025 at 09:56:06PM +0400, Dhiraj Mishra wrote:
> I've successfully created a libFuzzer harness targeting the
> libssh2_knownhost_readline() API, used for parsing SSH known_hosts files.
> The fuzzer discovered a heap buffer overflow vulnerability in the
> _libssh2_base64_encode() function when processing malformed hashed hostname
> entries.
>
> ==41411==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x6020000000d5 at pc 0x00010728cb0f bp 0x7ff7b9a37f90 sp 0x7ff7b9a37758
> READ of size 6 at 0x6020000000d5 thread T0
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow misc.c:463 in
> _libssh2_base64_encode

This looks like yet another case of ASan mislabeling over-reads as
overflows (which it does all the time).

Can someone in particular please volunteer for getting this wording
fixed in ASan, I guess separately in clang and gcc?

Meanwhile, we should be careful to recognize and re-label such findings,
so e.g. this message's Subject and first paragraph should correctly say
"over-read" and not "overflow".  Of course, until ASan's wording is
fixed, realistically many if not most vulnerability reports based on
fuzzing+ASan will continue to be mislabeled like that, probably also
leading to wrong CVSS vectors and thus wrong scores (likely
exaggerated).  But at least the few of us reading this message may try
and do better, please.

Thanks,

Alexander
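A triage check for the relabeling Alexander asks for, added here as an example and not part of the thread or of libssh2: it parses an ASan report (a constructed sample modelled on the one quoted above, with the wrapped first line rejoined) and, for an "overflow" bug kind whose faulting access is a READ, reports it as an over-read instead. Reports without a READ/WRITE line keep ASan's label and are flagged for manual review.

```python
import re

# Constructed sample, modelled on the ASan report quoted in the thread above
# (address/pc values copied from that quote; the first line is rejoined so it
# matches the single line ASan actually prints).
SAMPLE_REPORT = """\
==41411==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d5 at pc 0x00010728cb0f bp 0x7ff7b9a37f90 sp 0x7ff7b9a37758
READ of size 6 at 0x6020000000d5 thread T0
SUMMARY: AddressSanitizer: heap-buffer-overflow misc.c:463 in _libssh2_base64_encode
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[a-z-]+) on address 0x[0-9a-fA-F]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+", re.MULTILINE)
SUMMARY_RE = re.compile(r"SUMMARY: AddressSanitizer: \S+ (?P<loc>\S+) in (?P<func>\S+)")

# ASan bug kinds whose name says "overflow" regardless of access direction.
OVERFLOW_KINDS = {
    "heap-buffer-overflow", "stack-buffer-overflow", "global-buffer-overflow",
    "dynamic-stack-buffer-overflow", "container-overflow",
}


def relabel(report: str) -> dict:
    """Return ASan's bug kind with 'overflow' corrected to 'over-read' when the
    faulting access is a READ; a report with no READ/WRITE line keeps ASan's
    own label and is marked unclassified."""
    err = ERROR_RE.search(report)
    if err is None:
        raise ValueError("not an AddressSanitizer report: no ERROR line")
    kind = err.group("kind")
    access = ACCESS_RE.search(report)
    summary = SUMMARY_RE.search(report)
    result = {
        "asan_label": kind,
        "label": kind,
        "access": access.group("op") if access else None,
        "size": int(access.group("size")) if access else None,
        "function": summary.group("func") if summary else None,
        "location": summary.group("loc") if summary else None,
    }
    if kind in OVERFLOW_KINDS and access is not None:
        if access.group("op") == "READ":
            result["label"] = kind.replace("overflow", "over-read")
            result["impact"] = "out-of-bounds read: information disclosure or crash"
        else:
            result["impact"] = "out-of-bounds write: memory corruption"
    else:
        result["impact"] = "unclassified: check the report by hand"
    return result


if __name__ == "__main__":
    for key, value in relabel(SAMPLE_REPORT).items():
        print(f"{key:>10}: {value}")
```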

