Title: Notes on regreSSHion on musl
Date: 2024-07-01 17:4

Today, Qualys' Threat Research Unit published another stellar paper: [RCE in OpenSSH's server, on glibc-based
Linux systems](https://www.openwall.com/lists/oss-security/2024/07/01/3),
nicknamed regreSSHion, aka [CVE-2024-6387](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6387).
Since I'm running [Alpine Linux](https://alpinelinux.org/), which is using the
[musl libc](https://musl.libc.org/), I was curious about the impact there.
Fortunately, it boils down to a deadlock at worst:

- Its [syslog implementation](https://git.musl-libc.org/cgit/musl/tree/src/misc/syslog.c) doesn't
  (sub)call async-signal-unsafe functions (see the callgraph [here]({static}/images/callgraph_syslog_musl.png)), nor does it dynamically allocate memory.
  Interestingly, string-formatting functions like `(v)snprintf` don't allocate memory by
  design, to prevent them from failing under memory pressure.
- <s>Thanks to its small size</s> Due to [various
  factors](https://www.openwall.com/lists/oss-security/2024/07/01/13) (thanks
  to [minipli](https://x.com/_minipli) for pointing it out), it's not affected
  by [ASLRn't](https://zolutal.github.io/aslrnt/), making the exploitation
  harder, should it be possible in the first place.
- The heap allocator might be a bit more annoying to exploit, due to its
  security-oriented design.
- The `FILE`-based exploitation technique chosen by Qualys looks a tad easier on
  musl than on glibc, but given the above points and the fact that there is no
  handy `FILE` to corrupt, it's a non-issue.

This analysis was confirmed [on Mastodon](https://fosstodon.org/@musl/112711796005712271):

> OpenSSH sshd on musl-based systems is not vulnerable to RCE via CVE-2024-6387 (regreSSHion).
>
> This is because we do not use localtime in log timestamps and do not use dynamic allocation (because it could fail under memory pressure) for printf formatting.
>
> While the sshd bug is UB (AS-unsafe syslog call from signal context), very deliberate decisions we made for other good reasons reduced the potential impact to deadlock taking a lock.
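
As an added illustration (not code from this post, from OpenSSH or from musl), here is the pattern behind the bug next to the pattern that avoids it: a SIGALRM handler that calls `syslog(3)` directly, and one that only sets a `sig_atomic_t` flag so the main loop does the formatting and logging. Function names and log strings are made up for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* Written by the handler, read by the main loop: a volatile sig_atomic_t
 * is the one object type a handler may assign to without further rules. */
static volatile sig_atomic_t grace_expired = 0;

/* The pattern behind the bug: syslog(3) is not async-signal-safe. On glibc
 * it may re-enter malloc() or call localtime(); on musl the worst case is
 * re-taking its own lock and deadlocking. Kept only for contrast. */
void unsafe_grace_alarm(int sig)
{
    (void)sig;
    syslog(LOG_INFO, "Timeout before authentication"); /* UB in signal context */
}

/* Safe handler: sets a flag and at most calls write(2), which is
 * async-signal-safe; no formatting, no locks, no allocation. */
void safe_grace_alarm(int sig)
{
    static const char note[] = "grace alarm fired\n";
    ssize_t r = write(STDERR_FILENO, note, sizeof note - 1);
    (void)sig;
    (void)r;
    grace_expired = 1;
}

int install_safe_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = safe_grace_alarm;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGALRM, &sa, NULL);
}

/* Main-loop side: here formatting and syslog() are legal. Returns 1 if a
 * pending alarm was logged, 0 if nothing was pending. */
int drain_grace_alarm(char *buf, size_t len)
{
    if (!grace_expired)
        return 0;
    grace_expired = 0;
    snprintf(buf, len, "Timeout before authentication (deferred from handler)");
    syslog(LOG_INFO, "%s", buf);
    return 1;
}
```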
