Date: Sat, 30 Jun 2012 13:47:46 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: asan doesn't like dynamic format

Hi,

I compiled JtR using the "make linux-x86-64-clang-debug" target with the BSDI
format disabled (problem reported in another thread)
and ran "../run/john -format=dynamic_0 -t", which resulted in a crash.

Benchmarking: dynamic_0: md5($p) (raw-md5) [128/128 SSE2 intrinsics 6x4x5]...
=================================================================
==26584== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006b0240 at pc 0x451300 bp 0x7fffc99235f0 sp 0x7fffc99235e8
READ of size 4 at 0x0000006b0240 thread T0
    #0 0x451300 in set_key /home/dsk/magnum-jumbo/src/dynamic_fmt.c:1077
0x0000006b0240 is located 0 bytes inside of global variable '.str12
(formats.c)' (0x6b0240) of size 1
  '.str12 (formats.c)' is ascii string ''
==26584== ABORTING
Stats: 0M malloced (0M for red zones) by 18 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 5 calls
Stats: 0M really freed by 0 calls
Stats: 16M (4098 full pages) mmaped in 4 calls
  mmaps   by size class: 8:16383; 10:4095; 13:512; 17:32;
  mallocs by size class: 8:6; 10:5; 13:1; 17:6;
  frees   by size class: 10:5;
  rfrees  by size class:
Stats: malloc large: 6 small slow: 3
Shadow byte and word:
  0x1000000d6048: 1
  0x1000000d6048: 01 f9 f9 f9 f9 f9 f9 f9
More shadow bytes:
  0x1000000d6028: 00 04 f9 f9 f9 f9 f9 f9
  0x1000000d6030: 00 04 f9 f9 f9 f9 f9 f9
  0x1000000d6038: 00 06 f9 f9 f9 f9 f9 f9
  0x1000000d6040: 00 04 f9 f9 f9 f9 f9 f9
=>0x1000000d6048: 01 f9 f9 f9 f9 f9 f9 f9
  0x1000000d6050: 04 f9 f9 f9 f9 f9 f9 f9
  0x1000000d6058: 05 f9 f9 f9 f9 f9 f9 f9
  0x1000000d6060: 04 f9 f9 f9 f9 f9 f9 f9
  0x1000000d6068: 00 00 00 00 00 00 00 00

while((temp = *key32++) & 0xff) { <=== problematic code
	if (!(temp & 0xff00))
	{
		*keybuf_word = (temp & 0xff) | (0x80 << 8);
		++len;
		goto key_cleaning;
	}

For now, I will disable the dynamic format and continue my testing.

-- 
Cheers,
Dhiru

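The report above shows a word-at-a-time key scan reading 4 bytes from a 1-byte global (the empty-string test key from formats.c). The following is an added example, not code from the post or from John the Ripper: a scan in the shape of the quoted loop, beside a wrapper that first copies the key into a zeroed, word-aligned scratch buffer so that every 4-byte read stays inside memory the function owns. The names (scan_key_words_raw, scan_key_words_padded, check_padded), the 16-word key buffer, the 63-byte key cap and the little-endian assumption are all this example's own, not the project's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumptions for this example (not JtR's values): the key buffer holds 16
 * 32-bit words (64 bytes), keys are at most 63 bytes, and the host is
 * little-endian, so the 0x80 end marker goes into the byte that follows the
 * last key byte, as for MD5 padding. */
#define KEY_BUF_WORDS 16
#define KEY_MAX_LEN   (KEY_BUF_WORDS * 4 - 1)

/* Word-at-a-time scan in the shape of the loop quoted in the report.  Each
 * iteration reads 4 bytes from the caller's key, so when the key's allocation
 * is not a multiple of 4 bytes (the benchmark's "" is a 1-byte global) the
 * very first read crosses its end.  That is the global-buffer-overflow ASan
 * reported; without ASan it is silent, but still undefined behaviour.  Only
 * call this on memory that is known to be readable in whole words. */
static int scan_key_words_raw(const char *key, uint32_t *keybuf_word)
{
    const uint32_t *key32 = (const uint32_t *)key;
    uint32_t temp;
    int len = 0;

    while ((temp = *key32++) & 0xff) {
        if (!(temp & 0xff00)) {           /* NUL in byte 1: one key byte here */
            *keybuf_word = (temp & 0xff) | (0x80U << 8);
            return len + 1;
        }
        if (!(temp & 0xff0000)) {         /* NUL in byte 2 */
            *keybuf_word = (temp & 0xffff) | (0x80U << 16);
            return len + 2;
        }
        if (!(temp & 0xff000000)) {       /* NUL in byte 3 */
            *keybuf_word = (temp & 0xffffff) | (0x80U << 24);
            return len + 3;
        }
        *keybuf_word++ = temp;            /* a full word of key bytes */
        len += 4;
    }
    *keybuf_word = 0x80;                  /* NUL in byte 0: marker opens a new word */
    return len;
}

/* Safe wrapper: measure the key byte by byte (never touching memory past its
 * terminator), copy it into a zeroed, word-aligned scratch buffer, and run the
 * same scan over that buffer.  Every 4-byte read now lands in memory we own,
 * however the caller allocated the key.  Overlong keys are capped as well. */
static int scan_key_words_padded(const char *key, uint32_t *keybuf_word)
{
    union {
        uint32_t w[KEY_BUF_WORDS + 1];
        char c[(KEY_BUF_WORDS + 1) * 4];
    } scratch;
    size_t n = 0;

    while (n < KEY_MAX_LEN && key[n] != '\0')
        n++;
    memset(&scratch, 0, sizeof scratch);
    memcpy(scratch.c, key, n);
    return scan_key_words_raw(scratch.c, keybuf_word);
}

/* Returns 1 when the padded scan of key yields the expected length and the
 * expected first two words of the key buffer. */
static int check_padded(const char *key, int want_len, uint32_t want_w0, uint32_t want_w1)
{
    uint32_t buf[KEY_BUF_WORDS];
    int len;

    memset(buf, 0, sizeof buf);
    len = scan_key_words_padded(key, buf);
    return len == want_len && buf[0] == want_w0 && buf[1] == want_w1;
}

int main(void)
{
    /* Constructed inputs, including the 1-byte "" that triggered the report. */
    const char *keys[] = { "", "a", "abc", "abcd", "abcde" };
    uint32_t buf[KEY_BUF_WORDS];
    size_t i;

    for (i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        int len;
        memset(buf, 0, sizeof buf);
        len = scan_key_words_padded(keys[i], buf);
        printf("key \"%s\": len=%d w0=0x%08x w1=0x%08x\n", keys[i], len, buf[0], buf[1]);
    }
    return 0;
}
```

Built with clang -fsanitize=address, calling scan_key_words_raw directly on a 1-byte "" reproduces a buffer-overflow report of the kind shown above, while scan_key_words_padded runs clean on the same input; the copy costs a strlen and a memcpy per key, which is the usual price for letting the inner loop read in whole words.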