Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 15 Aug 2015 16:39:04 +0800
From: Kai Zhao <loverszhao@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: --test-full=0 crashes the Bitcoin format

On Fri, Aug 7, 2015 at 12:38 AM, Solar Designer <solar@...nwall.com> wrote:
> Kai, magnum -
>
> Flag bugs aside, this feature as committed to magnum's jumbo triggers
> memory corruption:
>
> [solar@...er run]$ ./john --test-full=0
> [...]
> Testing: asa-md5, Cisco ASA [Cisco ASA (MD5 salted) 128/128 AVX 4x3]... PASS
> Testing: bfegg, Eggdrop [Blowfish 32/64]... (32xOMP) PASS
> Testing: Bitcoin [SHA512 AES 128/128 AVX 2x]... (32xOMP) *** glibc detected *** ./john: double free or corruption (!prev): 0x000000000224a770 ***
> ======= Backtrace: =========
> /lib64/libc.so.6(+0x75e66)[0x7f80c1a4ce66]
> /lib64/libc.so.6(+0x789b3)[0x7f80c1a4f9b3]
> /lib64/libc.so.6(+0x7b880)[0x7f80c1a52880]
> /lib64/libc.so.6(realloc+0xe5)[0x7f80c1a52af5]
> /usr/lib64/libcrypto.so.10(CRYPTO_realloc+0x5f)[0x7f80c2f3dccf]
> /usr/lib64/libcrypto.so.10(lh_insert+0xee)[0x7f80c2fb858e]
> /usr/lib64/libcrypto.so.10(+0xe7c71)[0x7f80c2fbac71]
> /usr/lib64/libcrypto.so.10(ERR_get_state+0xce)[0x7f80c2fbb10e]
> /usr/lib64/libcrypto.so.10(ERR_put_error+0x2f)[0x7f80c2fbb8df]
> /usr/lib64/libcrypto.so.10(EVP_DecryptFinal_ex+0x1c1)[0x7f80c2fbd841]
> ./john[0x52d66e]
> /usr/lib64/libgomp.so.1(+0xe0c5)[0x7f80c1f960c5]
> /lib64/libpthread.so.0(+0x79d1)[0x7f80c1d729d1]
> /lib64/libc.so.6(clone+0x6d)[0x7f80c1abf8fd]
>
> This is for today's jumbo built on super after "scl enable devtoolset-3
> bash" (so with gcc 4.9.1).  ./configure was run without options (so
> OpenMP and OpenCL are enabled, CUDA is disabled).
>
> Would you debug this, please?
>
> It's probably some bug unrelated to flags, which merely happened to be
> triggered in this run.  I'd start by testing if it's triggerable
> reliably or not, and whether it's triggerable without OpenMP at all.
> Also, whether it's triggerable when the Bitcoin format is test-full'ed
> on its own (rather than after lots of other formats).  Then try to
> trigger it in an --enable-asan build (hopefully, it'd crash on the
> actual memory corruption, not on its aftermath as this run did).
>
> ... After writing the above, I ran the command a few more times.  Most
> of the time, there's no crash.  But I was able to trigger the crash
> once more (so 2 times total so far), with GOMP_CPU_AFFINITY=0-31.  ASan
> should help detect it reliably.
>

There maybe at least 1 crash when you run 100 times. As to asan, I think
it does not help. I have not see any asan error.

It can be reproduced separately almost 1~2 crash with 200 times. I create
an issue:

https://github.com/magnumripper/JohnTheRipper/issues/1667

To my surprise, sometimes it reports other errors, such as:

Using default input encoding: UTF-8
Loaded 1 password hash (Bitcoin [SHA512 AES 128/128 AVX 2x])
Will run 32 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
crypt_all(*pcount=64)
openwall         (?)
*** glibc detected *** ./john: malloc(): memory corruption:
0x0000000002b04060 ***
*** glibc detected *** ./john: malloc(): memory corruption:
0x0000000002b04060 ***



Thanks,

Kai

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ