Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Jun 2012 12:21:06 +0400
From: Solar Designer <solar@...nwall.com>
To: john-dev@...ts.openwall.com
Subject: Re: SSH format crashes when built using "linux-x86-clang-debug"

On Wed, Jun 27, 2012 at 12:04:24PM +0530, Dhiru Kholia wrote:
> SSH format crashes when built using "linux-x86-clang-debug".
> 
> $ ../run/john -format=ssh -t
> Benchmarking: SSH RSA/DSA (one 2048-bit RSA and one 1024-bit DSA key)
> [32/32]...
> ==5844== ERROR: AddressSanitizer global-buffer-overflow on address
> 0x0832f51f at pc 0x816a88b bp 0xbff25f58 sp 0xbff25f50

Can you provide a little bit of disassembly around this place?

> READ of size 1 at 0x0832f51f thread T0

Notice "size 1".

> $ addr2line -a 0x816a88b  -e ../run/john
> 0x0816a88b
> /home/dsk/magnum-jumbo/src/bench.c:150
> 
> bench.c line 150 ==> two_salts[index] = mem_alloc(format->params.salt_size);

I think this is wrong.  Maybe you ran addr2line on a different version
of the john binary or something.  That line should not involve any
"size 1" access.

> It seems the program is crashing when format->params.salt_size is
> accessed. Any ideas why this is happening?

I guess it does not.  Something else is happening.

I took a look at ssh_fmt.c and found an unrelated bug - patch attached.
The cracked[] array was not fully zeroized in OpenMP-enabled builds.
This shouldn't have resulted in crashes, but rather in extra calls to
cmp_one() (performance impact when cracking more than one SSH key at
once, after the first key gets cracked).

Alexander

View attachment "john-ssh-cracked-size.diff" of type "text/plain" (1088 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.