Message-ID: <CANO7a6wiLObZ0-mXj5X_KL1GRnXW92i4DTN15g1iS_FVObjqbQ@mail.gmail.com>
Date: Sat, 30 Jun 2012 14:23:47 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: asan report
Hi,
So far, I have found out that asan doesn't work with the following formats:
Target : linux-x86-64-clang-debug
$ clang --version
clang version 3.1 (branches/release_31)
Target: x86_64-unknown-linux-gnu
Thread model: posix
1. xsha
Benchmarking: Mac OS X 10.4 - 10.6 salted SHA-1 [128/128 SSE2
intrinsics 8x]...
=================================================================
==28010== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006b0240 at pc 0x4da4f4 bp 0x7fff9f71ff10 sp 0x7fff9f71ff08
READ of size 4 at 0x0000006b0240 thread T0
#0 0x4da4f4 in set_key /home/dsk/magnum-jumbo/src/XSHA_fmt_plug.c:304
0x0000006b0240 is located 0 bytes inside of global variable '.str12
(formats.c)' (0x6b0240) of size 1
'.str12 (formats.c)' is ascii string ''
while((temp = *wkey++) & 0xff) { <== problematic code
if (!(temp & 0xff00))
{
*keybuf_word = JOHNSWAP((temp & 0xff) | (0x80 << 8));
len++;
goto key_cleaning;
}
2. trip
Benchmarking: Tripcode DES [128/128 BS SSE2-16]...
=================================================================
==28647== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006b0240 at pc 0x4414c9 bp 0x7fff45bf30c0 sp 0x7fff45bf30b8
READ of size 8 at 0x0000006b0240 thread T0
#0 0x4414c9 in set_key /home/dsk/magnum-jumbo/src/trip_fmt.c:547
0x0000006b0240 is located 0 bytes inside of global variable '.str12
(formats.c)' (0x6b0240) of size 1
'.str12 (formats.c)' is ascii string ''
static void set_key(char *key, int index)
{
memcpy(buffer[index].key, key, PLAINTEXT_LENGTH);
}
This code doesn't seem to check key's length.
3. BSDI (reported in another thread)
4. dynamic format (reported in another thread)
5. sapb
Benchmarking: SAP CODVN B (BCODE) [128/128 SSE2 intrinsics 20x]...
=================================================================
==29216== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006779e0 at pc 0x4d514f bp 0x7fff67fff8a0 sp 0x7fff67fff898
READ of size 8 at 0x0000006779e0 thread T0
#0 0x4d514f in set_key /home/dsk/magnum-jumbo/src/sapB_fmt_plug.c:191
0x0000006779e0 is located 0 bytes inside of global variable '.str6
(sapB_fmt_plug.c)' (0x6779e0) of size 2
'.str6 (sapB_fmt_plug.c)' is ascii string 'X'
static void set_key(char *key, int index)
{
memcpy(saved_plain[index], key, PLAINTEXT_LENGTH);
keyLen[index] = -1;
}
6. sapg
Benchmarking: SAP CODVN F/G (PASSCODE) [128/128 SSE2 intrinsics 8x]...
=================================================================
==29453== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006b0292 at pc 0x4ef363 bp 0x7fff69397f50 sp 0x7fff69397f48
READ of size 1 at 0x0000006b0292 thread T0
#0 0x4ef363 in set_key /home/dsk/magnum-jumbo/src/sapG_fmt_plug.c:205
0x0000006b0292 is located 14 bytes to the right of global variable
'.str13 (formats.c)' (0x6b0280) of size 4
'.str13 (formats.c)' is ascii string 'des'
static void set_key(char *key, int index)
{
memcpy((char*)saved_plain[index], key, PLAINTEXT_LENGTH);
keyLen[index] = -1;
}
7. salted-sha1
Benchmarking: Salted SHA-1 [128/128 SSE2 intrinsics 8x]...
=================================================================
==29737== ERROR: AddressSanitizer global-buffer-overflow on address
0x000000683844 at pc 0x4f2c5e bp 0x7ffff61eb420 sp 0x7ffff61eb418
READ of size 4 at 0x000000683844 thread T0
#0 0x4f2c5e in set_key /home/dsk/magnum-jumbo/src/salted_sha1_fmt_plug.c:163
0x000000683844 is located 4 bytes inside of global variable '.str6
(salted_sha1_fmt_plug.c)' (0x683840) of size 7
'.str6 (salted_sha1_fmt_plug.c)' is ascii string 'thales'
while((temp = *wkey++) & 0xff) { <== have seen such a loop multiple times now :-)
if (!(temp & 0xff00))
{
*keybuf_word = JOHNSWAP((temp & 0xff) | (0x80 << 8));
len++;
goto key_cleaning;
}
8. raw-sha1-ng
Benchmarking: Raw SHA-1 (pwlen <= 15) [128/128 SSE2 intrinsics 4x]...
=================================================================
==30079== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006a9020 at pc 0x537f2e bp 0x7fff53cb89e0 sp 0x7fff53cb89d8
READ of size 16 at 0x0000006a9020 thread T0
#0 0x537f2e in sha1_fmt_set_key
/home/dsk/magnum-jumbo/src/rawSHA1_ng_fmt.c:363
9. raw-sha1-linkedin
Benchmarking: Raw SHA-1 LinkedIn [128/128 SSE2 intrinsics 8x]...
=================================================================
==30895== ERROR: AddressSanitizer global-buffer-overflow on address
0x000000696d8c at pc 0x5100f4 bp 0x7fff9d8f92e0 sp 0x7fff9d8f92d8
READ of size 4 at 0x000000696d8c thread T0
#0 0x5100f4 in rawsha1_set_key
/home/dsk/magnum-jumbo/src/rawSHA1_linkedIn_fmt_plug.c:141
while((unsigned char)(temp = *wkey++)) {
if (!(temp & 0xff00))
{
*keybuf_word = JOHNSWAP((temp & 0xff) | (0x80 << 8));
len++;
goto key_cleaning;
}
10. Other formats which don't work with asan are raw-sha1, raw-md5,
raw-md4, oracle11, nsldap, netntlm, netlm, nethalflm, mysql-sha1,
hmac-md5, hmac-sha1, and ipb2
Let's start fixing these formats.
--
Cheers,
Dhiru
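As an added example (not code from this report or from John the Ripper): the two set_key() patterns quoted above, the fixed-length memcpy and the word-at-a-time loop, next to bounded rewrites that read no further than the candidate itself. PLAINTEXT_LENGTH = 8 and the buffer names are assumed; the word loop assumes a little-endian host, as the x86-64 target in the report is.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example, not John the Ripper code. PLAINTEXT_LENGTH = 8 and
 * the buffer names are assumed; the real formats define their own. */
#define PLAINTEXT_LENGTH 8
#define MAX_KEYS 4
static char saved_plain[MAX_KEYS][PLAINTEXT_LENGTH + 1];

/* strnlen() equivalent kept local so the example needs only ISO C. */
static size_t bounded_len(const char *s, size_t max)
{ size_t n = 0; while (n < max && s[n]) n++; return n; }
/* Pattern ASan flagged in trip/sapb/sapg: a fixed-size memcpy reads
 * PLAINTEXT_LENGTH bytes even from a 1-byte candidate such as "" or "X",
 * i.e. past the end of the key's storage. Shown for comparison only. */
void set_key_unbounded(const char *key, int index)
{
    memcpy(saved_plain[index], key, PLAINTEXT_LENGTH);
}
/* Bounded version: reads at most up to the key's NUL, writes at most
 * PLAINTEXT_LENGTH + 1 bytes, returns the stored length. */
int set_key_bounded(const char *key, int index)
{
    size_t len = bounded_len(key, PLAINTEXT_LENGTH);
    memcpy(saved_plain[index], key, len);
    saved_plain[index][len] = '\0';
    return (int)len;
}
const char *get_key(int index) { return saved_plain[index]; }

/* The word-at-a-time scan in xsha/salted-sha1/raw-sha1-linkedin reads the
 * key as 32-bit words, so a short key is read 4 bytes at a time past its
 * end. Scanning a zero-padded, word-aligned copy keeps every read inside
 * memory we own. Assumes a little-endian host (the report's x86-64). */
int key_len_wordwise(const char *key)
{
    uint32_t words[(PLAINTEXT_LENGTH + 4) / 4 + 1];
    uint32_t temp, *wkey = words;
    int len = 0;
    memset(words, 0, sizeof(words));
    memcpy(words, key, bounded_len(key, PLAINTEXT_LENGTH));
    while ((temp = *wkey++) & 0xff) {          /* lowest byte is key[4*i] */
        if (!(temp & 0xff00)) { len += 1; break; }
        if (!(temp & 0xff0000)) { len += 2; break; }
        if (!(temp & 0xff000000)) { len += 3; break; }
        len += 4;                              /* full word, keep scanning */
    }
    return len;
}
```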