Date: Thu, 19 Mar 2015 04:21:23 +0300
From: Alexander Cherepanov <>
Subject: Re: Extend AFL to fuzz as you want

On 2015-03-18 15:35, Frank Dittrich wrote:
> On 03/18/2015 01:12 PM, Alexander Cherepanov wrote:
>> I think this is a general question to be discussed in john-dev, not
>> limited by the needs of fuzzing or security in general. Talking
>> specifically about fuzzing, when you want to fuzz functions behind the
>> valid() it's easier to patch this specific check out of valid() for now.
> But isn't the purpose of valid() to make sure all the other format
> methods only have to work with sane/sanitized input?
> Why should we care about segfaults etc. that would only occur after you
> removed some of the sanity checks in valid?

That's an interesting question. Short answer: we should care about it
because such a crash could be due to a genuine bug. But it very much
depends on a particular hash/valid()/get_salt()/etc. Surely, there are
not many chances that removing random parts of the valid() function will
lead to interesting crashes. But this particular check ("strlen(p) != len * 2")
is quite interesting. If we remove it we should hit a bug that
the value of len is not bound. At least I think it's a bug. With this
check in place the hash itself has to be very long to overflow the array
data[BIG_ENOUGH]. BIG_ENOUGH is defined as (8192 * 32) which is greater
than the max line size accepted by john. It's not documented how big
BIG_ENOUGH should be and that it depends on the max line size. Changing one
of them in the future could lead to a condition for buffer overflow.

There are other strange things in 7z format, e.g. salt field is not used.

Alexander Cherepanov
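To illustrate the point made above about the "strlen(p) != len * 2" check and data[BIG_ENOUGH], here is an added example (not code from john or from the thread) contrasting a check that only ties the hex length to the declared len with one that also bounds len against the destination buffer; DATA_CAP, the function names and the inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed: capacity of the buffer the hex data is decoded into. The
 * thread's real value is (8192 * 32); a small one keeps the bound visible. */
#define DATA_CAP 64

/* Weak check modelled on the one discussed: it only relates the hex string
 * length to len. Nothing here stops len from exceeding DATA_CAP, so the
 * buffer is protected only indirectly, by the loader's maximum line size.
 * Returns 1 if the field passes, 0 otherwise. */
static int weak_valid(const char *p, size_t len) {
    return strlen(p) == len * 2;
}

/* Hardened check: same relation, plus an explicit bound of len against the
 * destination capacity and a hex-digit check, so the check no longer
 * depends on what the maximum line size happens to be. */
static int strict_valid(const char *p, size_t len) {
    size_t i, hexlen = strlen(p);
    if (len == 0 || len > DATA_CAP) return 0;   /* bound len explicitly */
    if (hexlen != len * 2) return 0;            /* the original relation */
    for (i = 0; i < hexlen; i++)
        if (!isxdigit((unsigned char)p[i])) return 0;
    return 1;
}

/* Decode only after strict_valid() passed. Returns bytes written, 0 on
 * rejection; the loop can never run past data[DATA_CAP - 1]. */
static size_t decode_hex(const char *p, size_t len, unsigned char data[DATA_CAP]) {
    size_t i;
    if (!strict_valid(p, len)) return 0;
    for (i = 0; i < len; i++) {
        unsigned v = 0;
        sscanf(p + 2 * i, "%2x", &v);
        data[i] = (unsigned char)v;
    }
    return len;
}

int main(void) {
    unsigned char data[DATA_CAP];
    const char *hex = "deadbeef";   /* constructed sample field */
    printf("weak=%d strict=%d decoded=%zu\n",
           weak_valid(hex, 4), strict_valid(hex, 4), decode_hex(hex, 4, data));
    return 0;
}
```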
