Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 13 Sep 2015 17:12:51 +0200
From: Hanno Böck <hanno@...eck.de>
To: john-dev@...ts.openwall.com
Subject: Invalid memory our of bounds read in DES_std_set_key

Hi,

When compiling john-1.8.0 with address sanitizer it will expose an out
of bounds read in the function DES_std_set_key.

The error happens in line 664:
	DES_key[1] = key[1] & 0x7F;

The variable "key" is a parameter to the function and the value comes
indirectly from a function call in formats.c, line 168:
			format->methods.set_key("", index);

As you can see an empty string is passed. Therefore accessing key[1]
won't work.

I'm not entirely sure what was the intention of that code, so I'm not
sure how to fix it. The full address sanitizer error is pasted below.
To get it / reproduce:
make OMPFLAGS="-fsanitize=address -g -ggdb -fno-omit-frame-pointer"
LDFLAGS="-fsanitize=address" CC="clang" generic


Hanno

-------------------

==4322==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000052bd01 at pc 0x0000004dd9c4 bp 0x7ffdb8867230 sp 0x7ffdb8867228
READ of size 1 at 0x00000052bd01 thread T0
    #0 0x4dd9c3 in DES_std_set_key /tmp/john-1.8.0/src/DES_std.c:664:15
    #1 0x4da280 in set_key /tmp/john-1.8.0/src/DES_fmt.c:328:2
    #2 0x5102e7 in fmt_self_test_body /tmp/john-1.8.0/src/formats.c:168:4
    #3 0x5102e7 in fmt_self_test /tmp/john-1.8.0/src/formats.c:232
    #4 0x50b282 in benchmark_format /tmp/john-1.8.0/src/bench.c:114:15
    #5 0x50ce9c in main /tmp/john-1.8.0/src/best.c:79:6
    #6 0x7fcb3462b7af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
    #7 0x4180e8 in _start (/tmp/john-1.8.0/src/bench+0x4180e8)

0x00000052bd01 is located 63 bytes to the left of global variable '<string literal>' defined in 'formats.c:185:9' (0x52bd40) of size 5
  '<string literal>' is ascii string 'bsdi'
0x00000052bd01 is located 0 bytes to the right of global variable '<string literal>' defined in 'formats.c:168:28' (0x52bd00) of size 1
  '<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/john-1.8.0/src/DES_std.c:664:15 in DES_std_set_key
Shadow bytes around the buggy address:
  0x00008009d750: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
  0x00008009d760: 07 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
  0x00008009d770: 00 02 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
  0x00008009d780: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x00008009d790: 00 02 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x00008009d7a0:[01]f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
  0x00008009d7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008009d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008009d7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008009d7e0: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x00008009d7f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4322==ABORTING

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.