External mode: asan error #1149
Comments
This is fine, but what is your intention with --disable-shared? We do not have such an option to configure.

They are not bugs?

Sorry, there should not be --disable-shared. It is recommended by AFL for fuzzing, such as below: $ CC=/path/to/afl/afl-gcc ./configure --disable-shared

Yes they are (albeit somewhat theoretical - we have fixed similar "ASan-only problems" before). I meant your report is fine!

I think it is really a bug, since there is the case that

Is this a bug? If it is, I think it may take some time for me to debug it, since the compiler.c is complex.

I think you should consult Solar too. If this is a bug it should be fixed in core john.

Fixed in 0083c5a
There are two bugs found by fuzzing the options of John.
#1. Prepare
1.1 content of 7z_fmt
$7z$0$19$0$1122$8$d1f50227759415890000000000000000$1412385885$112$112$5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac692c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd854a31646ad117654182253706dae0c069d3f4ce46121d52b6f20741a0bb39fc61113ce14d22f9184adafd6b5333fb1
1.2 compile with asan
$ export ASAN_OPTIONS='abort_on_error=1'
$ AFL_USE_ASAN=1 AFL_HARDEN=1 ./configure --enable-asan && make -sj8
#2. LanMan
$ ./john 7z_fmt --external=LanMan
==95376== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000134c610 at pc 0x740b05 bp 0x7fffd6e93dd0 sp 0x7fffd6e93dc8
WRITE of size 4 at 0x00000134c610 thread T0
#0 0x740b04 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x740b04)
#1 0x74906a (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x74906a)
#2 0x7571ee (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x7571ee)
#3 0x759645 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x759645)
#4 0x75b188 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x75b188)
#5 0x7efde4f01ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#6 0x406632 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x406632)
0x00000134c610 is located 16 bytes to the left of global variable 'c_stack (compiler.c)' (0x134c620) of size 8320
'c_stack (compiler.c)' is ascii string ''
0x00000134c610 is located 40 bytes to the right of global variable 'c_sp (compiler.c)' (0x134c5e0) of size 8
'c_sp (compiler.c)' is ascii string ''
Shadow bytes around the buggy address:
0x000080261870: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080261880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261890: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
0x0000802618a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000802618b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000802618c0: f9 f9[f9]f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==95376== ABORTING
Aborted
$ asan_symbolize.py
#0 0x740b04 in c_execute_fast .../src/compiler.c:1024
#1 0x74906a in ext_init .../src/external.c:190 (discriminator 1)
#2 0x7571ee in john_load .../src/john.c:886
#3 0x759645 in john_init .../src/john.c:1241
#4 0x75b188 in main .../src/john.c:1674
#5 0x7fcb6a9dcec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#3. Filter_ASCII
$ ./john 7z_fmt --external=Filter_ASCII --make-charset=input
note: input does not exist
==95381== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000134c610 at pc 0x740dfc bp 0x7ffe69fcd860 sp 0x7ffe69fcd858
WRITE of size 4 at 0x00000134c610 thread T0
#0 0x740dfb (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x740dfb)
#1 0x749541 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x749541)
#2 0x738bb9 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x738bb9)
#3 0x73abea (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x73abea)
#4 0x759da8 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x759da8)
#5 0x75b23e (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x75b23e)
#6 0x7fc000145ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#7 0x406632 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x406632)
0x00000134c610 is located 16 bytes to the left of global variable 'c_stack (compiler.c)' (0x134c620) of size 8320
'c_stack (compiler.c)' is ascii string ''
0x00000134c610 is located 40 bytes to the right of global variable 'c_sp (compiler.c)' (0x134c5e0) of size 8
'c_sp (compiler.c)' is ascii string ''
Shadow bytes around the buggy address:
0x000080261870: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080261880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261890: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
0x0000802618a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000802618b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000802618c0: f9 f9[f9]f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==95381== ABORTING
Aborted
$ asan_symbolize.py
#0 0x740dfb in c_execute_fast .../src/compiler.c:1051
#1 0x749541 in ext_filter_body .../src/external.c:254
#2 0x738bb9 in charset_filter_plaintexts .../src/charset.c:74
#3 0x73abea in do_makechars .../src/charset.c:706
#4 0x759da8 in john_run .../src/john.c:1312
#5 0x75b23e in main .../src/john.c:1687
#6 0x7fc000145ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
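Both ASan reports above point at a 4-byte write just below the global c_stack array in compiler.c, which is the signature of an operand-stack underflow in a bytecode interpreter: a pop (or a binary operator) runs on an empty stack and the next write lands in the redzone left of the array. What follows is an added example and not John the Ripper's code; the VM, its opcodes and the names vm_stack, vm_verify and vm_run_unchecked are invented here. It shows the same global-buffer-overflow pattern under AddressSanitizer, and the compile-time depth check that lets an unchecked "fast" execute loop stay safe.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not JtR's compiler.c): a toy stack VM whose operand stack
 * is a global array, in the style of the c_stack / c_sp globals named in
 * the ASan reports.  Programs are straight-line (no branches). */

#define VM_STACK_WORDS 64

typedef enum { OP_PUSH, OP_ADD, OP_POP, OP_END } OpCode;

typedef struct {
    OpCode op;
    int    arg;   /* operand for OP_PUSH, ignored otherwise */
} Instr;

typedef enum { VM_OK = 0, VM_UNDERFLOW = 1, VM_OVERFLOW = 2, VM_BAD_OP = 3 } VmStatus;

static int  vm_guard = 0xdead;          /* neighbouring global, for illustration */
static int  vm_stack[VM_STACK_WORDS];   /* operand stack */
static int *vm_sp;                      /* one past the top element */

/* Static verifier, run once when the program is "compiled": tracks the
 * operand-stack depth and rejects any program that would pop below zero
 * or push past the array.  Because programs are straight-line, one linear
 * pass is exact. */
VmStatus vm_verify(const Instr *prog)
{
    long depth = 0;
    for (;; prog++) {
        switch (prog->op) {
        case OP_PUSH:
            if (++depth > VM_STACK_WORDS) return VM_OVERFLOW;
            break;
        case OP_ADD:
            if (depth < 2) return VM_UNDERFLOW;
            depth--;
            break;
        case OP_POP:
            if (depth < 1) return VM_UNDERFLOW;
            depth--;
            break;
        case OP_END:
            return VM_OK;
        default:
            return VM_BAD_OP;
        }
    }
}

/* Unchecked execute loop, as a "fast" interpreter would be written.  It
 * trusts the program: OP_ADD on a one-element stack moves vm_sp to
 * vm_stack and then writes vm_stack[-1], a 4-byte write to the left of the
 * global array, which AddressSanitizer reports as global-buffer-overflow.
 * Only run it on programs vm_verify() accepted (or under ASan). */
int vm_run_unchecked(const Instr *prog)
{
    vm_sp = vm_stack;
    for (;; prog++) {
        switch (prog->op) {
        case OP_PUSH: *vm_sp++ = prog->arg;            break;
        case OP_ADD:  vm_sp--; vm_sp[-1] += vm_sp[0];  break;
        case OP_POP:  vm_sp--;                         break;
        case OP_END:  return vm_sp > vm_stack ? vm_sp[-1] : 0;
        }
    }
}

/* Constructed sample programs. */
const Instr vm_prog_good[]      = {{OP_PUSH, 1}, {OP_PUSH, 2}, {OP_ADD, 0}, {OP_END, 0}};
const Instr vm_prog_bad[]       = {{OP_PUSH, 1}, {OP_ADD, 0}, {OP_END, 0}};   /* ADD needs 2 */
const Instr vm_prog_pop_empty[] = {{OP_POP, 0}, {OP_END, 0}};                 /* POP on empty */

int main(int argc, char **argv)
{
    const Instr *prog = (argc > 1 && strcmp(argv[1], "--bad") == 0) ? vm_prog_bad : vm_prog_good;
    int force = argc > 2 && strcmp(argv[2], "--force") == 0;

    VmStatus st = vm_verify(prog);
    if (st != VM_OK && !force) {
        printf("verifier rejected program: status %d\n", st);
        return 1;
    }
    /* With --bad --force the unchecked loop underflows; build with
     * -fsanitize=address to see the global-buffer-overflow report. */
    printf("result = %d (vm_guard = 0x%x)\n", vm_run_unchecked(prog), vm_guard);
    return 0;
}
```

Build with `gcc -g -fsanitize=address vm.c -o vm`. `./vm` prints `result = 3`; `./vm --bad` is rejected by the verifier before anything executes; `./vm --bad --force` skips the verifier and ASan aborts on the write below vm_stack, the same class of report as the two above. Without ASan the forced run is plain undefined behaviour and may silently clobber whatever the linker placed before the array. The point for the original bug is the division of labour: the check belongs in the compiler (one pass over the program), so that c_execute_fast can stay free of per-instruction bounds checks.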