External mode: asan error

[loverszhaokai]

There are two bugs found by fuzzzing the options of John.
#1. Prepare

1.1 content of 7z_fmt

$7z$0$19$0$1122$8$d1f50227759415890000000000000000$1412385885$112$112$5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac692c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd854a31646ad117654182253706dae0c069d3f4ce46121d52b6f20741a0bb39fc61113ce14d22f9184adafd6b5333fb1

1.2 compile with asan

$ export ASAN_OPTIONS='abort_on_error=1'
$ AFL_USE_ASAN=1 AFL_HARDEN=1 ./configure --enable-asan && make -sj8
#2. LanMan

$ ./john 7z_fmt --external=LanMan

==95376== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000134c610 at pc 0x740b05 bp 0x7fffd6e93dd0 sp 0x7fffd6e93dc8
WRITE of size 4 at 0x00000134c610 thread T0
#0 0x740b04 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x740b04)
#1 0x74906a (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x74906a)
#2 0x7571ee (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x7571ee)
#3 0x759645 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x759645)
#4 0x75b188 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x75b188)
#5 0x7efde4f01ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#6 0x406632 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x406632)
0x00000134c610 is located 16 bytes to the left of global variable 'c_stack (compiler.c)' (0x134c620) of size 8320
'c_stack (compiler.c)' is ascii string ''
0x00000134c610 is located 40 bytes to the right of global variable 'c_sp (compiler.c)' (0x134c5e0) of size 8
'c_sp (compiler.c)' is ascii string ''
Shadow bytes around the buggy address:
0x000080261870: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080261880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261890: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
0x0000802618a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000802618b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000802618c0: f9 f9[f9]f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==95376== ABORTING
Aborted

$ asan_symbolize.py
#0 0x740b04 in c_execute_fast .../src/compiler.c:1024
#1 0x74906a in ext_init .../src/external.c:190 (discriminator 1)
#2 0x7571ee in john_load .../src/john.c:886
#3 0x759645 in john_init .../src/john.c:1241
#4 0x75b188 in main .../src/john.c:1674
#5 0x7fcb6a9dcec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
#3. Filter_ASCII

$ ./john 7z_fmt --external=Filter_ASCII --make-charset=input
note: input does not exist

==95381== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000134c610 at pc 0x740dfc bp 0x7ffe69fcd860 sp 0x7ffe69fcd858
WRITE of size 4 at 0x00000134c610 thread T0
#0 0x740dfb (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x740dfb)
#1 0x749541 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x749541)
#2 0x738bb9 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x738bb9)
#3 0x73abea (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x73abea)
#4 0x759da8 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x759da8)
#5 0x75b23e (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x75b23e)
#6 0x7fc000145ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#7 0x406632 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x406632)
0x00000134c610 is located 16 bytes to the left of global variable 'c_stack (compiler.c)' (0x134c620) of size 8320
'c_stack (compiler.c)' is ascii string ''
0x00000134c610 is located 40 bytes to the right of global variable 'c_sp (compiler.c)' (0x134c5e0) of size 8
'c_sp (compiler.c)' is ascii string ''
Shadow bytes around the buggy address:
0x000080261870: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080261880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261890: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
0x0000802618a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000802618b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000802618c0: f9 f9[f9]f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==95381== ABORTING
Aborted

$ asan_symbolize.py
#0 0x740dfb in .../c_execute_fast src/compiler.c:1051
#1 0x749541 in .../ext_filter_body src/external.c:254
#2 0x738bb9 in .../charset_filter_plaintexts src/charset.c:74
#3 0x73abea in .../do_makechars src/charset.c:706
#4 0x759da8 in .../john_run src/john.c:1312
#5 0x75b23e in main .../src/john.c:1687
#6 0x7fc000145ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

[magnumripper]

This is fine but what is your intention with --disable-shared? We do not have such option to configure.

$ ./configure --disable-shared
configure: WARNING: unrecognized options: --disable-shared
checking build system type... x86_64-apple-darwin14.1.0
(...)

[loverszhaokai]

@magnumripper

This is fine

They are not bugs?

what is your intention with --disable-shared?

Sorry, there should not have --disable-shared. It is recommended by AFL to fuzz. Such as below:

$ CC=/path/to/afl/afl-gcc ./configure --disable-shared

[magnumripper]

This is fine

They are not bugs?

Yes they are (albeit somewhat theoretical - we have fixed similar "ASan-only problems" before). I meant your report is fine!

[loverszhaokai]

@magnumripper

I think it is really a bug, since there is the case that sp == c_stack[0] and it tries to visit (sp-2).

Is this a bug?

If it is, I think it may take sometime for me to debug it, since the compiler.c is complex.

void c_execute_fast(void *addr)
{
        union c_insn *pc = addr;
        union c_insn *sp = c_stack;
        c_int imm = 0;
    ...
op_push_mem:
        (sp - 2)->imm = imm;
        imm = *((sp + 1)->mem = pc->mem);
        pc += 2;
        sp += 2;
        goto *(pc - 1)->op;
    ...
}

[magnumripper]

I think you should consult Solar too. If this is a bug it should be fixed in core john.

[magnumripper]

Fixed in 0083c5a