
External mode: asan error #1149

Closed
loverszhaokai opened this issue Mar 26, 2015 · 6 comments
Labels: bug, core branch (Bug or issue coming from John the Ripper core)

Comments

@loverszhaokai (Contributor)

There are two bugs found by fuzzing the options of John.
#1. Prepare

1.1 content of 7z_fmt

```
$7z$0$19$0$1122$8$d1f50227759415890000000000000000$1412385885$112$112$5e5b8b734adf52a64c541a5a5369023d7cccb78bd910c0092535dfb013a5df84ac692c5311d2e7bbdc580f5b867f7b5dd43830f7b4f37e41c7277e228fb92a6dd854a31646ad117654182253706dae0c069d3f4ce46121d52b6f20741a0bb39fc61113ce14d22f9184adafd6b5333fb1
```

1.2 compile with asan

```
$ export ASAN_OPTIONS='abort_on_error=1'
$ AFL_USE_ASAN=1 AFL_HARDEN=1 ./configure --enable-asan && make -sj8
```

#2. LanMan

```
$ ./john 7z_fmt --external=LanMan

==95376== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000134c610 at pc 0x740b05 bp 0x7fffd6e93dd0 sp 0x7fffd6e93dc8
WRITE of size 4 at 0x00000134c610 thread T0
#0 0x740b04 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x740b04)
#1 0x74906a (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x74906a)
#2 0x7571ee (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x7571ee)
#3 0x759645 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x759645)
#4 0x75b188 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x75b188)
#5 0x7efde4f01ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#6 0x406632 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x406632)
0x00000134c610 is located 16 bytes to the left of global variable 'c_stack (compiler.c)' (0x134c620) of size 8320
'c_stack (compiler.c)' is ascii string ''
0x00000134c610 is located 40 bytes to the right of global variable 'c_sp (compiler.c)' (0x134c5e0) of size 8
'c_sp (compiler.c)' is ascii string ''
Shadow bytes around the buggy address:
0x000080261870: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080261880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261890: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
0x0000802618a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000802618b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000802618c0: f9 f9[f9]f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==95376== ABORTING
Aborted
```

```
$ asan_symbolize.py
#0 0x740b04 in c_execute_fast .../src/compiler.c:1024
#1 0x74906a in ext_init .../src/external.c:190 (discriminator 1)
#2 0x7571ee in john_load .../src/john.c:886
#3 0x759645 in john_init .../src/john.c:1241
#4 0x75b188 in main .../src/john.c:1674
#5 0x7fcb6a9dcec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
```

#3. Filter_ASCII

```
$ ./john 7z_fmt --external=Filter_ASCII --make-charset=input
note: input does not exist

==95381== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000134c610 at pc 0x740dfc bp 0x7ffe69fcd860 sp 0x7ffe69fcd858
WRITE of size 4 at 0x00000134c610 thread T0
#0 0x740dfb (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x740dfb)
#1 0x749541 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x749541)
#2 0x738bb9 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x738bb9)
#3 0x73abea (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x73abea)
#4 0x759da8 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x759da8)
#5 0x75b23e (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x75b23e)
#6 0x7fc000145ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
#7 0x406632 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_test_options_new/run/john+0x406632)
0x00000134c610 is located 16 bytes to the left of global variable 'c_stack (compiler.c)' (0x134c620) of size 8320
'c_stack (compiler.c)' is ascii string ''
0x00000134c610 is located 40 bytes to the right of global variable 'c_sp (compiler.c)' (0x134c5e0) of size 8
'c_sp (compiler.c)' is ascii string ''
Shadow bytes around the buggy address:
0x000080261870: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080261880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261890: 00 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9
0x0000802618a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000802618b0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
=>0x0000802618c0: f9 f9[f9]f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000802618f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080261910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==95381== ABORTING
Aborted
```

```
$ asan_symbolize.py
#0 0x740dfb in .../c_execute_fast src/compiler.c:1051
#1 0x749541 in .../ext_filter_body src/external.c:254
#2 0x738bb9 in .../charset_filter_plaintexts src/charset.c:74
#3 0x73abea in .../do_makechars src/charset.c:706
#4 0x759da8 in .../john_run src/john.c:1312
#5 0x75b23e in main .../src/john.c:1687
#6 0x7fc000145ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
```

@magnumripper (Member)

This is fine but what is your intention with --disable-shared? We do not have such option to configure.

```
$ ./configure --disable-shared
configure: WARNING: unrecognized options: --disable-shared
checking build system type... x86_64-apple-darwin14.1.0
(...)
```

@loverszhaokai (Contributor, Author)

@magnumripper

> This is fine

They are not bugs?

> what is your intention with --disable-shared?

Sorry, there should not be --disable-shared. It is recommended by AFL for fuzzing, such as below:

```
$ CC=/path/to/afl/afl-gcc ./configure --disable-shared
```

@magnumripper (Member)

> > This is fine
>
> They are not bugs?

Yes they are (albeit somewhat theoretical - we have fixed similar "ASan-only problems" before). I meant your report is fine!

@magnumripper magnumripper added the core branch Bug or issue coming from John the Ripper core label Mar 27, 2015
@loverszhaokai (Contributor, Author)

@magnumripper

I think it is really a bug, since there is the case that sp == c_stack[0] and it tries to visit (sp-2).

Is this a bug?

If it is, I think it may take sometime for me to debug it, since the compiler.c is complex.

```c
void c_execute_fast(void *addr)
{
    union c_insn *pc = addr;
    union c_insn *sp = c_stack;    /* sp starts at the very first cell of c_stack */
    c_int imm = 0;
    ...
op_push_mem:
    (sp - 2)->imm = imm;           /* with sp == c_stack this writes two cells before the array */
    imm = *((sp + 1)->mem = pc->mem);
    pc += 2;
    sp += 2;
    goto *(pc - 1)->op;
    ...
}
```
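
An added example (not code from John the Ripper, and not the fix in commit 0083c5a) that models the underflow described above: when `sp == c_stack`, the first `op_push_mem` stores to `(sp - 2)`, two 8-byte cells before the global, which is exactly the write "16 bytes to the left of c_stack" in the ASan report. The bounds check, the `C_STACK_SLACK` reserve cells and the size constants are assumptions for illustration, not the project's own design.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the compiler.c stack cell: an 8-byte union on x86_64, so a
 * (sp - 2) write lands 16 bytes before the object when sp == c_stack. */
typedef union c_insn {
    intptr_t imm;
    intptr_t *mem;
    void *op;
} c_insn;

#define C_STACK_CELLS 1040   /* 8320 bytes / 8, matching the ASan report */
#define C_STACK_SLACK 2      /* hypothetical: cells reserved below the base */

static c_insn c_stack[C_STACK_SLACK + C_STACK_CELLS];

/* Bounds-checked model of op_push_mem: returns -1 if the (sp - 2) spill
 * would fall before the start of c_stack (the global-buffer-overflow ASan
 * flagged), otherwise performs the push and returns 0. */
static int push_mem(c_insn **spp, intptr_t *imm, intptr_t *mem)
{
    c_insn *sp = *spp;
    if (sp < c_stack + 2)
        return -1;
    (sp - 2)->imm = *imm;      /* spill the cached top-of-stack value */
    (sp + 1)->mem = mem;       /* remember the operand address */
    *imm = *mem;               /* load the new cached top */
    *spp = sp + 2;
    return 0;
}

/* Start at the object's first cell, as the reported code does: the very
 * first push underflows. Returns -1. */
static int run_from_base(void)
{
    c_insn *sp = c_stack;
    intptr_t imm = 0, cell = 42;
    return push_mem(&sp, &imm, &cell);
}

/* Start C_STACK_SLACK cells in: the spill stays inside the object and the
 * loaded operand becomes the cached top. Returns 42. */
static intptr_t run_with_slack(void)
{
    c_insn *sp = c_stack + C_STACK_SLACK;
    intptr_t imm = 0, cell = 42;
    if (push_mem(&sp, &imm, &cell) != 0)
        return -1;
    return imm;
}
```

Built with `-fsanitize=address`, the unchecked form of `run_from_base` would produce the same "16 bytes to the left of global variable 'c_stack'" diagnostic as the report.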

@magnumripper (Member)

I think you should consult Solar too. If this is a bug it should be fixed in core john.

@magnumripper (Member)

Fixed in 0083c5a
