External mode: asan error SegFault #1358

Closed
loverszhaokai opened this issue May 27, 2015 · 4 comments
Labels
bug core branch Bug or issue coming from John the Ripper core
@loverszhaokai
Contributor

#1. Analysis

This bug is similar to #1149 which is fixed in 0083c5a.

In compiler.c::c_execute_fast there are not only (sp - 2) but also (sp - 3) and (sp - 4), so maybe sp should point to c_stack[4].

/*
 * We cache the top of stack value in imm.  We initially set sp to &c_stack[2]
 * so that there's room for op_push_* to spill imm to stack even when there
 * wasn't actually a previous top of stack value to cache (since we're at the
 * top level).  It is simpler and quicker to let them do it than to treat this
 * as a special case in the code.
 */
union c_insn *sp = &c_stack[4];

#2. Reproduce

$ ./configure --enable-asan && make -sj8
$ cat test_pw

$apr1$a2Jqm...$grFrwEgiQleDr0zR4Jx1b.

$ cat local.conf

[List.External:Lanman]

int numbers[10];
int lowers[26];
int uppers[26];
int symbols[32];

int boundaries_charclass[4];
int boundaries_numbers[10];
int boundaries_letters[26];
int boundaries_symbols[12];

int seed;

int password_length;

void init()
{
        password_length = 16; /* Change this to match config */

        int c, i;

        c = '0'; i = 0; while (c <= '9') numbers[i++] = c++;
        c = 'a'; i = 0; while (c <= 'z') lowers[i++] = c++;
        c = 'A'; i = 0; while (c <= 'Z') uppers[i++] = c++;

        /* Symbols */
        i = 0;
        symbols[i++] = '!'; symbols[i++] = '@'; symbols[i++] = '#'; symbols[i++] = '$';
        symbols[i++] = '%'; symbols[i++] = '^'; symbols[i++] = '&'; symbols[i++] = '*';
        symbols[i++] = '('; symbols[i++] = ')'; symbols[i++] = '~'; symbols[i++] = '-';
        symbols[i++] = '_'; symbols[i++] = '='; symbols[i++] = '+'; symbols[i++] = '\\';
        symbols[i++] = '|'; symbols[i++] = '/'; symbols[i++] = '['; symbols[i++] = ']';
        symbols[i++] = '{'; symbols[i++] = '}'; symbols[i++] = ';'; symbols[i++] = ':';
        symbols[i++] = '`'; symbols[i++] = '\''; symbols[i++] = '"'; symbols[i++] = ',';
        symbols[i++] = '.'; symbols[i++] = '<'; symbols[i++] = '>'; symbols[i++] = '?';

        i = 0;
        boundaries_charclass[i++] = 536870912; boundaries_charclass[i++] = 1073741824;
        boundaries_charclass[i++] = 1610612736; boundaries_charclass[i++] = 2147483647;

        i = 0;
        boundaries_numbers[i++] = 214748365; boundaries_numbers[i++] = 429496730;
        boundaries_numbers[i++] = 644245095; boundaries_numbers[i++] = 858993460;
        boundaries_numbers[i++] = 1073741824; boundaries_numbers[i++] = 1288490189;
        boundaries_numbers[i++] = 1503238554; boundaries_numbers[i++] = 1717986919;
        boundaries_numbers[i++] = 1932735284; boundaries_numbers[i++] = 2147483647;

        i = 0;
        boundaries_letters[i++] = 82595525; boundaries_letters[i++] = 165191050;
        boundaries_letters[i++] = 247786575; boundaries_letters[i++] = 330382100;
        boundaries_letters[i++] = 412977625; boundaries_letters[i++] = 495573150;
        boundaries_letters[i++] = 578168675; boundaries_letters[i++] = 660764200;
        boundaries_letters[i++] = 743359725; boundaries_letters[i++] = 825955250;
        boundaries_letters[i++] = 908550775; boundaries_letters[i++] = 991146300;
        boundaries_letters[i++] = 1073741824; boundaries_letters[i++] = 1156337349;
        boundaries_letters[i++] = 1238932874; boundaries_letters[i++] = 1321528399;
        boundaries_letters[i++] = 1404123924; boundaries_letters[i++] = 1486719449;
        boundaries_letters[i++] = 1569314974; boundaries_letters[i++] = 1651910499;
        boundaries_letters[i++] = 1734506024; boundaries_letters[i++] = 1817101549;
        boundaries_letters[i++] = 1899697074; boundaries_letters[i++] = 1982292599;
        boundaries_letters[i++] = 2064888124; boundaries_letters[i++] = 2147483647;

        i = 0;
        boundaries_symbols[i++] = 67108864; boundaries_symbols[i++] = 134217728;
        boundaries_symbols[i++] = 201326592; boundaries_symbols[i++] = 268435456;
        boundaries_symbols[i++] = 335544320; boundaries_symbols[i++] = 402653184;
        boundaries_symbols[i++] = 469762048; boundaries_symbols[i++] = 536870912;
        boundaries_symbols[i++] = 603979776; boundaries_symbols[i++] = 671088640;
        boundaries_symbols[i++] = 738197504; boundaries_symbols[i++] = 805306368;
        boundaries_symbols[i++] = 872415232; boundaries_symbols[i++] = 939524096;
        boundaries_symbols[i++] = 1006632960; boundaries_symbols[i++] = 1073741824;
        boundaries_symbols[i++] = 1140850688; boundaries_symbols[i++] = 1207959552;
        boundaries_symbols[i++] = 1275068416; boundaries_symbols[i++] = 1342177280;
        boundaries_symbols[i++] = 1409286144; boundaries_symbols[i++] = 1476395008;
        boundaries_symbols[i++] = 1543503872; boundaries_symbols[i++] = 1610612736;
        boundaries_symbols[i++] = 1677721600; boundaries_symbols[i++] = 1744830464;
        boundaries_symbols[i++] = 1811939328; boundaries_symbols[i++] = 1879048192;
        boundaries_symbols[i++] = 1946157056; boundaries_symbols[i++] = 2013265920;
        boundaries_symbols[i++] = 2080374784; boundaries_symbols[i++] = 2147483647;

        seed = 0;
}

void generate()
{
}

$ ../john test_pw --format=md5crypt --external=lanman --config=local.conf

ASAN:SIGSEGV
=================================================================
==93562==ERROR: AddressSanitizer: SEGV on unknown address 0x61610000fb98 (pc 0x00000072749d sp 0x7ffdf242d520 bp 0x7ffdf242d520 T0)
    #0 0x72749c in c_execute_fast /home/zhaokai/WorkSpace/open_wall/JohnTheRipper_kai/src/compiler.c:1107
    #1 0x72f5d9 in ext_init /home/zhaokai/WorkSpace/open_wall/JohnTheRipper_kai/src/external.c:190
    #2 0x73f024 in john_load /home/zhaokai/WorkSpace/open_wall/JohnTheRipper_kai/src/john.c:922
    #3 0x741149 in john_init /home/zhaokai/WorkSpace/open_wall/JohnTheRipper_kai/src/john.c:1280
    #4 0x742ca5 in main /home/zhaokai/WorkSpace/open_wall/JohnTheRipper_kai/src/john.c:1707
    #5 0x7f1db1159ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #6 0x406c72 (/home/zhaokai/WorkSpace/open_wall/JohnTheRipper_kai/run/john+0x406c72)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zhaokai/WorkSpace/open_wall/JohnTheRipper_kai/src/compiler.c:1107 c_execute_fast
==93562==ABORTING
Aborted
@loverszhaokai loverszhaokai added the core branch Bug or issue coming from John the Ripper core label May 27, 2015
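An added illustration of the headroom argument in the report above (example code written here, not John the Ripper's compiler.c): a hypothetical model of the cached-top-of-stack interpreter tracks sp as an index, so a fixed (sp - k) operand read with too small an initial offset visibly lands below c_stack[0], which is the out-of-bounds access ASan turned into a SEGV. The step sequence and the base offsets 2 and 4 are constructed from the values in the report.

```c
#include <stddef.h>
#include <stdio.h>

#define C_STACK_SIZE 16

/* Hypothetical model of the c_execute_fast stack, written for this example; it
 * is not compiler.c.  imm caches the top of stack, a push spills imm into *sp++
 * even at the top level, and ops read operands at fixed (sp - k) offsets like
 * the (sp - 2)/(sp - 3)/(sp - 4) the report names.  sp starts at &c_stack[base],
 * so base is the headroom that has to cover the deepest such read. */
typedef struct { int imm; } c_insn;
static c_insn c_stack[C_STACK_SIZE];

/* push != 0: spill imm into *sp++; otherwise read the operand at (sp - offset). */
typedef struct { int push; int offset; } step;

/* Replays prog at the top level with sp = &c_stack[base], keeping sp as an
 * index so the bounds stay visible.  Returns the first offset whose read lands
 * below c_stack[0] (the access ASan reported), or 0 if every access is in bounds. */
int first_underflow(const step *prog, size_t n, int base)
{
    int sp = base;
    for (size_t i = 0; i < n; i++) {
        if (prog[i].push) {
            if (sp < C_STACK_SIZE) c_stack[sp].imm = 0;  /* dummy spill of imm */
            sp++;
        } else if (sp - prog[i].offset < 0) {
            return prog[i].offset;
        }
    }
    return 0;
}

/* Constructed sequence: the three reads the report names, then a push and a
 * deeper read that is fine because the spill moved sp up. */
static const step report_prog[] = { {0, 2}, {0, 3}, {0, 4}, {1, 0}, {0, 4} };
#define REPORT_STEPS (sizeof report_prog / sizeof report_prog[0])

int main(void)
{
    /* base 2 (the original &c_stack[2]) fails at sp - 3; base 4 stays in bounds */
    printf("base 2: first underflow at sp - %d\n", first_underflow(report_prog, REPORT_STEPS, 2));
    printf("base 4: first underflow at sp - %d\n", first_underflow(report_prog, REPORT_STEPS, 4));
    return 0;
}
```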
@magnumripper
Member

So we should bump that initial offset? Please report this to john-dev as well.

@loverszhaokai
Contributor Author

@magnumripper

Yes, I am writing the email now. :)

@jfoug jfoug added this to the 1.8.0-jumbo2 milestone Jun 25, 2015