Segfault in dynamic formats self test with OMP_NUM_THREADS=3 #825

Closed
claudioandre-br opened this issue Oct 24, 2014 · 35 comments

Comments

@claudioandre-br
Member

JtR fails, but not on every machine I tried (and only with a few formats).

#0  0x00007ffff5f88bb9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff5f8bfc8 in __GI_abort () at abort.c:89
#2  0x00007ffff5fc5e14 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff60d4668 "*** Error in `%s': %s: 0x%s ***\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff5fd20ee in malloc_printerr (ptr=<optimized out>, str=0x7ffff60d4798 "double free or corruption (out)", action=1)
    at malloc.c:4996
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5  0x00000000006303a8 in cleanup_tiny_memory () at memory.c:53
#6  0x000000000062652e in john_done () at john.c:1451
#7  0x00000000006269cc in main (argc=3, argv=0x7fffffffde78) at john.c:1618
@magnumripper
Member

What was the command line triggering this?

Using memdbg is likely to help nail it with ease. It looks like we are calling free() on some memory that was allocated by mem_alloc_tiny(). Then at exit, all "tiny memory" is freed in cleanup_tiny_memory() and the above is a fact.

@claudioandre-br
Member Author

For example, a --test=0

(gdb) bt
#0  0x00007ffff5fd1baf in _int_free (av=0x7ffff6311760 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3996
#1  0x00007ffff653ed32 in ?? () from /usr/lib/x86_64-linux-gnu/libgomp.so.1
#2  0x0000000000445b96 in crypt_all (pcount=<optimized out>, salt=<optimized out>) at dynamic_fmt.c:1594
#3  0x0000000000613a49 in benchmark_format (format=format@entry=0x15f1a40, salts=1, results=results@entry=0x7fffffffd3c0) at bench.c:275
#4  0x00000000006141e8 in benchmark_all () at bench.c:537
#5  0x0000000000625e1f in john_run () at john.c:1262
#6  0x00000000006269c7 in main (argc=2, argv=0x7fffffffde88) at john.c:1617

@magnumripper
Member

Including OpenCL but not CUDA? Or does it happen with just --format=cpu too? I can't reproduce, and the build bots don't catch it either (although they only test CPU formats).

@magnumripper
Member

I just passed a full --test=0 including CUDA and OpenCL formats.

All 432 formats passed self-tests!

@claudioandre-br
Member Author

I know that it happens only on two machines. The problem is that both have Ubuntu LTS, so nothing bad should be happening.

@magnumripper
Member

So could it be in some "optional" code? I got the following:

Configured for building John the Ripper 1.8.0.2-bleeding-jumbo:

Target CPU .................................. x86_64 AVX, 64-bit LE
AES-NI support .............................. run-time detection
Target OS ................................... darwin14.0.0
Cross compiling ............................. no
Legacy arch header .......................... x86-64.h
OpenMPI support (default disabled) .......... no
Fork support ................................ yes
OpenMP support .............................. yes
OpenCL support .............................. yes
CUDA support ................................ yes
Generic crypt(3) format ..................... yes

Optional libraries found:
Rexgen (extra cracking mode) ................ yes
GMP (performance) ........................... yes
NSS/NSPR (Mozilla format) ................... yes
Kerberos5 (krb5-18 format) .................. yes (Heimdal w/ MKShim)
PCAP (vncpcap2john and SIPdump) ............. yes
BZ2 (gpg2john extra decompression logic) .... yes

Build bot has this:

Target CPU .................................. x86_64 XOP, 64-bit LE
AES-NI support .............................. run-time detection
Target OS ................................... linux-gnu
Cross compiling ............................. no
Legacy arch header .......................... x86-64.h
OpenMPI support (default disabled) .......... no
Fork support ................................ yes
OpenMP support .............................. yes    (other bot has no)
OpenCL support .............................. no
CUDA support ................................ no
Generic crypt(3) format ..................... yes
Optional libraries found:
Rexgen (extra cracking mode) ................ no
GMP (performance) ........................... yes
NSS/NSPR (Mozilla format) ................... yes
Kerberos5 (krb5-18 format) .................. yes (MIT)
PCAP (vncpcap2john and SIPdump) ............. yes
BZ2 (gpg2john extra decompression logic) .... yes

Another possibility is that something in john.conf or john.local.conf differs and triggers the problem.

@magnumripper
Member

Again, try enabling memdbg on one of those hosts, and get its verdict.

--- a/src/memdbg_defines.h
+++ b/src/memdbg_defines.h
@@ -5,13 +5,13 @@
 #undef MEMDBG_EXTRA_CHECKS

 /* comment out the next line, to FULLY turn off memory debugging from this module, or uncomment to turn debugging on. */
-/*#define MEMDBG_ON*/
+#define MEMDBG_ON

 /* If this is uncommented (and MEMDBG_ON is also uncommented), then the memory checking will be much more through,
  * but memory will not be freed, and runtime will slow, possibly noticeably.  However, it is much more in-depth,
  * finding things like usage of freed pointers.  Some functions like
  */
-/*#define MEMDBG_EXTRA_CHECKS*/
+#define MEMDBG_EXTRA_CHECKS

 #if defined (JTR_RELEASE_BUILD)
 #undef MEMDBG_ON

then a make clean && make -s

@claudioandre-br
Member Author

To memdbg, things seem OK.

I disabled OpenMP and the errors are gone.

@claudioandre-br
Member Author

The problem is that OMP_NUM_THREADS has to be a multiple of 4.

If you try export OMP_NUM_THREADS=3 you can see the behavior on super.

@claudioandre-br
Member Author

BTW: I tested using ../run/john -te:0 -form:dynamic_0

And here the number of threads is 6.

@claudioandre-br
Member Author

The workaround export OMP_NUM_THREADS=4 works fine [closing].

@frank-dittrich
Collaborator

Since the error still occurs with OMP_NUM_THREADS=3, this bug shouldn't have been closed, even if you have a workaround.

This is on well with the latest bleeding-jumbo:

$ OMP_NUM_THREADS=3 ./john --test=0 --format=dynamic_0
Will run 3 OpenMP threads
Testing: dynamic_0 [md5($p) (raw-md5) 128/128 AVX 480x4x3]... (3xOMP) PASS
Segmentation fault (core dumped)
$ OMP_NUM_THREADS=3 gdb ./john
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /space/home/frank/git/fd-JtR/run/john...done.
(gdb) run --test=0 --format=dynamic_0
Starting program: /space/home/frank/git/fd-JtR/run/john --test=0 --format=dynamic_0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Will run 3 OpenMP threads
Testing: dynamic_0 [md5($p) (raw-md5) 128/128 AVX 480x4x3]... (3xOMP) [New Thread 0x7ffff4855700 (LWP 10982)]
[New Thread 0x7ffff4054700 (LWP 10983)]
PASS

Program received signal SIGSEGV, Segmentation fault.
0x0000000000942129 in MEMDBG_checkSnapshot_possible_exit_on_error (h=..., exit_on_any_leaks=0) at memdbg.c:759
759         if (p->mdbg_cnt > h.alloc_cnt && p->mdbg_fpst == MEMFPOST) {
(gdb) bt
#0  0x0000000000942129 in MEMDBG_checkSnapshot_possible_exit_on_error (h=..., exit_on_any_leaks=0) at memdbg.c:759
#1  0x00000000008faa5c in benchmark_all () at bench.c:638
#2  0x000000000090d05a in john_run () at john.c:1262
#3  0x000000000090de56 in main (argc=3, argv=0x7fffffffe568) at john.c:1617
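Added example, not JtR's memdbg.c and not code from this thread: a minimal tracked allocator in the same spirit, covering both mechanisms discussed above. Its free refuses pointers it does not own (the free()-of-mem_alloc_tiny()-memory case magnumripper describes), and its snapshot check walks the block list verifying fence posts and counting blocks newer than the snapshot, which is the kind of check that faults in MEMDBG_checkSnapshot_possible_exit_on_error once a header has been overwritten. All names, fence values and scenarios are constructed.

```c
/* Minimal memdbg-style tracked allocator (constructed example; names and
 * fence values are not JtR's). Each block carries a header with a fence post,
 * a sequence number and a list link. A snapshot records the sequence number so
 * a later check can report blocks newer than it (leaks) and damaged fence posts. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define FP_PRE   0xA1B2C3D4u   /* constructed fence-post values */
#define FP_POST  0xD4C3B2A1u
#define HDR_SIZE ((sizeof(struct hdr) + 15) & ~(size_t)15)
struct hdr {
    uint32_t    fpst;   /* leading fence post, FP_PRE while the block is live */
    uint32_t    cnt;    /* allocation sequence number */
    size_t      size;   /* user bytes requested */
    struct hdr *next;
};
struct snapshot { uint32_t alloc_cnt; };
static struct hdr *g_list;
static uint32_t    g_cnt;
static struct hdr *hdr_of(void *p) { return (struct hdr *)((uint8_t *)p - HDR_SIZE); }

/* Tracked allocation: header, user bytes, then a trailing fence post. */
void *dbg_alloc(size_t n)
{
    struct hdr *h = malloc(HDR_SIZE + n + sizeof(uint32_t));
    uint32_t post = FP_POST;
    if (!h) return NULL;
    h->fpst = FP_PRE; h->cnt = ++g_cnt; h->size = n;
    h->next = g_list; g_list = h;
    memcpy((uint8_t *)h + HDR_SIZE + n, &post, sizeof post);
    return (uint8_t *)h + HDR_SIZE;
}
/* Free only what we own: -1 for a foreign or already-freed pointer. Passing
 * one to free() is what glibc aborts on ("double free or corruption"). */
int dbg_free(void *p)
{
    struct hdr **pp, *h;
    for (pp = &g_list; p && *pp; pp = &(*pp)->next) {
        if (*pp != hdr_of(p)) continue;
        h = *pp; *pp = h->next;
        h->fpst = 0;    /* mark dead before handing back to libc */
        free(h);
        return 0;
    }
    return -1;
}
struct snapshot dbg_snapshot(void) { struct snapshot s = { g_cnt }; return s; }

/* Verify both fence posts of every live block and count blocks newer than
 * the snapshot. Stops with -1 at the first damaged header: its next pointer
 * can no longer be trusted, which is how p becomes garbage in the gdb output. */
int dbg_check(struct snapshot s, int *leaks)
{
    struct hdr *h; uint32_t post;
    for (*leaks = 0, h = g_list; h; h = h->next) {
        if (h->fpst != FP_PRE) return -1;
        memcpy(&post, (uint8_t *)h + HDR_SIZE + h->size, sizeof post);
        if (post != FP_POST) return -1;
        if (h->cnt > s.alloc_cnt) (*leaks)++;
    }
    return 0;
}

/* Release everything still tracked (what cleanup_tiny_memory() does at exit). */
void dbg_cleanup(void)
{
    while (g_list) { struct hdr *h = g_list; g_list = h->next; free(h); }
    g_cnt = 0;
}

/* Scenario 1: leak accounting, a foreign (arena) pointer and a double free.
 * Returns the leak count (1 expected) if every free behaved, otherwise -99. */
int scenario_tracking(void)
{
    uint8_t *arena = malloc(256);   /* stands in for a mem_alloc_tiny() block */
    void *a = dbg_alloc(8);
    struct snapshot s = dbg_snapshot();
    void *b = dbg_alloc(8);
    int leaks = 0, ok = dbg_check(s, &leaks) == 0;
    ok = ok && dbg_free(arena + 64) == -1;   /* not ours: refused, not freed */
    ok = ok && dbg_free(b) == 0 && dbg_free(b) == -1 && dbg_free(a) == 0;
    free(arena);    /* the arena's own cleanup, exactly once */
    dbg_cleanup();
    return ok ? leaks : -99;
}

/* Scenario 2: a 4-byte overrun smashes the trailing fence post. Returns 1 if
 * the snapshot check reports corruption. */
int scenario_overrun(void)
{
    struct snapshot s = dbg_snapshot();
    char *buf = dbg_alloc(16);
    int leaks, bad;
    memset(buf, 'q', 16 + 4);   /* 4 bytes too many, still inside our malloc */
    bad = dbg_check(s, &leaks) == -1;
    dbg_cleanup();
    return bad;
}
```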

@frank-dittrich
Collaborator

(gdb) print  h.alloc_cnt
$1 = 45637
(gdb) print p->mdbg_fpst
Cannot access memory at address 0x74317791743177bd
(gdb) print p
$2 = (MEMDBG_HDR *) 0x7431779174317791
(gdb) print p->mdbg_cnt
Cannot access memory at address 0x74317791743177b9

@frank-dittrich
Collaborator

On my local 64bit linux system (CPU-only), I get these problems with OMP_NUM_THREADS 3, 5, 7, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31.
But not with OMP_NUM_THREADS 0 (translates into 8 on my system), 1, 2, 4, 6, 8, 16, 32.
I didn't try larger values.

@frank-dittrich
Collaborator

git bisect points to this commit as causing the breakage:

 339052e621cf1d89b07061a7b48d26e95d3d249c is the first bad commit
commit 339052e621cf1d89b07061a7b48d26e95d3d249c
Author: jfoug <jfoug@cox.net>
Date:   Wed Jul 2 15:49:22 2014 -0500

    Fixed long standing memory buffer overflow issue, listed in bug #690

@frank-dittrich
Collaborator

Indeed, reverting 339052e fixes the issue.
But I'm not sure whether 339052e is the culprit.
Maybe 339052e merely uncovers another bug that was hidden.

@frank-dittrich
Collaborator

Apparently, 339052e just exposed the bug for the dynamic_0 self test.
With that commit reverted, I still get this (or a similar) bug with

$ OMP_NUM_THREADS=3 ./jtrts.pl -noprelims
-------------------------------------------------------------------------------
- JtR-TestSuite (jtrts). Version 1.12.16, Sept 24, 2014.  By, Jim Fougeron & others
- Testing:  John the Ripper password cracker, version 1.8.0.2-bleeding-jumbo_omp [linux-gnu 64-bit AVX-autoconf]
--------------------------------------------------------------------------------

John Jumbo build detected.

form=dynamic_0                    guesses: 1500 0:00:00:00 DONE  [PASSED]
.pot CHK:dynamic_0                guesses: 1500 0:00:00:00 DONE  [PASSED]

[...]

form=dynamic_55                   guesses: 1500 0:00:00:01 DONE  [PASSED]
.pot CHK:dynamic_55               guesses: 1500 0:00:00:00 DONE  [PASSED]
*** Error in `../run/john': munmap_chunk(): invalid pointer: 0x00007fc84399f010 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3bc2675a4f]
/lib64/libc.so.6[0x3bc267b8a7]
../run/john[0x5d8b88]
../run/john[0x5cf2d8]
../run/john[0x5cf7a3]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x3bc2621d65]
../run/john[0x4062dd]
======= Memory map: ========
sh: line 1: 22946 Aborted                 (core dumped) ../run/john -ses=./tst -pot=./tst.pot dynamic_56_tst.in --wordlist=pw.dic 2>&1 > /dev/null

form=dynamic_56                   guesses: 1500 0:00:00:02 DONE  [PASSED]
.pot CHK:dynamic_56               guesses: 1500 0:00:00:00 DONE  [PASSED]

@frank-dittrich
Collaborator

[...]
form=dynamic_65                   guesses: 1500 0:00:00:01 DONE  [PASSED]
.pot CHK:dynamic_65               guesses: 1500 0:00:00:00 DONE  [PASSED]
*** Error in `../run/john': munmap_chunk(): invalid pointer: 0x00007f810de9e010 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3bc2675a4f]
/lib64/libc.so.6[0x3bc267b8a7]
../run/john[0x5d8b88]
../run/john[0x5cf2d8]
../run/john[0x5cf7a3]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x3bc2621d65]
../run/john[0x4062dd]
======= Memory map: ========
3bc4e00000-3bc4e16000 r-xp 00000000 fd:02 1716302                        /usr/lib64/libresolv-2.18.so
3bc4e16000-3bc5016000 ---p 00016000 fd:02 1716302                        /usr/lib64/libresolv-2.18.so
3bc5016000-3bc5017000 r-xp 00016000 fd:02 1716302                        /usr/lib64/libresolv-2.18.so
3bc5017000-3bc5018000 rwxp 00017000 fd:02 1716302                        /usr/lib64/libresolv-2.18.so
3bc5018000-3bc501a000 rwxp 00000000 00:00 0 
3bd2200000-3bd223a000 r-xp 00000000 fd:02 1722766                        /usr/lib64/libnspr4.so
3bd223a000-3bd2439000 ---p 0003a000 fd:02 1722766                        /usr/lib64/libnspr4.so
3bd2439000-3bd243a000 r-xp 00039000 fd:02 1722766                        /usr/lib64/libnspr4.so
3bd243a000-3bd243c000 rwxp 0003a000 fd:02 1722766                        /usr/lib64/libnspr4.so
3bd243c000-3bd243e000 rwxp 00000000 00:00 0 
3bd2600000-3bd2603000 r-xp 00000000 fd:02 1722768                        /usr/lib64/libplds4.so
3bd2603000-3bd2802000 ---p 00003000 fd:02 1722768                        /usr/lib64/libplds4.so
3bd2802000-3bd2803000 r-xp 00002000 fd:02 1722768                        /usr/lib64/libplds4.so
3bd2803000-3bd2804000 rwxp 00003000 fd:02 1722768                        /usr/lib64/libplds4.so
3bd2a00000-3bd2a03000 r-xp 00000000 fd:02 1722741                        /usr/lib64/libcom_err.so.2.1
3bd2a03000-3bd2c02000 ---p 00003000 fd:02 1722741                        /usr/lib64/libcom_err.so.2.1
3bd2c02000-3bd2c03000 r-xp 00002000 fd:02 1722741                        /usr/lib64/libcom_err.so.2.1
3bd2c03000-3bd2c04000 rwxp 00003000 fd:02 1722741                        /usr/lib64/libcom_err.so.2.1
3bd2e00000-3bd2e04000 r-xp 00000000 fd:02 1722767                        /usr/lib64/libplc4.so
3bd2e04000-3bd3003000 ---p 00004000 fd:02 1722767                        /usr/lib64/libplc4.so
3bd3003000-3bd3004000 r-xp 00003000 fd:02 1722767                        /usr/lib64/libplc4.so
3bd3004000-3bd3005000 rwxp 00004000 fd:02 1722767                        /usr/lib64/libplc4.so
3bd3a00000-3bd3a03000 r-xp 00000000 fd:02 1711889                        /usr/lib64/libkeyutils.so.1.5
3bd3a03000-3bd3c02000 ---p 00003000 fd:02 1711889                        /usr/lib64/libkeyutils.so.1.5
3bd3c02000-3bd3c03000 r-xp 00002000 fd:02 1711889                        /usr/lib64/libkeyutils.so.1.5
3bd3c03000-3bd3c04000 rwxp 00003000 fd:02 1711889                        /usr/lib64/libkeyutils.so.1.5
3bd4200000-3bd42d0000 r-xp 00000000 fd:02 1722743                        /usr/lib64/libkrb5.so.3.3
3bd42d0000-3bd44cf000 ---p 000d0000 fd:02 1722743                        /usr/lib64/libkrb5.so.3.3
3bd44cf000-3bd44dd000 r-xp 000cf000 fd:02 1722743                        /usr/lib64/libkrb5.so.3.3
3bd44dd000-3bd44e0000 rwxp 000dd000 fd:02 1722743                        /usr/lib64/libkrb5.so.3.3
3bd4600000-3bd460d000 r-xp 00000000 fd:02 1722739                        /usr/lib64/libkrb5support.so.0.1
3bd460d000-3bd480c000 ---p 0000d000 fd:02 1722739                        /usr/lib64/libkrb5support.so.0.1
3bd480c000-3bd480d000 r-xp 0000c000 fd:02 1722739                        /usr/lib64/libkrb5support.so.0.1
3bd480d000-3bd480e000 rwxp 0000d000 fd:02 1722739                        /usr/lib64/libkrb5support.so.0.1
3bd4a00000-3bd4a32000 r-xp 00000000 fd:02 1722740                        /usr/lib64/libk5crypto.so.3.1
3bd4a32000-3bd4c31000 ---p 00032000 fd:02 1722740                        /usr/lib64/libk5crypto.so.3.1
3bd4c31000-3bd4c33000 r-xp 00031000 fd:02 1722740                        /usr/lib64/libk5crypto.so.3.1
3bd4c33000-3bd4c34000 rwxp 00033000 fd:02 1722740                        /usr/lib64/libk5crypto.so.3.1
3bd4c34000-3bd4c35000 rwxp 00000000 00:00 0 
3bd6200000-3bd6247000 r-xp 00000000 fd:02 1711911                        /usr/lib64/libgssapi_krb5.so.2.2
3bd6247000-3bd6447000 ---p 00047000 fd:02 1711911                        /usr/lib64/libgssapi_krb5.so.2.2
3bd6447000-3bd6448000 r-xp 00047000 fd:02 1711911                        /usr/lib64/libgssapi_krb5.so.2.2
3bd6448000-3bd644a000 rwxp 00048000 fd:02 1711911                        /usr/lib64/libgssapi_krb5.so.2.2
3bd9600000-3bd966e000 r-xp 00000000 fd:02 1722596                        /usr/lib64/libgmp.so.10.1.2
3bd966e000-3bd986d000 ---p 0006e000 fd:02 1722596                        /usr/lib64/libgmp.so.10.1.2
3bd986d000-3bd986e000 r-xp 0006d000 fd:02 1722596                        /usr/lib64/libgmp.so.10.1.2
3bd986e000-3bd9877000 rwxp 0006e000 fd:02 1722596                        /usr/lib64/libgmp.so.10.1.2
7f810cb5e000-7f810cb5f000 ---p 00000000 00:00 0 
7f810cb5f000-7f810d35f000 rwxp 00000000 00:00 0                          [stack:23875]
7f810d51c000-7f810d51d000 ---p 00000000 00:00 0 
7f810d51d000-7f810dd1d000 rwxp 00000000 00:00 0                          [stack:23874]
7f810de9e000-7f810e0e9000 rwxp 00000000 00:00 0 
7f810e0e9000-7f810e0f0000 r-xp 00000000 fd:02 1708649                    /usr/lib64/librt-2.18.so
7f810e0f0000-7f810e2ef000 ---p 00007000 fd:02 1708649                    /usr/lib64/librt-2.18.so
7f810e2ef000-7f810e2f0000 r-xp 00006000 fd:02 1708649                    /usr/lib64/librt-2.18.so
7f810e2f0000-7f810e2f1000 rwxp 00007000 fd:02 1708649                    /usr/lib64/librt-2.18.so
7f810e2f1000-7f810e2f8000 rwxp 00000000 00:00 0 
7f810e308000-7f810e30b000 rwxp 00000000 00:00 0 
7fff08e9d000-7fff08f33000 rwxp 00000000 00:00 0                          [stack]
7fff08fd8000-7fff08fda000 r-xp 00000000 00:00 0                          [vdso]
7fff08fda000-7fff08fdc000 r--p 00000000 00:00 0                          [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
sh: line 1: 23873 Aborted                 (core dumped) ../run/john -ses=./tst -pot=./tst.pot dynamic_66_tst.in --wordlist=pw.dic 2>&1 > /dev/null

form=dynamic_66                   guesses: 1500 0:00:00:02 DONE  [PASSED]
.pot CHK:dynamic_66               guesses: 1500 0:00:00:00 DONE  [PASSED]

[...]

form=gost                         guesses: 1500 0:00:00:00 DONE  [PASSED]
.pot CHK:gost                     guesses: 1500 0:00:00:00 DONE  [PASSED]

All tests passed without error.  Performed 279 tests.  Time used was 573 seconds

So, only a few dynamic formats are affected. (This test was with commit 339052e reverted.)

BTW, I guess I'll create a new jtrts issue.
After the core, $? is not 0, and jtrts shouldn't report that test as passed without error.

I guess

@frank-dittrich
Collaborator

It looks like reverting 339052e, as expected, just makes this issue reappear:
#690

@frank-dittrich frank-dittrich changed the title Any special requirement for libc? Segfault in dynamic formats self test with OMP_NUM_THREADS=3 Oct 24, 2014
@magnumripper
Member

Unfortunately @jfoug might not be able to have a look at this immediately. But it's good we tracked it down.

@jfoug
Collaborator

jfoug commented Oct 25, 2014

This bug fix (339052e) was for the 64 bit formats where hash(hash(x).hash(y)) caused a full 256 bytes of usage. Whirlpool, sha512, etc. This was the problem where we were getting OMP failures. If this is reverted, then those failures will come back (87-88 107-108 are formats that push the buffer to the extreme limit).

I will see if I can find the problem. One big problem is it works perfectly on cygwin64 (sorry linux guys). I will have to see if I can figure this one out on the VM.

@jfoug
Collaborator

jfoug commented Oct 25, 2014

nope, got cygwin to core on OMP=5

@magnumripper
Member

I would think so, I get segfaults on OSX 64-bit. Should not be arch dependent other than SSE2.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000942129 in MEMDBG_checkSnapshot_possible_exit_on_error (h=..., exit_on_any_leaks=0) at memdbg.c:759
759         if (p->mdbg_cnt > h.alloc_cnt && p->mdbg_fpst == MEMFPOST) {

Even memdbg itself cored, that's funny!

@jfoug
Collaborator

jfoug commented Oct 25, 2014

The dynamic_fmt.c change for 339052e is obviously a cause of extensive overflows. BUT it was removed due to causing other issues. I just have to find those issues. It may have been in TS failures.

@frank-dittrich
Collaborator

MEMDBG_HDR and MEMDBG_HDR2 might be too small to detect typical memory corruption on sse2/avx builds, and we need to (optionally) increase their size.

@frank-dittrich
Collaborator

@magnumripper

I would think so, I get segfaults on OSX 64-bit. Should not be arch dependant other than SSE2.

That's wrong.
With OMP_NUM_THREADS=9 (but not with OMP_NUM_THREADS smaller than 9), I was able to reproduce this on a legacy linux-x86-any build (with OMP enabled) on 32bit linux:

$ OMP_NUM_THREADS=9 ./john --test=0 --format=dynamic_0
Will run 9 OpenMP threads
Testing: dynamic_0 [md5($p) (raw-md5) 32/32 6144x1 (MD5_body)]... (9xOMP) PASS
*** Error in `./john': munmap_chunk(): invalid pointer: 0x09046508 ***
======= Backtrace: =========
/lib/libc.so.6[0x48788143]
/lib/libc.so.6[0x4878e984]
/lib/libc.so.6[0x48731e8a]
./john[0x81e60d8]
./john[0x81dc745]
./john[0x81dcdca]
/lib/libc.so.6(__libc_start_main+0xf3)[0x48733b73]
./john[0x804d331]
======= Memory map: ========
08048000-082f5000 r-xp 00000000 fd:03 1874442    /home/fd/git/JtR/run/john
082f5000-082f6000 r-xp 002ac000 fd:03 1874442    /home/fd/git/JtR/run/john
082f6000-08322000 rwxp 002ad000 fd:03 1874442    /home/fd/git/JtR/run/john
08322000-08b5c000 rwxp 00000000 00:00 0 
08f8d000-0908b000 rwxp 00000000 00:00 0          [heap]
41881000-418a2000 r-xp 00000000 fd:01 1180269    /usr/lib/libnssutil3.so
418a2000-418a3000 ---p 00021000 fd:01 1180269    /usr/lib/libnssutil3.so
418a3000-418a6000 r-xp 00021000 fd:01 1180269    /usr/lib/libnssutil3.so
418a6000-418a7000 rwxp 00024000 fd:01 1180269    /usr/lib/libnssutil3.so
418a9000-418cd000 r-xp 00000000 fd:01 1193866    /usr/lib/libsmime3.so
418cd000-418cf000 r-xp 00023000 fd:01 1193866    /usr/lib/libsmime3.so
418cf000-418d0000 rwxp 00025000 fd:01 1193866    /usr/lib/libsmime3.so
418f8000-41932000 r-xp 00000000 fd:01 1187666    /usr/lib/libssl3.so
41932000-41934000 r-xp 00039000 fd:01 1187666    /usr/lib/libssl3.so
41934000-41935000 rwxp 0003b000 fd:01 1187666    /usr/lib/libssl3.so
41937000-41996000 r-xp 00000000 fd:01 1201060    /usr/lib/libssl.so.1.0.1e
41996000-41998000 r-xp 0005f000 fd:01 1201060    /usr/lib/libssl.so.1.0.1e
41998000-4199c000 rwxp 00061000 fd:01 1201060    /usr/lib/libssl.so.1.0.1e
41a8d000-41bb4000 r-xp 00000000 fd:01 1186027    /usr/lib/libnss3.so
41bb4000-41bb5000 ---p 00127000 fd:01 1186027    /usr/lib/libnss3.so
41bb5000-41bb8000 r-xp 00127000 fd:01 1186027    /usr/lib/libnss3.so
41bb8000-41bba000 rwxp 0012a000 fd:01 1186027    /usr/lib/libnss3.so
41bbc000-41c1d000 r-xp 00000000 fd:01 1201062    /usr/lib/libfreebl3.so
41c1d000-41c1e000 ---p 00061000 fd:01 1201062    /usr/lib/libfreebl3.so
41c1e000-41c1f000 r-xp 00061000 fd:01 1201062    /usr/lib/libfreebl3.so
41c1f000-41c20000 rwxp 00062000 fd:01 1201062    /usr/lib/libfreebl3.so
41c20000-41c24000 rwxp 00000000 00:00 0 
41c26000-41c2d000 r-xp 00000000 fd:01 1201063    /usr/lib/libcrypt-2.18.so
41c2d000-41c2e000 r-xp 00006000 fd:01 1201063    /usr/lib/libcrypt-2.18.so
41c2e000-41c2f000 rwxp 00007000 fd:01 1201063    /usr/lib/libcrypt-2.18.so
41c2f000-41c56000 rwxp 00000000 00:00 0 
41e74000-42025000 r-xp 00000000 fd:01 1201059    /usr/lib/libcrypto.so.1.0.1e
42025000-42035000 r-xp 001b0000 fd:01 1201059    /usr/lib/libcrypto.so.1.0.1e
42035000-4203c000 rwxp 001c0000 fd:01 1201059    /usr/lib/libcrypto.so.1.0.1e
4203c000-4203f000 rwxp 00000000 00:00 0 
486f7000-48716000 r-xp 00000000 fd:01 1180239    /usr/lib/ld-2.18.so
48716000-48717000 r-xp 0001e000 fd:01 1180239    /usr/lib/ld-2.18.so
48717000-48718000 rwxp 0001f000 fd:01 1180239    /usr/lib/ld-2.18.so
4871a000-488d2000 r-xp 00000000 fd:01 1180240    /usr/lib/libc-2.18.so
488d2000-488d4000 r-xp 001b8000 fd:01 1180240    /usr/lib/libc-2.18.so
488d4000-488d5000 rwxp 001ba000 fd:01 1180240    /usr/lib/libc-2.18.so
488d5000-488d8000 rwxp 00000000 00:00 0 
488da000-488f1000 r-xp 00000000 fd:01 1180242    /usr/lib/libpthread-2.18.so
488f1000-488f2000 r-xp 00016000 fd:01 1180242    /usr/lib/libpthread-2.18.so
488f2000-488f3000 rwxp 00017000 fd:01 1180242    /usr/lib/libpthread-2.18.so
488f3000-488f5000 rwxp 00000000 00:00 0 
488f7000-488fa000 r-xp 00000000 fd:01 1180251    /usr/lib/libdl-2.18.so
488fa000-488fb000 r-xp 00002000 fd:01 1180251    /usr/lib/libdl-2.18.so
488fb000-488fc000 rwxp 00003000 fd:01 1180251    /usr/lib/libdl-2.18.so
488fe000-48943000 r-xp 00000000 fd:01 1180267    /usr/lib/libm-2.18.so
48943000-48944000 r-xp 00044000 fd:01 1180267    /usr/lib/libm-2.18.so
48944000-48945000 rwxp 00045000 fd:01 1180267    /usr/lib/libm-2.18.so
48947000-4895c000 r-xp 00000000 fd:01 1180258    /usr/lib/libz.so.1.2.8
4895c000-4895d000 r-xp 00014000 fd:01 1180258    /usr/lib/libz.so.1.2.8
4895d000-4895e000 rwxp 00015000 fd:01 1180258    /usr/lib/libz.so.1.2.8
48960000-48987000 r-xp 00000000 fd:01 1180260    /usr/lib/liblzma.so.5.0.99
48987000-48988000 r-xp 00027000 fd:01 1180260    /usr/lib/liblzma.so.5.0.99
48988000-48989000 rwxp 00028000 fd:01 1180260    /usr/lib/liblzma.so.5.0.99
4898b000-489f3000 r-xp 00000000 fd:01 1180259    /usr/lib/libpcre.so.1.2.1
489f3000-489f4000 r-xp 00068000 fd:01 1180259    /usr/lib/libpcre.so.1.2.1
489f4000-489f5000 rwxp 00069000 fd:01 1180259    /usr/lib/libpcre.so.1.2.1
489f7000-48a18000 r-xp 00000000 fd:01 1180261    /usr/lib/libselinux.so.1
48a18000-48a19000 r-xp 00020000 fd:01 1180261    /usr/lib/libselinux.so.1
48a19000-48a1a000 rwxp 00021000 fd:01 1180261    /usr/lib/libselinux.so.1
48a1a000-48a1b000 rwxp 00000000 00:00 0 
48a1d000-48a38000 r-xp 00000000 fd:01 1180280    /usr/lib/libgcc_s-4.8.3-20140911.so.1
48a38000-48a39000 r-xp 0001a000 fd:01 1180280    /usr/lib/libgcc_s-4.8.3-20140911.so.1
48a39000-48a3a000 rwxp 0001b000 fd:01 1180280    /usr/lib/libgcc_s-4.8.3-20140911.so.1
48a3c000-48a53000 r-xp 00000000 fd:01 1192731    /usr/lib/libgomp.so.1.0.0
48a53000-48a54000 r-xp 00016000 fd:01 1192731    /usr/lib/libgomp.so.1.0.0
48a54000-48a55000 rwxp 00017000 fd:01 1192731    /usr/lib/libgomp.so.1.0.0
49812000-49815000 r-xp 00000000 fd:01 1180274    /usr/lib/libplds4.so
49815000-49816000 r-xp 00002000 fd:01 1180274    /usr/lib/libplds4.so
49816000-49817000 rwxp 00003000 fd:01 1180274    /usr/lib/libplds4.so
49819000-49853000 r-xp 00000000 fd:01 1180272    /usr/lib/libnspr4.so
49853000-49854000 ---p 0003a000 fd:01 1180272    /usr/lib/libnspr4.so
49854000-49855000 r-xp 0003a000 fd:01 1180272    /usr/lib/libnspr4.so
49855000-49856000 rwxp 0003b000 fd:01 1180272    /usr/lib/libnspr4.so
49856000-49858000 rwxp 00000000 00:00 0 
4985a000-4985e000 r-xp 00000000 fd:01 1180273    /usr/lib/libplc4.so
4985e000-4985f000 r-xp 00003000 fd:01 1180273    /usr/lib/libplc4.so
4985f000-49860000 rwxp 00004000 fd:01 1180273    /usr/lib/libplc4.so
4988b000-4988e000 r-xp 00000000 fd:01 1180243    /usr/lib/libcom_err.so.2.1
4988e000-4988f000 r-xp 00002000 fd:01 1180243    /usr/lib/libcom_err.so.2.1
4988f000-49890000 rwxp 00003000 fd:01 1180243    /usr/lib/libcom_err.so.2.1
49eaa000-49f70000 r-xp 00000000 fd:01 1180388    /usr/lib/libkrb5.so.3.3
49f70000-49f71000 ---p 000c6000 fd:01 1180388    /usr/lib/libkrb5.so.3.3
49f71000-49f77000 r-xp 000c6000 fd:01 1180388    /usr/lib/libkrb5.so.3.3
49f77000-49f79000 rwxp 000cc000 fd:01 1180388    /usr/lib/libkrb5.so.3.3
49fa4000-49fd7000 r-xp 00000000 fd:01 1180387    /usr/lib/libk5crypto.so.3.1
49fd7000-49fd8000 r-xp 00033000 fd:01 1180387    /usr/lib/libk5crypto.so.3.1
49fd8000-49fd9000 rwxp 00034000 fd:01 1180387    /usr/lib/libk5crypto.so.3.1
49fd9000-49fda000 rwxp 00000000 00:00 0 
4a269000-4a26c000 r-xp 00000000 fd:01 1180385    /usr/lib/libkeyutils.so.1.5
4a26c000-4a26d000 r-xp 00002000 fd:01 1180385    /usr/lib/libkeyutils.so.1.5
4a26d000-4a26e000 rwxp 00003000 fd:01 1180385    /usr/lib/libkeyutils.so.1.5
4a270000-4a27c000 r-xp 00000000 fd:01 1180386    /usr/lib/libkrb5support.so.0.1
4a27c000-4a27d000 r-xp 0000b000 fd:01 1180386    /usr/lib/libkrb5support.so.0.1
4a27d000-4a27e000 rwxp 0000c000 fd:01 1180386    /usr/lib/libkrb5support.so.0.1
4a330000-4a376000 r-xp 00000000 fd:01 1180389    /usr/lib/libgssapi_krb5.so.2.2
4a376000-4a377000 r-xp 00046000 fd:01 1180389    /usr/lib/libgssapi_krb5.so.2.2
4a377000-4a378000 rwxp 00047000 fd:01 1180389    /usr/lib/libgssapi_krb5.so.2.2
4aa2e000-4aa95000 r-xp 00000000 fd:01 1180379    /usr/lib/sse2/libgmp.so.10.1.2
4aa95000-4aa96000 r-xp 00066000 fd:01 1180379    /usr/lib/sse2/libgmp.so.10.1.2
4aa96000-4aa9d000 rwxp 00067000 fd:01 1180379    /usr/lib/sse2/libgmp.so.10.1.2
b33be000-b33bf000 ---p 00000000 00:00 0 
b33bf000-b3bbf000 rwxp 00000000 00:00 0          [stack:8422]
b3bbf000-b3bc0000 ---p 00000000 00:00 0 
b3bc0000-b43c0000 rwxp 00000000 00:00 0          [stack:8421]
b43c0000-b43c1000 ---p 00000000 00:00 0 
b43c1000-b4bc1000 rwxp 00000000 00:00 0          [stack:8420]
b4bc1000-b4bc2000 ---p 00000000 00:00 0 
b4bc2000-b53c2000 rwxp 00000000 00:00 0          [stack:8419]
b53c2000-b53c3000 ---p 00000000 00:00 0 
b53c3000-b5bc3000 rwxp 00000000 00:00 0          [stack:8418]
b5bc3000-b5bc4000 ---p 00000000 00:00 0 
b5bc4000-b63c4000 rwxp 00000000 00:00 0          [stack:8417]
b63c4000-b63c5000 ---p 00000000 00:00 0 
b63c5000-b6bc5000 rwxp 00000000 00:00 0          [stack:8416]
b6bc5000-b6bc6000 ---p 00000000 00:00 0 
b6bc6000-b73c6000 rwxp 00000000 00:00 0          [stack:8415]
b76c8000-b76cc000 rwxp 00000000 00:00 0 
b76cc000-b76d3000 r-xp 00000000 fd:01 1180254    /usr/lib/librt-2.18.so
b76d3000-b76d4000 r-xp 00006000 fd:01 1180254    /usr/lib/librt-2.18.so
b76d4000-b76d5000 rwxp 00007000 fd:01 1180254    /usr/lib/librt-2.18.so
b76d5000-b76d6000 rwxp 00000000 00:00 0 
b76d6000-b76eb000 r-xp 00000000 fd:01 1180262    /usr/lib/libresolv-2.18.so
b76eb000-b76ec000 ---p 00015000 fd:01 1180262    /usr/lib/libresolv-2.18.so
b76ec000-b76ed000 r-xp 00015000 fd:01 1180262    /usr/lib/libresolv-2.18.so
b76ed000-b76ee000 rwxp 00016000 fd:01 1180262    /usr/lib/libresolv-2.18.so
b76ee000-b76f3000 rwxp 00000000 00:00 0 
b7702000-b7705000 rwxp 00000000 00:00 0 
b7705000-b7706000 r-xp 00000000 00:00 0          [vdso]
b7706000-b7708000 r--p 00000000 00:00 0          [vvar]
bfb1c000-bfbb1000 rwxp 00000000 00:00 0          [stack]
Aborted (core dumped)
$ ./john --list=build-info
Version: 1.8.0.2-bleeding-jumbo OMP
Build: linux-x86-any
Arch: 32-bit LE
$JOHN is ./
Format interface version: 12
Max. number of reported tunable costs: 3
Rec file version: REC4
Charset file version: CHR3
CHARSET_MIN: 1 (0x01)
CHARSET_MAX: 255 (0xff)
CHARSET_LENGTH: 24
Max. Markov mode level: 400
Max. Markov mode password length: 30
Compiler version: 4.8.3 20140911 (Red Hat 4.8.3-7)
gcc version: 4.8.3
OpenSSL library version: 01000105f
OpenSSL 1.0.1e-fips 11 Feb 2013
GMP library version: 5.1.2
NSS library version: 3.17.2 Basic ECC   (loaded: 3.17.2 Extended ECC)
NSPR library version: 4.10.7
Kerberos version 5 support enabled
fseek(): fseek
ftell(): ftell
fopen(): fopen
memmem(): JtR internal

@jfoug
Collaborator

jfoug commented Oct 25, 2014

This is dyna buffers (inputs) being overwritten. So the heap after them is smashed. What it is will depend on what the linker put there. But do not waste time tracking down any more issues. You will simply be chasing your tail until the memory overflow is fixed.

@jfoug
Collaborator

jfoug commented Oct 25, 2014

I think I have a work around for this. What I only need to do is to drop the 'top' var down, IF it is larger than the entire count of max values. THAT is where the overflow is. I need to keep the code in there (i.e. the bad bugfix), where we do nothing if top > m_count, UNLESS it is larger than the entire count size of the buffer. What we are getting is the max count is not even divisible. I also need to look at that logic. It may be that the computation of max array size is busted.
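The overflow pattern described in the comment above (a per-thread work slice whose 'top' runs past the buffer when the candidate count does not divide evenly by the thread count) can be reproduced in a few lines. The following is an added illustration written for this page; it is not code from dynamic_fmt.c, and the names split_unclamped, split_clamped, fill_slices, slices_in_bounds and the MAX_KEYS capacity are all hypothetical stand-ins for the real m_count/top logic.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not John the Ripper code. A bounded "input
 * buffer" is filled by several OpenMP-style workers; each worker is handed a
 * half-open slice [lo, top) of the candidate count. */
#define MAX_KEYS 10   /* hypothetical buffer capacity (stands in for m_count) */

typedef struct {
    int lo;
    int top;
} slice_t;

/* Naive split: ceil(count/threads) entries per worker, no clamping.
 * count=10, threads=3 gives per=4, so worker 2 receives [8,12) and the last
 * two indexes lie beyond a 10-entry buffer. count=5, threads=9 gives per=1,
 * so workers 5..8 receive slices that start beyond the buffer entirely. */
slice_t split_unclamped(int count, int threads, int tid)
{
    if (threads < 1) threads = 1;
    int per = (count + threads - 1) / threads;
    slice_t s = { tid * per, (tid + 1) * per };
    return s;
}

/* Clamped split: 'top' is pulled down to count, and 'lo' is clamped as well
 * so a worker with nothing to do gets the empty range [count, count) rather
 * than one that begins past the end of the buffer. */
slice_t split_clamped(int count, int threads, int tid)
{
    slice_t s = split_unclamped(count, threads, tid);
    if (s.top > count) s.top = count;
    if (s.lo > count)  s.lo = count;
    return s;
}

/* Returns 1 if every worker's slice lies inside [0, count], 0 otherwise.
 * This is the invariant a self test or debug build could assert on. */
int slices_in_bounds(slice_t (*split)(int, int, int), int count, int threads)
{
    for (int t = 0; t < threads; t++) {
        slice_t s = split(count, threads, t);
        if (s.lo < 0 || s.top > count || s.lo > s.top) return 0;
    }
    return 1;
}

/* Simulated fill: writes one byte per candidate into a bounded buffer,
 * refusing any write outside [0, count). Returns how many writes the split
 * would have sent outside the buffer (0 means no overflow). */
int fill_slices(slice_t (*split)(int, int, int), int count, int threads)
{
    unsigned char buf[MAX_KEYS];
    int oob = 0;
    if (count < 0 || count > MAX_KEYS) return -1;
    memset(buf, 0, sizeof buf);
    for (int t = 0; t < threads; t++) {
        slice_t s = split(count, threads, t);
        for (int i = s.lo; i < s.top; i++) {
            if (i >= 0 && i < count) buf[i] = 1;
            else oob++;
        }
    }
    return oob;
}

int main(void)
{
    printf("10 keys / 3 threads, unclamped: %d out-of-bounds writes\n",
           fill_slices(split_unclamped, 10, 3));
    printf("10 keys / 3 threads, clamped:   %d out-of-bounds writes\n",
           fill_slices(split_clamped, 10, 3));
    printf("5 keys / 9 threads, unclamped:  %d out-of-bounds writes\n",
           fill_slices(split_unclamped, 5, 9));
    printf("5 keys / 9 threads, clamped:    %d out-of-bounds writes\n",
           fill_slices(split_clamped, 5, 9));
    return 0;
}
```

In the real program the extra writes land on whatever the allocator placed after the buffer, which is why the symptom moved between "double free or corruption", "munmap_chunk(): invalid pointer" and a crash inside memdbg itself depending on build and thread count; a check like slices_in_bounds() run once per format in the self test catches the bad partition before any write happens.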

jfoug added a commit that referenced this issue Oct 25, 2014
@jfoug
Collaborator

jfoug commented Oct 25, 2014

Please test with 8a8dcec It should handle both issues. Issue 1 was dealt with by 339052e BUT it caused this issue. I think 8a8dcec gets both of them.

NOTE, leave this open. I do not like this correction. It 'may' be what is kept in the end, but I want to look for other avenues, and see if there is a better way to kill these problems.

@claudioandre-br
Member Author

Native (6xOMP)

  • All 378 formats passed self-tests!

@frank-dittrich
Collaborator

I can confirm that both problems (issues #825 and #690) are fixed with commit 8a8dcec on 64bit linux (AC build) and 32bit linux (legacy linux-x86-any build with OMP enabled):

With 64bit Linux, I tested

(bleeding-jumbo)run $ for i in `seq 1 33`; do OMP_NUM_THREADS=$i ./john --test=0 --format=dynamic; done |grep -v PASS

and

(master)test $ for i in `seq 1 9`; do OMP_NUM_THREADS=$i ./jtrts.pl -noprelims -q -type dynamic; echo $i; done

With 32bit Linux, I just tested

$ for i in `seq 1 33`; do OMP_NUM_THREADS=$i ./john --test=0 --format=dynamic; done |grep -v PASS

The test suite (jtrts.pl) tests are still running on my 32bit system.
But I don't expect any problems here.
Besides, I never tested whether or not issue #690 ever occurred for a non-sse 32bit linux build.

@jfoug
Collaborator

jfoug commented Oct 26, 2014

Indeed, reverting 339052e fixes the issue.
But I'm not sure whether 339052e is the culprit.
May be 339052e merely uncovers another bug that was hidden.

@frank-dittrich I want to thank you a lot for the time you put into running this issue down. It saved me a TON of time, being pointed to right where the problem was.

@frank-dittrich
Collaborator

@jfoug No problem, just let me know when your final version of the fix is ready, and I'll repeat my tests.

jfoug added a commit that referenced this issue Oct 26, 2014
@jfoug
Collaborator

jfoug commented Oct 26, 2014

The original code is what I am going with. I did change the comment and scrubbed the original buggy code (commented out). I also changed the helper code comment showing what was going on. BUT the actual code itself is the same as the prior tested fix.

The cosmetic patch is 1d03123

@jfoug jfoug closed this as completed Oct 26, 2014
@frank-dittrich
Collaborator

Meanwhile, the following 32bit linux test finished without problems:

for i in `seq 1 17`; do OMP_NUM_THREADS=$i ./jtrts.pl -noprelims -q -type dynamic; echo $i; done

4 participants