New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fixes for crashes found with fuzzing #5166
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I only looked at what's in patch context. I made some nitpicks, but overall this looks fine. Thank you, Aleksey!
I guess this means we need to enhance the self-tests to truncate a copy of the returned salt to the format's However, we seem to have no way to guarantee the data following the truncated salt won't just happen to match what's in the full returned salt (unless we over-read the returned salt just to ensure we produce different e.g. first byte there, but such over-reading is unsafe, so let's not do it). So this will be a best-effort test, which is fine. We can over-allocate, say, 1 byte to put some varying value in that extra byte. |
I fixed |
Yes, but it only shows cumulative changes - it would not help detect e.g. the desired changes inadvertently being in a wrong commit, or some commit introducing extra changes that another commit then removes. I wish GitHub provided a tool to easily detect those. |
I guess copying into test db truncates at Fuzzer could find overflow for too small buffers. Static analysis could find that buffer size is not in sync with Talking about checks of additional constraints during fuzzing, I would check that result from |
I don't understand this.
Please feel free to implement that. Thanks! |
Force-pushing to keep nice "source history" seems a popular variant of workflow and GitHub is informed about it. OTOH I don't see discussions about highlighting commits with new changes to review breakdown of cumulative changes. |
Some formats has salt of variable length. Usually it is stored with padding and treated as fixed size by code outside of format. (There is dyna_salt feature allowing variable lengths without padding, but it is used for a small number of formats where really big salts can happen.) So some of formats with variable lengths of salts do not include test cases for maximum allowed length of salt. For instance, |
It closes #5157. It affects the following formats:
--test=0
and--fuzz=../run/fuzz.dic
are ok.I prepared fixes quickly, so some of them might be suboptimal.
JFYI I was caught by the following problem fixing
wowsrp
: I increased buffer size right inget_salt
instead of change toSALT_SIZE
. So salt would be truncated and there would be a crash during cracking or uncrackable hash. Self-tests do not catch such mistake: all tests worked well with smaller buffer. Fuzzer does not catch it too.My fixes for memory leaks in #5158 introduced use-after-free for dynamic salts because
ldr_free_db
is called in fuzzer and in john.The problem affects a subset of formats using
dyna_salt
(approximatelygpg,7z,pkzip,zip
+ their opencl variants).The last commit fixes the use-after-free. To allow excessive calls to
ldr_free_db
, I just setdb->salts
toNULL
inldr_free_db
. I am not sure if it is ok. But ASan does not report leaks. I would like this bit to be reviewed better.If everything is fine, this PR is ready. Thanks!