Message-ID: <CANO7a6zkxPb98vAOK43XPCmaVP2g+bHh_fNqJFNEd-oypjfxRA@mail.gmail.com>
Date: Wed, 27 Jun 2012 14:57:17 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: Re: SSH format crashes when built using "linux-x86-clang-debug"

On Wed, Jun 27, 2012 at 2:47 PM, Dhiru Kholia <dhiru.kholia@...il.com> wrote:
> On Wed, Jun 27, 2012 at 1:51 PM, Solar Designer <solar@...nwall.com> wrote:
>> On Wed, Jun 27, 2012 at 12:04:24PM +0530, Dhiru Kholia wrote:
>>> SSH format crashes when built using "linux-x86-clang-debug".
>>>
>>> $ ../run/john -format=ssh -t
>>> Benchmarking: SSH RSA/DSA (one 2048-bit RSA and one 1024-bit DSA key)
>>> [32/32]...
>>> ==5844== ERROR: AddressSanitizer global-buffer-overflow on address
>>> 0x0832f51f at pc 0x816a88b bp 0xbff25f58 sp 0xbff25f50
>>
>> Can you provide a little bit of disassembly around this place?
>>
>>> READ of size 1 at 0x0832f51f thread T0
>>
> $ ~/llvm/projects/compiler-rt/lib/asan/scripts/asan_symbolize.py < log
> Benchmarking: SSH RSA/DSA (one 2048-bit RSA and one 1024-bit DSA key) [32/32]...
> ==7052== ERROR: AddressSanitizer global-buffer-overflow on address
> 0x0833051f at pc 0x816b42b bp 0xbfcb22b8 sp 0xbfcb22b0
> READ of size 1 at 0x0833051f thread T0
>    #0 0x816b42b in benchmark_format /home/dsk/magnum-jumbo/src/bench.c:164
>    #1 0x816bec1 in benchmark_all /home/dsk/magnum-jumbo/src/bench.c:453
>    #2 0x818ba6a in john_run /home/dsk/magnum-jumbo/src/john.c:873
>    #3 0x818521c in main /home/dsk/magnum-jumbo/src/john.c:1093
>    #4 0xb72d73d5 in __libc_start_main ??:0
> 0x0833051f is located 30 bytes to the right of global variable
> The offending line seems to be  memcpy(two_salts[index], salt,
> format->params.salt_size); this time. I can see no problem with it. I
> commented it out and ssh format runs fine. (but this solution can't be
> correct!).

The actual size of "static struct custom_salt cs" might be less than
the defined SALT_SIZE. Will this cause a problem? Is this the cause behind
the crashes?

The following patch fixes the problem (at least on my machine),

diff --git a/src/ssh_fmt.c b/src/ssh_fmt.c
index b26fa9a..bf0d161 100644
--- a/src/ssh_fmt.c
+++ b/src/ssh_fmt.c
@@ -40,7 +40,7 @@
 #define BENCHMARK_LENGTH    -1001
 #define PLAINTEXT_LENGTH    32
 #define BINARY_SIZE         0
-#define SALT_SIZE           4224
+#define SALT_SIZE           sizeof(struct custom_salt)
 #define MIN_KEYS_PER_CRYPT  1
 #define MAX_KEYS_PER_CRYPT  1
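
Review bot: on the changed SALT_SIZE line, sizeof(struct custom_salt) only compiles if struct custom_salt is fully defined before the first place SALT_SIZE is expanded, and this hunk sits at line 40 of the file with no definition visible in its context, so confirm the struct is declared above every use of the macro (or move the define below the struct). A one-line comment stating that SALT_SIZE must equal the size of the object handed back as the salt would also keep someone from reintroducing a literal like the removed 4224.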

-- 
Cheers,
Dhiru
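
The size mismatch asked about in this message, shown as an added C example (not code from the message or from John the Ripper). The fields of struct custom_salt and the names cs, slot, overread_bytes and copy_salt_checked are assumptions; only the 4224 literal and the sizeof expression come from the patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: the real struct custom_salt is not shown in the
 * message, so these fields are assumptions for illustration only. */
struct custom_salt {
    int type;
    unsigned int data_len;
    unsigned char data[4096];
};

#define SALT_SIZE_HARDCODED 4224                       /* literal removed by the patch */
#define SALT_SIZE_DERIVED   sizeof(struct custom_salt) /* expression added by the patch */

static struct custom_salt cs;                    /* stand-in for the format's static salt */
static unsigned char slot[SALT_SIZE_HARDCODED];  /* stand-in for one two_salts[] entry */

/* Bytes that memcpy(dst, &cs, salt_size) would read past the end of cs. */
size_t overread_bytes(size_t salt_size)
{
    return salt_size > sizeof(cs) ? salt_size - sizeof(cs) : 0;
}

/* Copy the salt only when salt_size fits both the source object and the
 * destination; returns 0 on success, -1 when the copy would be out of bounds. */
int copy_salt_checked(void *dst, size_t dst_size, size_t salt_size)
{
    if (salt_size > sizeof(cs) || salt_size > dst_size)
        return -1;
    memcpy(dst, &cs, salt_size);
    return 0;
}

int main(void)
{
    printf("sizeof(struct custom_salt) = %zu\n", sizeof(struct custom_salt));
    printf("over-read with literal:  %zu bytes\n", overread_bytes(SALT_SIZE_HARDCODED));
    printf("over-read with sizeof:   %zu bytes\n", overread_bytes(SALT_SIZE_DERIVED));
    printf("checked copy, literal:   %d\n", copy_salt_checked(slot, sizeof(slot), SALT_SIZE_HARDCODED));
    printf("checked copy, sizeof:    %d\n", copy_salt_checked(slot, sizeof(slot), SALT_SIZE_DERIVED));
    return 0;
}
```

With this assumed layout the struct is smaller than 4224 bytes, so a memcpy of the hardcoded size reads past the end of the global, which is the class of read AddressSanitizer reports as global-buffer-overflow.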
