Message-ID: <CANO7a6wiLObZ0-mXj5X_KL1GRnXW92i4DTN15g1iS_FVObjqbQ@mail.gmail.com>
Date: Sat, 30 Jun 2012 14:23:47 +0530
From: Dhiru Kholia <dhiru.kholia@...il.com>
To: john-dev@...ts.openwall.com
Subject: asan report

Hi,

So far, I have found out that asan doesn't work with the following formats:

Target : linux-x86-64-clang-debug

$ clang --version
clang version 3.1 (branches/release_31)
Target: x86_64-unknown-linux-gnu
Thread model: posix


1. xsha

Benchmarking: Mac OS X 10.4 - 10.6 salted SHA-1 [128/128 SSE2
intrinsics 8x]...
=================================================================
==28010== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006b0240 at pc 0x4da4f4 bp 0x7fff9f71ff10 sp 0x7fff9f71ff08
READ of size 4 at 0x0000006b0240 thread T0
    #0 0x4da4f4 in set_key /home/dsk/magnum-jumbo/src/XSHA_fmt_plug.c:304
0x0000006b0240 is located 0 bytes inside of global variable '.str12
(formats.c)' (0x6b0240) of size 1
  '.str12 (formats.c)' is ascii string ''

  while((temp = *wkey++) & 0xff) { <== problematic code
                if (!(temp & 0xff00))
                {
                        *keybuf_word = JOHNSWAP((temp & 0xff) | (0x80 << 8));
                        len++;
                        goto key_cleaning;
                }


2. trip

Benchmarking: Tripcode DES [128/128 BS SSE2-16]...
=================================================================
==28647== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006b0240 at pc 0x4414c9 bp 0x7fff45bf30c0 sp 0x7fff45bf30b8
READ of size 8 at 0x0000006b0240 thread T0
    #0 0x4414c9 in set_key /home/dsk/magnum-jumbo/src/trip_fmt.c:547
0x0000006b0240 is located 0 bytes inside of global variable '.str12
(formats.c)' (0x6b0240) of size 1
  '.str12 (formats.c)' is ascii string ''

static void set_key(char *key, int index)
{
        memcpy(buffer[index].key, key, PLAINTEXT_LENGTH);
}

This code doesn't seem to check key's length.


3. BSDI (reported in another thread)

4. dynamic format (reported in another thread)

5. sapb

Benchmarking: SAP CODVN B (BCODE) [128/128 SSE2 intrinsics 20x]...
=================================================================
==29216== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006779e0 at pc 0x4d514f bp 0x7fff67fff8a0 sp 0x7fff67fff898
READ of size 8 at 0x0000006779e0 thread T0
    #0 0x4d514f in set_key /home/dsk/magnum-jumbo/src/sapB_fmt_plug.c:191
0x0000006779e0 is located 0 bytes inside of global variable '.str6
(sapB_fmt_plug.c)' (0x6779e0) of size 2
  '.str6 (sapB_fmt_plug.c)' is ascii string 'X'

static void set_key(char *key, int index)
{
        memcpy(saved_plain[index], key, PLAINTEXT_LENGTH);
        keyLen[index] = -1;
}

6. sapg

Benchmarking: SAP CODVN F/G (PASSCODE) [128/128 SSE2 intrinsics 8x]...
=================================================================
==29453== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006b0292 at pc 0x4ef363 bp 0x7fff69397f50 sp 0x7fff69397f48
READ of size 1 at 0x0000006b0292 thread T0
    #0 0x4ef363 in set_key /home/dsk/magnum-jumbo/src/sapG_fmt_plug.c:205
0x0000006b0292 is located 14 bytes to the right of global variable
'.str13 (formats.c)' (0x6b0280) of size 4
  '.str13 (formats.c)' is ascii string 'des'

static void set_key(char *key, int index)
{
        memcpy((char*)saved_plain[index], key, PLAINTEXT_LENGTH);
        keyLen[index] = -1;
}

7. salted-sha1

Benchmarking: Salted SHA-1 [128/128 SSE2 intrinsics 8x]...
=================================================================
==29737== ERROR: AddressSanitizer global-buffer-overflow on address
0x000000683844 at pc 0x4f2c5e bp 0x7ffff61eb420 sp 0x7ffff61eb418
READ of size 4 at 0x000000683844 thread T0
    #0 0x4f2c5e in set_key /home/dsk/magnum-jumbo/src/salted_sha1_fmt_plug.c:163
0x000000683844 is located 4 bytes inside of global variable '.str6
(salted_sha1_fmt_plug.c)' (0x683840) of size 7
  '.str6 (salted_sha1_fmt_plug.c)' is ascii string 'thales'

while((temp = *wkey++) & 0xff) { <== have seen such a loop multiple times now :-)
                if (!(temp & 0xff00))
                {
                        *keybuf_word = JOHNSWAP((temp & 0xff) | (0x80 << 8));
                        len++;
                        goto key_cleaning;
                }


8. raw-sha1-ng

Benchmarking: Raw SHA-1 (pwlen <= 15) [128/128 SSE2 intrinsics 4x]...
=================================================================
==30079== ERROR: AddressSanitizer global-buffer-overflow on address
0x0000006a9020 at pc 0x537f2e bp 0x7fff53cb89e0 sp 0x7fff53cb89d8
READ of size 16 at 0x0000006a9020 thread T0
    #0 0x537f2e in sha1_fmt_set_key
/home/dsk/magnum-jumbo/src/rawSHA1_ng_fmt.c:363

9. raw-sha1-linkedin


Benchmarking: Raw SHA-1 LinkedIn [128/128 SSE2 intrinsics 8x]...
=================================================================
==30895== ERROR: AddressSanitizer global-buffer-overflow on address
0x000000696d8c at pc 0x5100f4 bp 0x7fff9d8f92e0 sp 0x7fff9d8f92d8
READ of size 4 at 0x000000696d8c thread T0
    #0 0x5100f4 in rawsha1_set_key
/home/dsk/magnum-jumbo/src/rawSHA1_linkedIn_fmt_plug.c:141

        while((unsigned char)(temp = *wkey++)) {
                if (!(temp & 0xff00))
                {
                        *keybuf_word = JOHNSWAP((temp & 0xff) | (0x80 << 8));
                        len++;
                        goto key_cleaning;
                }

10. Other formats which don't work with asan are raw-sha1, raw-md5,
raw-md4, oracle11, nsldap, netntlm, netlm, nethalflm, mysql-sha1,
hmac-md5, hmac-sha1, and ipb2

Let's start fixing these formats.

-- 
Cheers,
Dhiru
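Added example (not code from this message or from John the Ripper) showing the bug class behind these reports in C: a fixed-size memcpy, or a 4-byte-at-a-time scan, that reads past the end of a short key, and a hardened set_key that bounds the copy and zero-pads the slot so the word-wise scan stays in bounds. The names set_key_safe, scan_key_words, bounded_len, MAX_KEYS and the PLAINTEXT_LENGTH value are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define PLAINTEXT_LENGTH 15   /* assumed per-format cap; JtR formats vary */
#define MAX_KEYS 4            /* assumed number of candidate slots */

/* One slot per candidate: PLAINTEXT_LENGTH bytes plus room for a NUL,
 * 16 bytes in all, so a 4-byte-at-a-time scan always stays in bounds. */
static char saved_plain[MAX_KEYS][PLAINTEXT_LENGTH + 1];

/* Length of key, stopping at NUL or at cap, without reading past either. */
static size_t bounded_len(const char *key, size_t cap)
{
    size_t n = 0;
    while (n < cap && key[n] != '\0')
        n++;
    return n;
}

/* Hardened set_key: the reports above memcpy PLAINTEXT_LENGTH bytes no
 * matter how long 'key' really is, which over-reads short keys such as the
 * 1-byte benchmark strings. Here the copy is bounded by the actual length
 * and the rest of the slot is zero-filled. Returns the stored length. */
static int set_key_safe(const char *key, int index)
{
    size_t len = bounded_len(key, PLAINTEXT_LENGTH);
    memcpy(saved_plain[index], key, len);
    memset(saved_plain[index] + len, 0, sizeof(saved_plain[index]) - len);
    return (int)len;
}

/* The word-wise loop from the xsha/salted-sha1 snippets, run over the padded
 * slot instead of the caller's string. The word is assembled little-endian
 * by hand so the byte masks match regardless of host endianness. */
static int scan_key_words(int index)
{
    const unsigned char *p = (const unsigned char *)saved_plain[index];
    int len = 0;
    for (;;) {
        uint32_t temp = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                        ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        p += 4;
        if (!(temp & 0xff))       return len;      /* NUL in byte 0 */
        if (!(temp & 0xff00))     return len + 1;
        if (!(temp & 0xff0000))   return len + 2;
        if (!(temp & 0xff000000)) return len + 3;
        len += 4;                 /* slot byte 15 is always NUL: loop ends */
    }
}
```

Building with -fsanitize=address and feeding set_key_safe a 1-byte key no longer trips the global-buffer-overflow read that the unbounded memcpy does.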
