Message-ID: <55902178.8020807@mailbox.org>
Date: Sun, 28 Jun 2015 18:31:52 +0200
From: Frank Dittrich <frank.dittrich@...lbox.org>
To: john-dev@...ts.openwall.com
Subject: Re: more robustness
On 06/28/2015 01:54 PM, Kai Zhao wrote:
>> I think more people might try out and comment on your new --fuzz option
>> if you would push your changes to (a separate branch of) your own github
>> repository and provide a link to that repository/branch.
>
> Thanks, here is the link:
>
> https://github.com/loverszhaokai/JohnTheRipper/tree/fuzz_option
(fuzz_option)run $ ./john --format=PBKDF2-HMAC-SHA1 --fuzz
Fuzzing: PBKDF2-HMAC-SHA1 [PBKDF2-SHA1 128/128 AVX 4x]...
=================================================================
==26467==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffd6af53f3a at pc 0x00000044f633 bp 0x7ffd6af53bc0 sp 0x7ffd6af53bb0
WRITE of size 1 at 0x7ffd6af53f3a thread T0
#0 0x44f632 in raw_to_hex /home/fd/git/fuzz-JtR/src/base64_convert.c:241
#1 0x453afd in mime_to_hex
/home/fd/git/fuzz-JtR/src/base64_convert.c:686
#2 0x45611b in base64_convert
/home/fd/git/fuzz-JtR/src/base64_convert.c:921
#3 0x60f77d in prepare
/home/fd/git/fuzz-JtR/src/pbkdf2-hmac-sha1_fmt_plug.c:151
#4 0x6bd370 in fuzz_test /home/fd/git/fuzz-JtR/src/formats.c:1153
#5 0x6a4d2e in fuzz /home/fd/git/fuzz-JtR/src/bench.c:829
#6 0x6c995d in john_run /home/fd/git/fuzz-JtR/src/john.c:1367
#7 0x6cae5c in main /home/fd/git/fuzz-JtR/src/john.c:1753
#8 0x7f83fc8b078f in __libc_start_main (/lib64/libc.so.6+0x2078f)
#9 0x406878 in _start (/home/fd/git/fuzz-JtR/run/john+0x406878)
Address 0x7ffd6af53f3a is located in stack of thread T0 at offset 106 in
frame
#0 0x60f49e in prepare
/home/fd/git/fuzz-JtR/src/pbkdf2-hmac-sha1_fmt_plug.c:118
This frame has 3 object(s):
[32, 106) 'tmph' <== Memory access at offset 106 overflows this variable
[160, 284) 'tmp'
[320, 464) 'tmps'
HINT: this may be a false positive if your program uses some custom
stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/fd/git/fuzz-JtR/src/base64_convert.c:241 raw_to_hex
Shadow bytes around the buggy address:
0x10002d5e2790: 04 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10002d5e27a0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
0x10002d5e27b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002d5e27c0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
0x10002d5e27d0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
=>0x10002d5e27e0: 00 00 00 00 00 00 00[02]f4 f4 f2 f2 f2 f2 00 00
0x10002d5e27f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 04 f2 f2
0x10002d5e2800: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002d5e2810: 00 00 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00
0x10002d5e2820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002d5e2830: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==26467==ABORTING
Is there an easy way to reproduce this problem for a bleeding-jumbo
version without the --fuzz option?
Frank
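An added illustration of the bug class the sanitizer report above points at; this is not code from Frank, Kai, or the JtR base64_convert.c sources, and the function names are hypothetical. The report says raw_to_hex, reached from prepare() through base64_convert()/mime_to_hex(), wrote one byte past the 74-byte stack object 'tmph' ([32, 106) is 74 bytes); 37 decoded bytes need 74 hex digits plus a NUL, which is exactly one byte too many. The example places an unchecked converter of that shape beside a bounded one that takes the destination capacity, returns -1 instead of writing past the end, and checks how many raw bytes fit in a 74-byte buffer; TMPH_SIZE and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Size of the 'tmph' frame object in the report above: [32, 106) is 74 bytes.
 * Constructed for this example; not a JtR constant. */
#define TMPH_SIZE 74

static const char hex_digits[] = "0123456789abcdef";

/* Unchecked raw-to-hex of the shape the trace reports (hypothetical, not
 * the base64_convert.c code): writes 2*len digits plus a NUL into dst
 * regardless of how large dst actually is. With len == 37 and a 74-byte
 * dst, the NUL lands on byte 74, one past the end. */
void raw_to_hex_unchecked(const unsigned char *src, size_t len, char *dst)
{
    size_t i;
    for (i = 0; i < len; i++) {
        dst[2 * i]     = hex_digits[src[i] >> 4];
        dst[2 * i + 1] = hex_digits[src[i] & 0x0f];
    }
    dst[2 * len] = '\0';
}

/* Bounded variant: only writes when dst_cap holds 2*len digits plus the NUL.
 * Returns the number of hex digits written, or -1 if the output would not
 * fit (dst becomes "" so callers never read stale stack bytes). */
int raw_to_hex_bounded(const unsigned char *src, size_t len,
                       char *dst, size_t dst_cap)
{
    size_t i;
    if (dst == NULL || dst_cap == 0)
        return -1;
    /* Equivalent to 2*len + 1 > dst_cap, written so it cannot overflow. */
    if (len > (dst_cap - 1) / 2) {
        dst[0] = '\0';
        return -1;
    }
    for (i = 0; i < len; i++) {
        dst[2 * i]     = hex_digits[src[i] >> 4];
        dst[2 * i + 1] = hex_digits[src[i] & 0x0f];
    }
    dst[2 * len] = '\0';
    return (int)(2 * len);
}

/* Convert src into a local buffer with the bounded converter and compare
 * against the expected hex string. Returns 1 on match, 0 otherwise. */
int hex_equals(const unsigned char *src, size_t len, const char *expected)
{
    char buf[2 * 128 + 1];
    if (len > 128)
        return 0;
    if (raw_to_hex_bounded(src, len, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Mirrors the prepare() frame: a fixed 74-byte stack buffer receiving the
 * hex form of a decoded blob of raw_len bytes (constructed as 0x00, 0x01,
 * 0x02, ...). Returns 1 when the conversion fits, 0 when it was rejected. */
int hex_fits_in_tmph(size_t raw_len)
{
    unsigned char raw[256];
    char tmph[TMPH_SIZE];
    size_t i;
    if (raw_len > sizeof raw)
        return 0;
    for (i = 0; i < raw_len; i++)
        raw[i] = (unsigned char)i;
    return raw_to_hex_bounded(raw, raw_len, tmph, sizeof tmph) >= 0;
}

int main(void)
{
    const unsigned char blob[] = { 0xde, 0xad, 0xbe, 0xef };  /* constructed */
    char out[2 * sizeof blob + 1];
    int n;

    raw_to_hex_unchecked(blob, sizeof blob, out);   /* fits: out is 9 bytes */
    printf("unchecked: %s\n", out);
    n = raw_to_hex_bounded(blob, sizeof blob, out, sizeof out);
    printf("bounded:   %d digits, %s\n", n, out);
    printf("36 raw bytes fit in tmph: %d\n", hex_fits_in_tmph(36));
    printf("37 raw bytes fit in tmph: %d\n", hex_fits_in_tmph(37));
    /* Calling raw_to_hex_unchecked with 37 bytes into a 74-byte buffer
     * reproduces the shape of the report; build with
     * -fsanitize=address -g to get the same stack-buffer-overflow output. */
    return 0;
}
```

The length check in raw_to_hex_bounded is the one piece a fuzzer cannot talk its way around: the capacity is passed in, the required size is computed from the input, and an input that does not fit is rejected before any byte is written. Running the build under AddressSanitizer, as in the report above, is the cheapest way to catch the remaining converters that still take only a destination pointer.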