Message-ID: <20150913171251.04e03b0d@pc1>
Date: Sun, 13 Sep 2015 17:12:51 +0200
From: Hanno Böck <hanno@...eck.de>
To: john-dev@...ts.openwall.com
Subject: Invalid memory out of bounds read in DES_std_set_key
Hi,
When compiling john-1.8.0 with address sanitizer it will expose an out
of bounds read in the function DES_std_set_key.
The error happens in line 664:
DES_key[1] = key[1] & 0x7F;
The variable "key" is a parameter to the function and the value comes
indirectly from a function call in formats.c, line 168:
format->methods.set_key("", index);
As you can see an empty string is passed. Therefore accessing key[1]
won't work.
I'm not entirely sure what was the intention of that code, so I'm not
sure how to fix it. The full address sanitizer error is pasted below.
To get it / reproduce:
make OMPFLAGS="-fsanitize=address -g -ggdb -fno-omit-frame-pointer"
LDFLAGS="-fsanitize=address" CC="clang" generic
Hanno
-------------------
==4322==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000052bd01 at pc 0x0000004dd9c4 bp 0x7ffdb8867230 sp 0x7ffdb8867228
READ of size 1 at 0x00000052bd01 thread T0
#0 0x4dd9c3 in DES_std_set_key /tmp/john-1.8.0/src/DES_std.c:664:15
#1 0x4da280 in set_key /tmp/john-1.8.0/src/DES_fmt.c:328:2
#2 0x5102e7 in fmt_self_test_body /tmp/john-1.8.0/src/formats.c:168:4
#3 0x5102e7 in fmt_self_test /tmp/john-1.8.0/src/formats.c:232
#4 0x50b282 in benchmark_format /tmp/john-1.8.0/src/bench.c:114:15
#5 0x50ce9c in main /tmp/john-1.8.0/src/best.c:79:6
#6 0x7fcb3462b7af in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.21-r1/work/glibc-2.21/csu/libc-start.c:289
#7 0x4180e8 in _start (/tmp/john-1.8.0/src/bench+0x4180e8)
0x00000052bd01 is located 63 bytes to the left of global variable '<string literal>' defined in 'formats.c:185:9' (0x52bd40) of size 5
'<string literal>' is ascii string 'bsdi'
0x00000052bd01 is located 0 bytes to the right of global variable '<string literal>' defined in 'formats.c:168:28' (0x52bd00) of size 1
'<string literal>' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/john-1.8.0/src/DES_std.c:664:15 in DES_std_set_key
Shadow bytes around the buggy address:
0x00008009d750: f9 f9 f9 f9 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9
0x00008009d760: 07 f9 f9 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x00008009d770: 00 02 f9 f9 f9 f9 f9 f9 00 00 01 f9 f9 f9 f9 f9
0x00008009d780: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x00008009d790: 00 02 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
=>0x00008009d7a0:[01]f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
0x00008009d7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009d7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009d7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00008009d7e0: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
0x00008009d7f0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4322==ABORTING
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: BBB51E42
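The report above is about an unconditional read of key[1] when the caller passes "". The following is an added illustration, not code from john or from Hanno's message: a hypothetical set-key routine in the same shape (one 7-bit-masked byte per key position, eight positions) beside a bounded variant that stops at the NUL terminator and zero-fills the remaining positions (the padding traditional DES crypt(3) applies to short keys; whether john's real DES_std_set_key does the same is not asserted here). The demo keeps the over-read inside a constructed 16-byte buffer so it is well defined and shows what such a loop actually copies: whatever bytes happen to follow the terminator.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DES_KEY_BYTES 8

/* Hypothetical unchecked variant, modelled on the pattern in the report:
 * copies eight bytes regardless of string length. With a string shorter
 * than eight bytes (including "") it reads past the terminator, which is
 * the kind of access ASan reports as a global-buffer-overflow. */
static void set_key_unchecked(const char *key, uint8_t des_key[DES_KEY_BYTES])
{
    for (int i = 0; i < DES_KEY_BYTES; i++)
        des_key[i] = (uint8_t)key[i] & 0x7F;
}

/* Bounded variant: stop at the NUL terminator, zero-fill the unused
 * positions, and never look beyond the eighth byte. Returns how many
 * bytes of the string were consumed (0 for ""). */
static size_t set_key_bounded(const char *key, uint8_t des_key[DES_KEY_BYTES])
{
    size_t n = 0;
    for (; n < DES_KEY_BYTES && key[n] != '\0'; n++)
        des_key[n] = (uint8_t)key[n] & 0x7F;
    memset(des_key + n, 0, DES_KEY_BYTES - n);
    return n;
}

/* Shows what the unchecked loop copies for the empty key "": the seven
 * bytes after the NUL. The buffer is constructed here with a 0xAA fill so
 * the read stays inside it (defined behaviour for the demo); in the real
 * self-test the neighbour is whatever the linker placed next to "".
 * Returns the number of key positions that received a non-zero byte. */
static int unchecked_copies_bytes_past_nul(void)
{
    char buf[16];
    uint8_t des_key[DES_KEY_BYTES];
    int leaked = 0;

    memset(buf, 0xAA, sizeof buf);
    buf[0] = '\0';                        /* the empty key "" */
    set_key_unchecked(buf, des_key);
    for (int i = 0; i < DES_KEY_BYTES; i++)
        if (des_key[i] != 0)
            leaked++;                     /* 0xAA & 0x7F == 0x2A, not 0 */
    return leaked;
}

int main(void)
{
    /* Constructed sample keys, including the "" the format self-test
     * passes and a key longer than the eight bytes DES can use. */
    const char *keys[] = { "", "abc", "0123456789", "\x80\xff" };
    uint8_t des_key[DES_KEY_BYTES];

    for (size_t k = 0; k < sizeof keys / sizeof keys[0]; k++) {
        size_t n = set_key_bounded(keys[k], des_key);
        printf("key %-12s consumed %zu bytes:", keys[k][0] ? keys[k] : "\"\"", n);
        for (int i = 0; i < DES_KEY_BYTES; i++)
            printf(" %02x", des_key[i]);
        putchar('\n');
    }
    printf("unchecked loop on \"\": %d of %d key bytes came from memory past the NUL\n",
           unchecked_copies_bytes_past_nul(), DES_KEY_BYTES);
    return 0;
}
```

Whichever way the real function is fixed, the self-test call with "" is a useful regression input: any set-key path must produce a defined key schedule from a zero-length string without touching key[1].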