Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b4737d46d700411a6172a2db958a8616@smtp.hushmail.com>
Date: Sun, 13 Sep 2015 18:10:12 +0200
From: magnum <john.magnum@...hmail.com>
To: john-dev@...ts.openwall.com
Subject: Re: Invalid memory our of bounds read in DES_std_set_key

On 2015-09-13 17:12, Hanno Böck wrote:
> When compiling john-1.8.0 with address sanitizer it will expose an out
> of bounds read in the function DES_std_set_key.
>
> The error happens in line 664:
> 	DES_key[1] = key[1] & 0x7F;
>
> The variable "key" is a parameter to the function and the value comes
> indirectly from a function call in formats.c, line 168:
> 			format->methods.set_key("", index);
>
> As you can see an empty string is passed. Therefore accessing key[1]
> won't work.

In Jumbo this is fixed like this:

/* Mutes ASan problems. We pass a buffer long enough for any use */
#define fmt_set_key(key, index)	  \
	{ \
		static char buf_key[PLAINTEXT_BUFFER_SIZE]; \
		char *s = key, *d = buf_key; \
		while ((*d++ = *s++)); \
		format->methods.set_key(buf_key, index); \
	}

It was actually changed a bit further recently, to have that buffer 
SIMD-aligned. BTW inc.c has a similar problem where it tests the 
zero-length key, also worked around in Jumbo.

magnum

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.