gat3way / hashkill

hashkill password recovery tool
www.gat3way.eu/hashkill

segmentation fault while using ZIP plugin on GPU #2

Closed holocronweaver closed 12 years ago

holocronweaver commented 12 years ago

Using the ZIP plugin with the suggested rule, -r markov -a 6:12:rockyou:1000, I am encountering segmentation faults during cracking. The fault usually occurs one or two minutes into cracking.

I am cracking a zipped version of this background image, which I then compress using the Linux zip utility with the alphanumeric password 89890rabbit. Here is an example zip.

Here is the relevant stdout:

[hashkill] Version 0.3.0
[hashkill] Scheduler initialized.
[hashkill] Plugin 'zip' loaded successfully
[hashkill] Rule based attack, using rule:markov
[hashkill] Encrypted using strong AES128 encryption
[hashkill] Found >= 0 password-protected files in archive!
[hashkill] File wallpaper.zip loaded successfully
[hashkill] CPU features: SSE2 SSE3
[hashkill] Detected 4 CPUs.
[hashkill] Found GPU device: Advanced Micro Devices, Inc. - Cayman
[hashkill] Temperature threshold set to 90 degrees C
[hashkill] GPU0: AMD Radeon HD 6900 Series  [busy:0%] [temp:59C]
[hashkill] Attack has O(N) complexity
[hashkill] Loading kernel: /usr/local/share/hashkill/kernels/amd_zips__Cayman.bin

Progress: 0%   Speed: 633K c/s   Cracked: 0 passwords  Segmentation fault (core dumped)

Here is the resulting dump and compiled hashkill binary with debug hooks.

gat3way commented 12 years ago

Could you please provide the zip sample as well? Also the Catalyst driver version you were using. I will try to reproduce the problem.

holocronweaver commented 12 years ago

I have updated the original issue with requested data.

gat3way commented 12 years ago

I don't have much luck reproducing the issue :( Need to try 12.8 though, I'm still using 12.4. Did you use the prebuilt binaries, or did you build them from source? Also, since you have a core dump, could you please send me the core file to analyze it with gdb? I guess it won't reveal much since debug symbols are stripped, yet it could help more or less...

holocronweaver commented 12 years ago

I compiled from source and received no errors. Also, it may help to mention that I am using Ubuntu 12.04 with the latest updates. I am adding a link to the dump in my issue description.

gat3way commented 12 years ago

Grrr I am an idiot, core file is useless to me without the binary :(

But then since you built from source, you could easily rebuild it with debug symbols so that I can definitely see where exactly it crashes, backtrace, register state, etc. Could you just edit src/Makefile.am and change this line:

hashkill_CFLAGS = -fPIC -s -O3 -fomit-frame-pointer -momit-leaf-frame-pointer -Wall -Wno-format -ftree-vectorize -DBINDIR=\"$(BINDIR)\" -DDATADIR=\"$(IDATADIR)\" -pthread -Wno-unused-value -Wno-switch -D_7ZIP_ST -flto -fwhole-program -Wno-psabi

to

hashkill_CFLAGS = -fPIC -g -O3 -fomit-frame-pointer -momit-leaf-frame-pointer -Wall -Wno-format -ftree-vectorize -DBINDIR=\"$(BINDIR)\" -DDATADIR=\"$(IDATADIR)\" -pthread -Wno-unused-value -Wno-switch -D_7ZIP_ST -flto -fwhole-program -Wno-psabi

then run make clean;make;make install, then run the program until it crashes and send me both hashkill binary and the core file? Sorry for that :( Yet, it would be of a great help to me, I would be finally able to see exactly what caused the crash and fix it.

holocronweaver commented 12 years ago

I have uploaded a bzip2 archive file containing both the hashkill binary with debug hooks and the newly created core file. See the updated link at the bottom of the issue description. And no worries about the slight mistake - after all, I should be thanking you for putting this great piece of software together and debugging it!

blshkv commented 12 years ago

It might be easy to find a bug by just looking at gcc warning messages.

For example:

inlined from ‘ocl_bruteforce_zip_thread’ at ocl_zip.c:1187:10:
warning: call to __builtin___memcpy_chk will always overflow destination buffer
In function 'bzero'

btw, you might want to fix the rest of the huge list of other affected files:

inlined from ‘hash_plugin_parse_hash’ at mssql-2000.c:66:13:
inlined from ‘hash_plugin_parse_hash’ at mssql-2005.c:66:13:
inlined from ‘ocl_bruteforce_ipb2_thread’ at ocl_ipb2.c:542:10:
inlined from ‘ocl_bruteforce_ipb2_thread’ at ocl_ipb2.c:589:2:
inlined from ‘ocl_bruteforce_ipb2_thread’ at ocl_ipb2.c:663:6:
inlined from ‘ocl_bruteforce_ipb2_thread’ at ocl_ipb2.c:704:6:
inlined from ‘ocl_bruteforce_ldap_ssha_thread’ at ocl_ldap-ssha.c:809:10:
inlined from ‘ocl_bruteforce_lm_thread’ at ocl_lm.c:470:15:
inlined from ‘ocl_bruteforce_lm_thread’ at ocl_lm.c:472:15:
inlined from ‘ocl_bruteforce_lm_thread’ at ocl_lm.c:474:15:
inlined from ‘ocl_bruteforce_lm_thread’ at ocl_lm.c:476:15:
inlined from ‘ocl_bruteforce_md4_thread’ at ocl_md4.c:480:10:
inlined from ‘ocl_bruteforce_md4_thread’ at ocl_md4.c:520:15:
inlined from ‘ocl_bruteforce_md4_thread’ at ocl_md4.c:523:8:
inlined from ‘ocl_bruteforce_md4_thread’ at ocl_md4.c:525:15:
inlined from ‘ocl_bruteforce_md4_thread’ at ocl_md4.c:527:15:
inlined from ‘ocl_bruteforce_md5_passsalt_thread’ at ocl_md5-passsalt.c:728:10:
inlined from ‘ocl_bruteforce_md5_passsalt_thread’ at ocl_md5-passsalt.c:774:2:
inlined from ‘ocl_bruteforce_md5_saltpass_thread’ at ocl_md5-saltpass.c:496:10:
inlined from ‘ocl_bruteforce_md5_saltpass_thread’ at ocl_md5-saltpass.c:542:2:
inlined from ‘ocl_bruteforce_md5_thread’ at ocl_md5.c:514:10:
inlined from ‘ocl_bruteforce_md5_thread’ at ocl_md5.c:554:15:
inlined from ‘ocl_bruteforce_md5_thread’ at ocl_md5.c:557:15:
inlined from ‘ocl_bruteforce_md5_thread’ at ocl_md5.c:559:15:
inlined from ‘ocl_bruteforce_md5_thread’ at ocl_md5.c:561:15:
inlined from ‘ocl_bruteforce_md5md5_thread’ at ocl_md5md5.c:474:15:
inlined from ‘ocl_bruteforce_md5md5_thread’ at ocl_md5md5.c:476:15:
inlined from ‘ocl_bruteforce_md5md5_thread’ at ocl_md5md5.c:478:15:
inlined from ‘ocl_bruteforce_md5md5_thread’ at ocl_md5md5.c:480:15:
inlined from ‘ocl_bruteforce_md5md5_thread’ at ocl_md5md5.c:493:10:
inlined from ‘ocl_bruteforce_mscash_thread’ at ocl_mscash.c:516:10:
inlined from ‘ocl_bruteforce_mscash_thread’ at ocl_mscash.c:561:2:
inlined from ‘ocl_bruteforce_mssql_2000_thread’ at ocl_mssql-2000.c:621:10:
inlined from ‘ocl_bruteforce_mssql_2000_thread’ at ocl_mssql-2000.c:667:2:
inlined from ‘ocl_bruteforce_mssql_2005_thread’ at ocl_mssql-2005.c:618:10:
inlined from ‘ocl_bruteforce_mssql_2005_thread’ at ocl_mssql-2005.c:664:2:
inlined from ‘ocl_bruteforce_mysql5_thread’ at ocl_mysql5.c:460:15:
inlined from ‘ocl_bruteforce_mysql5_thread’ at ocl_mysql5.c:462:15:
inlined from ‘ocl_bruteforce_mysql5_thread’ at ocl_mysql5.c:464:15:
inlined from ‘ocl_bruteforce_mysql5_thread’ at ocl_mysql5.c:477:10:
inlined from ‘ocl_bruteforce_ntlm_thread’ at ocl_ntlm.c:481:10:
inlined from ‘ocl_bruteforce_ntlm_thread’ at ocl_ntlm.c:521:15:
inlined from ‘ocl_bruteforce_ntlm_thread’ at ocl_ntlm.c:524:8:
inlined from ‘ocl_bruteforce_ntlm_thread’ at ocl_ntlm.c:526:15:
inlined from ‘ocl_bruteforce_ntlm_thread’ at ocl_ntlm.c:528:15:
inlined from ‘ocl_bruteforce_oracle11g_thread’ at ocl_oracle11g.c:680:10:
inlined from ‘ocl_bruteforce_oracle11g_thread’ at ocl_oracle11g.c:726:2:
inlined from ‘ocl_bruteforce_oracle_old_thread’ at ocl_oracle-old.c:506:10:
inlined from ‘ocl_bruteforce_oracle_old_thread’ at ocl_oracle-old.c:552:2:
inlined from ‘ocl_bruteforce_osx_old_thread’ at ocl_osx-old.c:408:10:
inlined from ‘ocl_bruteforce_osxlion_thread’ at ocl_osxlion.c:414:10:
inlined from ‘ocl_bruteforce_osxlion_thread’ at ocl_osxlion.c:457:2:
inlined from ‘ocl_bruteforce_sha1_thread’ at ocl_sha1.c:502:15:
inlined from ‘ocl_bruteforce_sha1_thread’ at ocl_sha1.c:506:15:
inlined from ‘ocl_bruteforce_sha1_thread’ at ocl_sha1.c:510:15:
inlined from ‘ocl_bruteforce_sha1_thread’ at ocl_sha1.c:514:15:
inlined from ‘ocl_bruteforce_sha256_thread’ at ocl_sha256.c:479:15:
inlined from ‘ocl_bruteforce_sha256_thread’ at ocl_sha256.c:481:15:
inlined from ‘ocl_bruteforce_sha256_thread’ at ocl_sha256.c:483:15:
inlined from ‘ocl_bruteforce_sha256_thread’ at ocl_sha256.c:485:15:
inlined from ‘ocl_bruteforce_sha512_thread’ at ocl_sha512.c:432:15:
inlined from ‘ocl_bruteforce_sha512_thread’ at ocl_sha512.c:434:15:
inlined from ‘ocl_bruteforce_sha512_thread’ at ocl_sha512.c:436:15:
inlined from ‘ocl_bruteforce_sha512_thread’ at ocl_sha512.c:438:15:
inlined from ‘ocl_bruteforce_sl3_thread’ at ocl_sl3.c:376:15:
inlined from ‘ocl_bruteforce_sl3_thread’ at ocl_sl3.c:380:15:
inlined from ‘ocl_bruteforce_sl3_thread’ at ocl_sl3.c:384:15:
inlined from ‘ocl_bruteforce_sl3_thread’ at ocl_sl3.c:388:15:
inlined from ‘ocl_bruteforce_smf_thread’ at ocl_smf.c:497:10:
inlined from ‘ocl_bruteforce_smf_thread’ at ocl_smf.c:543:2:
inlined from ‘ocl_bruteforce_vbulletin_thread’ at ocl_vbulletin.c:600:10:
inlined from ‘ocl_bruteforce_vbulletin_thread’ at ocl_vbulletin.c:647:2:
inlined from ‘ocl_bruteforce_zip_thread’ at ocl_zip.c:1187:10:
inlined from ‘ocl_markov_ipb2_thread’ at ocl_ipb2.c:1228:2:
inlined from ‘ocl_markov_lm_thread’ at ocl_lm.c:1000:15:
inlined from ‘ocl_markov_lm_thread’ at ocl_lm.c:994:15:
inlined from ‘ocl_markov_lm_thread’ at ocl_lm.c:996:15:
inlined from ‘ocl_markov_lm_thread’ at ocl_lm.c:998:15:
inlined from ‘ocl_markov_md4_thread’ at ocl_md4.c:1518:15:
inlined from ‘ocl_markov_md4_thread’ at ocl_md4.c:1521:8:
inlined from ‘ocl_markov_md4_thread’ at ocl_md4.c:1523:15:
inlined from ‘ocl_markov_md4_thread’ at ocl_md4.c:1525:15:
inlined from ‘ocl_markov_md5_passsalt_thread’ at ocl_md5-passsalt.c:1399:2:
inlined from ‘ocl_markov_md5_saltpass_thread’ at ocl_md5-saltpass.c:1167:2:
inlined from ‘ocl_markov_md5_thread’ at ocl_md5.c:1623:15:
inlined from ‘ocl_markov_md5_thread’ at ocl_md5.c:1626:15:
inlined from ‘ocl_markov_md5_thread’ at ocl_md5.c:1628:15:
inlined from ‘ocl_markov_md5_thread’ at ocl_md5.c:1630:15:
inlined from ‘ocl_markov_md5md5_thread’ at ocl_md5md5.c:1001:15:
inlined from ‘ocl_markov_md5md5_thread’ at ocl_md5md5.c:1003:15:
inlined from ‘ocl_markov_md5md5_thread’ at ocl_md5md5.c:1005:15:
inlined from ‘ocl_markov_md5md5_thread’ at ocl_md5md5.c:999:15:
inlined from ‘ocl_markov_mscash_thread’ at ocl_mscash.c:1186:2:
inlined from ‘ocl_markov_mssql_2000_thread’ at ocl_mssql-2000.c:1292:2:
inlined from ‘ocl_markov_mssql_2005_thread’ at ocl_mssql-2005.c:1289:2:
inlined from ‘ocl_markov_mysql5_thread’ at ocl_mysql5.c:980:15:
inlined from ‘ocl_markov_mysql5_thread’ at ocl_mysql5.c:982:15:
inlined from ‘ocl_markov_mysql5_thread’ at ocl_mysql5.c:984:15:
inlined from ‘ocl_markov_mysql5_thread’ at ocl_mysql5.c:986:15:
inlined from ‘ocl_markov_ntlm_thread’ at ocl_ntlm.c:1470:15:
inlined from ‘ocl_markov_ntlm_thread’ at ocl_ntlm.c:1473:8:
inlined from ‘ocl_markov_ntlm_thread’ at ocl_ntlm.c:1475:15:
inlined from ‘ocl_markov_ntlm_thread’ at ocl_ntlm.c:1477:15:
inlined from ‘ocl_markov_oracle11g_thread’ at ocl_oracle11g.c:1352:2:
inlined from ‘ocl_markov_oracle_old_thread’ at ocl_oracle-old.c:1177:2:
inlined from ‘ocl_markov_osxlion_thread’ at ocl_osxlion.c:1065:2:
inlined from ‘ocl_markov_sha1_thread’ at ocl_sha1.c:1410:15:
inlined from ‘ocl_markov_sha1_thread’ at ocl_sha1.c:1414:15:
inlined from ‘ocl_markov_sha1_thread’ at ocl_sha1.c:1418:15:
inlined from ‘ocl_markov_sha1_thread’ at ocl_sha1.c:1422:15:
inlined from ‘ocl_markov_sha256_thread’ at ocl_sha256.c:1032:15:
inlined from ‘ocl_markov_sha256_thread’ at ocl_sha256.c:1034:15:
inlined from ‘ocl_markov_sha256_thread’ at ocl_sha256.c:1036:15:
inlined from ‘ocl_markov_sha256_thread’ at ocl_sha256.c:1038:15:
inlined from ‘ocl_markov_sha512_thread’ at ocl_sha512.c:958:15:
inlined from ‘ocl_markov_sha512_thread’ at ocl_sha512.c:960:15:
inlined from ‘ocl_markov_sha512_thread’ at ocl_sha512.c:962:15:
inlined from ‘ocl_markov_sha512_thread’ at ocl_sha512.c:964:15:
inlined from ‘ocl_markov_smf_thread’ at ocl_smf.c:1168:2:
inlined from ‘ocl_markov_vbulletin_thread’ at ocl_vbulletin.c:1289:2:
inlined from ‘ocl_rule_lm_thread’ at ocl_lm.c:1517:15:
inlined from ‘ocl_rule_lm_thread’ at ocl_lm.c:1519:15:
inlined from ‘ocl_rule_lm_thread’ at ocl_lm.c:1521:15:
inlined from ‘ocl_rule_lm_thread’ at ocl_lm.c:1523:15:
inlined from ‘ocl_rule_md4_thread’ at ocl_md4.c:2350:15:
inlined from ‘ocl_rule_md4_thread’ at ocl_md4.c:2352:15:
inlined from ‘ocl_rule_md4_thread’ at ocl_md4.c:2354:15:
inlined from ‘ocl_rule_md4_thread’ at ocl_md4.c:2356:15:
inlined from ‘ocl_rule_md5_thread’ at ocl_md5.c:2507:15:
inlined from ‘ocl_rule_md5_thread’ at ocl_md5.c:2509:15:
inlined from ‘ocl_rule_md5_thread’ at ocl_md5.c:2511:15:
inlined from ‘ocl_rule_md5_thread’ at ocl_md5.c:2513:15:
inlined from ‘ocl_rule_md5md5_thread’ at ocl_md5md5.c:1521:15:
inlined from ‘ocl_rule_md5md5_thread’ at ocl_md5md5.c:1523:15:
inlined from ‘ocl_rule_md5md5_thread’ at ocl_md5md5.c:1525:15:
inlined from ‘ocl_rule_md5md5_thread’ at ocl_md5md5.c:1527:15:
inlined from ‘ocl_rule_mysql5_thread’ at ocl_mysql5.c:1502:15:
inlined from ‘ocl_rule_mysql5_thread’ at ocl_mysql5.c:1504:15:
inlined from ‘ocl_rule_mysql5_thread’ at ocl_mysql5.c:1506:15:
inlined from ‘ocl_rule_mysql5_thread’ at ocl_mysql5.c:1508:15:
inlined from ‘ocl_rule_ntlm_thread’ at ocl_ntlm.c:2264:15:
inlined from ‘ocl_rule_ntlm_thread’ at ocl_ntlm.c:2266:15:
inlined from ‘ocl_rule_ntlm_thread’ at ocl_ntlm.c:2268:15:
inlined from ‘ocl_rule_ntlm_thread’ at ocl_ntlm.c:2270:15:
inlined from ‘ocl_rule_sha1_thread’ at ocl_sha1.c:2211:15:
inlined from ‘ocl_rule_sha1_thread’ at ocl_sha1.c:2213:15:
inlined from ‘ocl_rule_sha1_thread’ at ocl_sha1.c:2215:15:
inlined from ‘ocl_rule_sha1_thread’ at ocl_sha1.c:2217:15:
inlined from ‘ocl_rule_sha256_thread’ at ocl_sha256.c:1580:15:
inlined from ‘ocl_rule_sha256_thread’ at ocl_sha256.c:1582:15:
inlined from ‘ocl_rule_sha256_thread’ at ocl_sha256.c:1584:15:
inlined from ‘ocl_rule_sha256_thread’ at ocl_sha256.c:1586:15:
inlined from ‘ocl_rule_sha512_thread’ at ocl_sha512.c:1480:15:
inlined from ‘ocl_rule_sha512_thread’ at ocl_sha512.c:1482:15:
inlined from ‘ocl_rule_sha512_thread’ at ocl_sha512.c:1484:15:
inlined from ‘ocl_rule_sha512_thread’ at ocl_sha512.c:1486:15:
inlined from ‘ocl_sha512unix_crack_callback’ at ocl_sha512unix.c:424:15:
inlined from ‘ocl_sha512unix_crack_callback’ at ocl_sha512unix.c:486:27:

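
The warning blshkv quotes, "call to __builtin___memcpy_chk will always overflow destination buffer", is gcc's fortify check: with -O2 and _FORTIFY_SOURCE (on by default in Ubuntu's gcc) a memcpy whose length is a compile-time constant larger than the destination it can see is flagged at build time, and the fortified call aborts at run time. The following is an added example, not hashkill code and not taken from any of the files listed above; the record layout, the SALT_LEN/DIGEST_LEN sizes and the "salt$digest" line format are constructed for the illustration. It puts the defect class beside a parser that measures each field against the size of its own destination.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not hashkill code. Constructed record layout: a 16-byte
 * salt field next to a 64-byte digest field. */
#define SALT_LEN   16
#define DIGEST_LEN 64

struct hash_record {
    char salt[SALT_LEN];
    char digest[DIGEST_LEN];
};

/* Constructed buggy parser: copies a fixed DIGEST_LEN (64) bytes into the
 * 16-byte salt field. The length is a compile-time constant larger than the
 * destination, which is exactly what a fortified build (-O2 -D_FORTIFY_SOURCE)
 * reports as "will always overflow destination buffer"; at run time the
 * fortified memcpy aborts the process. Kept only for comparison with the
 * checked version below; nothing in this file calls it. */
void parse_salted_line_overflow(const char *line, struct hash_record *out)
{
    memcpy(out->salt, line, DIGEST_LEN);
}

/* Checked parser for the constructed "salt$digest" format: measure each
 * field first and refuse anything that does not fit its destination.
 * Returns 0 on success, -1 if the line is malformed, -2 if a field is
 * longer than the buffer that would hold it. */
int parse_salted_line(const char *line, struct hash_record *out)
{
    const char *sep = strchr(line, '$');
    if (sep == NULL)
        return -1;
    size_t salt_len = (size_t)(sep - line);
    size_t digest_len = strlen(sep + 1);
    if (salt_len == 0 || digest_len == 0)
        return -1;
    /* Bound each copy by sizeof its own destination, never by a constant
     * that belongs to a different field. */
    if (salt_len > sizeof out->salt || digest_len > sizeof out->digest)
        return -2;
    memset(out, 0, sizeof *out);   /* zero-fill so short fields are NUL-padded */
    memcpy(out->salt, line, salt_len);
    memcpy(out->digest, sep + 1, digest_len);
    return 0;
}

/* parse_result() returns the parser's status code for one line. */
int parse_result(const char *line)
{
    struct hash_record r;
    return parse_salted_line(line, &r);
}

/* parsed_salt_is() reports (1/0) whether the parsed salt equals `expected`,
 * including the NUL padding when the salt is shorter than the field. */
int parsed_salt_is(const char *line, const char *expected)
{
    struct hash_record r;
    if (parse_salted_line(line, &r) != 0)
        return 0;
    size_t n = strlen(expected);
    if (n > sizeof r.salt)
        return 0;
    if (memcmp(r.salt, expected, n) != 0)
        return 0;
    return n == sizeof r.salt || r.salt[n] == '\0';
}

int main(void)
{
    /* Constructed sample lines: a well-formed one, and one whose salt is
     * 17 bytes, one more than the field can hold. */
    const char *ok  = "89890rabbit$0123456789abcdef0123456789abcdef";
    const char *bad = "0123456789abcdefX$0123456789abcdef";
    printf("%s -> %d\n", ok, parse_result(ok));    /* 0 */
    printf("%s -> %d\n", bad, parse_result(bad));  /* -2 */
    return 0;
}
```

Building this with `gcc -O2 -D_FORTIFY_SOURCE=2 -Wall` reproduces the warning on parse_salted_line_overflow only; the checked parser is silent because every memcpy length is bounded by the destination's own size, so the compile-time warnings in a list like the one above are worth reading as a list of real out-of-bounds writes rather than noise.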
gat3way commented 12 years ago

Thank you holocronweaver!

The bug was identified in the thermal monitoring code; it crashes under certain circumstances when the nvidia library is not available on the system.

It was fixed with that commit (together with another minor issue with rule engine):

https://github.com/gat3way/hashkill/commit/a7ba295bad17c7137abca40d70ce96a10472bc6c

This one is CRITICAL and I am really considering releasing a new patch version to address it.

blshkv: could you please open a new issue for your problem as it seems unrelated? I cannot get those warnings here. What gcc version are you using?
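
The comment above names the failure mode (thermal monitoring crashes when the NVIDIA library is absent) but not the faulting statement, and the linked commit is not reproduced on this page. The following is an added example, not hashkill code and not the fix in that commit. It assumes the usual shape of this crash in a multi-vendor GPU tool: a per-vendor table of function pointers that stays NULL when the vendor library is missing, and a polling loop that calls through every entry. The backend names, the AMD stand-in functions and the wrapper helpers are placeholders; the 90 C threshold matches the value in the reporter's log.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not hashkill code. Placeholder vendor backend table. */
typedef int (*count_fn)(void);
typedef int (*temp_fn)(int device_index);

struct gpu_backend {
    const char *name;
    int loaded;             /* 1 once the vendor library was found and resolved */
    count_fn device_count;  /* NULL when not loaded */
    temp_fn  read_temp;     /* NULL when not loaded */
};

/* Constructed stand-ins for an AMD query library: one device at 59 C. */
static int amd_device_count(void) { return 1; }
static int amd_read_temp(int idx) { return 59 + idx; }

/* Result of a simulated probe on an AMD-only box with no NVIDIA driver:
 * the NVIDIA entry never gets its function pointers filled in. */
struct gpu_backend backends[] = {
    { "amd",    1, amd_device_count, amd_read_temp },
    { "nvidia", 0, NULL,             NULL          },
};

#define N_BACKENDS (sizeof backends / sizeof backends[0])

/* Constructed buggy loop: trusts the table and calls device_count() on
 * every backend, so on a machine without the NVIDIA library the NULL
 * pointer is called, which is a segmentation fault. Kept for comparison
 * only; nothing in this file calls it. */
int poll_all_unchecked(int *temps, int max)
{
    int n = 0;
    for (size_t b = 0; b < N_BACKENDS; b++) {
        int cnt = backends[b].device_count();
        for (int i = 0; i < cnt && n < max; i++)
            temps[n++] = backends[b].read_temp(i);
    }
    return n;
}

/* Checked loop: skip any backend whose library did not load or whose
 * pointers were never resolved. Returns how many readings were taken so
 * the caller can tell "no GPU over threshold" from "nothing was read". */
int poll_all_checked(int *temps, int max)
{
    int n = 0;
    for (size_t b = 0; b < N_BACKENDS && n < max; b++) {
        const struct gpu_backend *be = &backends[b];
        if (!be->loaded || be->device_count == NULL || be->read_temp == NULL)
            continue;
        int cnt = be->device_count();
        for (int i = 0; i < cnt && n < max; i++)
            temps[n++] = be->read_temp(i);
    }
    return n;
}

/* Returns 1 if any reading is at or above the threshold, else 0. */
int any_over_threshold(const int *temps, int n, int threshold)
{
    for (int i = 0; i < n; i++)
        if (temps[i] >= threshold)
            return 1;
    return 0;
}

/* Placeholder wrappers that run the checked poll into a local buffer. */
int checked_reading_count(void) { int t[8]; return poll_all_checked(t, 8); }
int checked_first_reading(void) { int t[8]; return poll_all_checked(t, 8) > 0 ? t[0] : -1; }
int checked_over(int threshold)
{
    int t[8];
    int n = poll_all_checked(t, 8);
    return any_over_threshold(t, n, threshold);
}

int main(void)
{
    int temps[8];
    int n = poll_all_checked(temps, 8);
    for (int i = 0; i < n; i++)
        printf("GPU%d: %dC\n", i, temps[i]);          /* GPU0: 59C */
    printf("over 90C: %s\n", checked_over(90) ? "yes" : "no");  /* no */
    return 0;
}
```

The practical check for a crash of this kind is the one gat3way asked for: a core file from a binary built with -g and a `gdb` backtrace, which would show the call through a null or unresolved pointer in the monitoring thread; the checked loop is the general shape of the fix regardless of which vendor library is missing.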

gat3way commented 12 years ago

Closing that one...