openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
https://www.openwall.com/john/

rar format: asan error for ./jtrts.pl -random -seed=987179 -passthru="--fork=2" #1008

Closed frank-dittrich closed 9 years ago

frank-dittrich commented 9 years ago

This is with the latest rar format fixes, JtR commit be26caa3a3cf6fe841605f622df7406781ae1387 and TestSuite commit https://github.com/magnumripper/jtrTestSuite/commit/14e2cc5f4b63a4829c1985434fe421369a7120d2:

(master)test $ ./jtrts.pl -q -type full -random -seed=987179 -passthru="--fork=2"
-------------------------------------------------------------------------------
- JtR-TestSuite (jtrts). Version 1.13, Dec 21, 2014.  By, Jim Fougeron & others
- Testing:  John the Ripper password cracker, version 1.8.0.2-jumbo-1-bleeding_omp [linux-gnu 64-bit AVX2-autoconf]
--------------------------------------------------------------------------------
form=rar                          guesses:  144 -show= 217 0:00:05:35 DONE : Expected count(s) (297)  [!!!FAILED!!!  return code 256]
.pot CHK:rar                      guesses:  225 -show= 225 0:00:00:38 DONE : Expected count(s) (297)  [!!!FAILED!!!]
Some tests had Errors. Performed 400 tests.  1 errors  1 errors reprocessing the .POT files  1 runs had non-zero return code (cores?)
Time used was 4461 seconds

Just repeating the rar test:

(master)test $ ./jtrts.pl -type rar -stoponerror -random -seed=987179 -passthru="--fork=2"
-------------------------------------------------------------------------------
- JtR-TestSuite (jtrts). Version 1.13, Dec 21, 2014.  By, Jim Fougeron & others
- Testing:  John the Ripper password cracker, version 1.8.0.2-jumbo-1-bleeding_omp [linux-gnu 64-bit AVX2-autoconf]
--------------------------------------------------------------------------------

John Jumbo build detected.

form=rar                          guesses:  130 0:00:02:34 DONE  [PASSED]
.pot CHK:rar                      guesses:  130 0:00:00:08 DONE  [PASSED]

form=rar                          guesses:  144 -show= 215 0:00:05:40 DONE : Expected count(s) (297)  [!!!FAILED!!!  return code 256]
Exiting on error. The .pot file ./tst.pot continas the found data
The command used to run this test was:

../run/john -ses=./tst  --fork=2 -pot=./tst.pot rar2_tst.in --wordlist=pw-60.dic -form=rar

Reproducing it on the command line:

(master)test $ rm tst.*
(master)test $ ../run/john -ses=./tst  --fork=2 -pot=./tst.pot rar2_tst.in --wordlist=pw-60.dic -form=rar
Loaded 297 password hashes with 297 different salts (rar, RAR3 [SHA1 AES 32/64])
Will run 2 OpenMP threads per process (4 total across 2 processes)
Node numbers 1-2 of 2 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
q��rt12345       (u22-rar)
password         (u9-rar)
!!!!!!!!!        (u13-rar)
...
johnripper       (u27-rar)
12qw3�e�         (u32-rar3hp)
12qw3�e�         (u32-rar)
=================================================================
==14504== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd8d8001f at pc 0x4e0ce6 bp 0x7fffd8d7ff60 sp 0x7fffd8d7ff50
READ of size 1 at 0x7fffd8d8001f thread T0
    #0 0x4e0ce5 (/home/fd/git/JtR/run/john+0x4e0ce5)
    #1 0x4e5092 (/home/fd/git/JtR/run/john+0x4e5092)
    #2 0x6add78 (/home/fd/git/JtR/run/john+0x6add78)
    #3 0x6af63f (/home/fd/git/JtR/run/john+0x6af63f)
    #4 0x761bb8 (/home/fd/git/JtR/run/john+0x761bb8)
    #5 0x763735 (/home/fd/git/JtR/run/john+0x763735)
    #6 0x763900 (/home/fd/git/JtR/run/john+0x763900)
    #7 0x7b095a (/home/fd/git/JtR/run/john+0x7b095a)
    #8 0x776ab5 (/home/fd/git/JtR/run/john+0x776ab5)
    #9 0x77781b (/home/fd/git/JtR/run/john+0x77781b)
    #10 0x38dd621d64 (/usr/lib64/libc-2.18.so+0x21d64)
    #11 0x4065b4 (/home/fd/git/JtR/run/john+0x4065b4)
Address 0x7fffd8d8001f is located at offset 95 in frame <read_tables> of T0's stack:
  This frame has 2 object(s):
    [32, 52) 'bit_length'
    [96, 500) 'table'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Shadow bytes around the buggy address:
  0x10007b1a7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a7ff0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 04 f4
=>0x10007b1a8000: f2 f2 f2[f2]00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a8030: 00 00 00 00 00 00 04 f4 f3 f3 f3 f3 00 00 00 00
  0x10007b1a8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b1a8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==14504== ABORTING
(master)test $ 12qw3�e�         (u32-rar)
qwert12345       (u24-rar)
qwert12345       (u24-rar)
qwerty           (u23-rar)
...
qerwt            (u19-rar)
qerwt            (u19-rar)
qerwt            (u19-rar3hp)
2 144g 0:00:05:40 DONE (2015-01-07 22:20) 0.4224g/s 0.1437p/s 29.06c/s 29.06C/s qerwt
(master)test $ ../run/asan_symbolize.py 
    #0 0x4e0ce5 (/home/fd/git/JtR/run/john+0x4e0ce5)
    #1 0x4e5092 (/home/fd/git/JtR/run/john+0x4e5092)
    #2 0x6add78 (/home/fd/git/JtR/run/john+0x6add78)
    #3 0x6af63f (/home/fd/git/JtR/run/john+0x6af63f)
    #4 0x761bb8 (/home/fd/git/JtR/run/john+0x761bb8)
    #5 0x763735 (/home/fd/git/JtR/run/john+0x763735)
    #6 0x763900 (/home/fd/git/JtR/run/john+0x763900)
    #7 0x7b095a (/home/fd/git/JtR/run/john+0x7b095a)
    #8 0x776ab5 (/home/fd/git/JtR/run/john+0x776ab5)
    #9 0x77781b (/home/fd/git/JtR/run/john+0x77781b)
    #10 0x38dd621d64 (/usr/lib64/libc-2.18.so+0x21d64)
    #11 0x4065b4 (/home/fd/git/JtR/run/john+0x4065b4)
llvm-symbolizer: for the -functions option: 'short' is invalid value for boolean argument! Try 0 or 1
    #0 0x4e0ce5 in read_tables /home/fd/git/JtR/src/unrar.c:538
    #1 0x4e5092 in rar_unpack29 /home/fd/git/JtR/src/unrar.c:962
    #2 0x6add78 in crypt_all._omp_fn.1 /home/fd/git/JtR/src/rar_fmt_plug.c:801
    #3 0x6af63f in crypt_all /home/fd/git/JtR/src/rar_fmt_plug.c:706
    #4 0x761bb8 in crk_password_loop /home/fd/git/JtR/src/cracker.c:685
    #5 0x763735 in crk_salt_loop /home/fd/git/JtR/src/cracker.c:743
    #6 0x763900 in crk_process_key /home/fd/git/JtR/src/cracker.c:780
    #7 0x7b095a in do_wordlist_crack /home/fd/git/JtR/src/wordlist.c:1227 (discriminator 1)
    #8 0x776ab5 in john_run /home/fd/git/JtR/src/john.c:1358
    #9 0x77781b in main /home/fd/git/JtR/src/john.c:1651
    #10 0x38dd621d64 in ?? ??:0
    #11 0x4065b4 in _start ??:?
magnumripper commented 9 years ago

OK, in 00d4fe7 I tried to implement a test in rar_getbits() similar to the one @jfoug did in rarvm_getbits() in aa9589ed, because it really looked like that would be the issue. But it did not help. I committed it anyway because I have a feeling it will be a good thing.

Right before the ASAN crash I had this

rar_getbits: in_addr=3 in_bit=3 read_top=48

So we were not anywhere near the end. Yet it indicates we read past the buffer there. I'm not sure how to proceed.
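An added example, not code from JtR, unrar or any of the commits referenced in this thread, showing why a guard inside the bit reader cannot cover the read the ASan report describes. The report places the bad READ of size 1 at frame offset 95, one byte before the local `table` object at [96, 500), so it is a read of the decoder's own stack array, not of the input buffer that `read_top` bounds. The field names `in_addr`, `in_bit` and `read_top` follow the debug line above; the toy bit layout, the "repeat previous" code and all function names are constructed for illustration. Whether unrar.c:538 is exactly this construct is not something the thread states.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not JtR/unrar code. Models the two reads a RAR3-style
 * length-table decoder performs: the bit reader that a read_top guard
 * protects, and the copy-previous step into a local table, which that
 * guard cannot protect. Names and stream layout are constructed. */

struct bitreader {
    const uint8_t *buf;
    size_t read_top;   /* bytes of valid input in buf */
    size_t in_addr;    /* current byte offset */
    unsigned in_bit;   /* current bit offset inside buf[in_addr], 0..7 */
};

/* Peek 16 bits at the current position. An unchecked form reads
 * buf[in_addr+2] unconditionally; this one returns -1 when any of the
 * three bytes it touches lies at or beyond read_top. */
int br_getbits(const struct bitreader *br)
{
    if (br->in_addr + 2 >= br->read_top)
        return -1;
    uint32_t v = ((uint32_t)br->buf[br->in_addr] << 16) |
                 ((uint32_t)br->buf[br->in_addr + 1] << 8) |
                 (uint32_t)br->buf[br->in_addr + 2];
    return (int)((v >> (8 - br->in_bit)) & 0xffff);
}

void br_addbits(struct bitreader *br, unsigned n)
{
    unsigned bits = br->in_bit + n;
    br->in_addr += bits >> 3;
    br->in_bit = bits & 7;
}

/* Copy-previous run, unchecked: with i == 0 this reads table[-1], one byte
 * before the array, the same relation the report shows between offset 95
 * and the 'table' object at [96, 500). Kept for contrast; a read_top check
 * in the bit reader never sees this access. */
void fill_run_unchecked(uint8_t *table, size_t i, size_t n)
{
    while (n-- > 0) {
        table[i] = table[i - 1];
        i++;
    }
}

/* Checked form: a repeat code with nothing before it is a malformed stream,
 * and a run is clamped to the remaining table. Returns 0 and advances *i,
 * or -1 on a malformed stream. */
int fill_run_checked(uint8_t *table, size_t table_size, size_t *i, size_t n)
{
    if (*i == 0 || *i >= table_size)
        return -1;
    if (n > table_size - *i)
        n = table_size - *i;
    memset(&table[*i], table[*i - 1], n);   /* same value chained forward */
    *i += n;
    return 0;
}

/* Toy length-table decoder (constructed format): each code is 4 bits;
 * 0..14 is a literal length, 15 means "repeat the previous length
 * 3 + (next 3 bits) times". Returns entries filled, -1 if the input ran
 * out (bit reader guard), -2 if the stream is malformed (table guard). */
int decode_lengths(const uint8_t *stream, size_t len,
                   uint8_t *table, size_t table_size)
{
    struct bitreader br = { stream, len, 0, 0 };
    size_t i = 0;

    while (i < table_size) {
        int bits = br_getbits(&br);
        if (bits < 0)
            return -1;
        unsigned code = ((unsigned)bits >> 12) & 0xf;
        br_addbits(&br, 4);
        if (code < 15) {
            table[i++] = (uint8_t)code;
            continue;
        }
        bits = br_getbits(&br);
        if (bits < 0)
            return -1;
        size_t n = 3 + (((unsigned)bits >> 13) & 7);
        br_addbits(&br, 3);
        if (fill_run_checked(table, table_size, &i, n) < 0)
            return -2;
    }
    return (int)i;
}

int main(void)
{
    /* Constructed: literal 5, then repeat-previous 4 times (nibbles 5, F, bits 001). */
    static const uint8_t good[] = { 0x5F, 0x26, 0x00, 0x00, 0x00 };
    /* Constructed: stream opens with a repeat code, so there is no table[i-1]. */
    static const uint8_t bad[]  = { 0xF0, 0x00, 0x00, 0x00, 0x00 };
    uint8_t table[5];

    printf("good: %d entries\n", decode_lengths(good, sizeof good, table, sizeof table));
    printf("bad:  %d (rejected instead of reading table[-1])\n",
           decode_lengths(bad, sizeof bad, table, sizeof table));
    return 0;
}
```

Building this with `-fsanitize=address` and calling `fill_run_unchecked(table, 0, n)` reproduces the same class of report as the one in this issue: a stack-buffer-overflow, READ of size 1, on the byte immediately to the left of the array. The `read_top` check in `br_getbits` is still worth having for truncated input, but it guards a different buffer from the one the report names.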

magnumripper commented 9 years ago

I give up for now

magnumripper commented 9 years ago

Was read_top not the correct struct member to test? I'm not 100% sure so don't get embedded.

jfoug commented 9 years ago

I think https://github.com/magnumripper/JohnTheRipper/commit/079e3ca9be6eaa327e4ea7ece86e8a59804498b0 also fixed this one.

frank-dittrich commented 9 years ago

Yes, it does. Thanks.