Open AlekseyCherepanov opened 2 years ago
Minified crasher:
$ cat t.pw
$pkzip$1*1*2*0*14*6eeeeeeeeee*775f54d8*0*47*8*14*8cd0*11b75efed56a5795f07c509268a88b4a6ff362ef*$/pkzip$
$ ./run/john --format=pkzip t.pw --mask='3780'
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
==5836==WARNING: AddressSanitizer failed to allocate 0x6eeeeeeeeee bytes
==5836==AddressSanitizer's allocator is terminating the process instead of returning 0
==5836==If you don't like this behavior set allocator_may_return_null=1
==5836==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:216 "((0)) != (0)" (0x0, 0x0)
#0 0x7ff20f812fa5 in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:67
#1 0x7ff20f82df39 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cc:77
#2 0x7ff20f818006 in __sanitizer::ReportAllocatorCannotReturnNull() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:216
#3 0x7ff20f818043 in __sanitizer::ReturnNullOrDieOnFailure::OnBadRequest() ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:232
#4 0x7ff20f7477e5 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) ../../../../src/libsanitizer/asan/asan_allocator.cc:415
#5 0x7ff20f746286 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cc:812
#6 0x7ff20f80830b in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:87
#7 0x5583634eb070 in mem_alloc /home/user/john/src/memory.c:90
#8 0x5583633e701c in cmp_exact /home/user/john/src/pkzip_fmt_plug.c:948
#9 0x5583634a7b04 in crk_password_loop /home/user/john/src/cracker.c:908
#10 0x5583634a9a4b in crk_salt_loop /home/user/john/src/cracker.c:1065
#11 0x5583634aaeff in crk_done /home/user/john/src/cracker.c:1321
#12 0x5583634e9194 in mask_done /home/user/john/src/mask.c:2512
#13 0x5583634c7451 in john_run /home/user/john/src/john.c:1844
#14 0x5583634c7451 in main /home/user/john/src/john.c:2082
#15 0x7ff20ed6409a in __libc_start_main ../csu/libc-start.c:308
#16 0x55836303d1f9 in _start (/home/user/john/run/john+0x1ed1f9)
Original password "test" would trigger the problem in cmp_exact too for the minified crasher. So the fuzzer could be improved without adding excessive hashing.
I created hashes with --fuzz-dump, commenting out most of the self-tests in the pkzip format (for the test in #5023). It turned out that a regular attack can crash in an ASan build (local paths are replaced by ...):

john can catch failure of allocation:

Not all attacks trigger the problem:

So there are 2 problems:

--fuzz are not enough to find all bugs
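The crasher above carries the hex field 6eeeeeeeeee, and ASan reports an attempt to allocate exactly 0x6eeeeeeeeee bytes, so the length field reaches mem_alloc unchecked. As an added example, not code from the john tree, here is the kind of bound check a format could run on the line before cmp_exact allocates anything; the field layout (fields 5, 6 and 11 as hex lengths, field 13 as hex data), the 64 MiB cap and the names pkzip_line_sane and hex_field_ok are assumptions read off the crasher line, not the plugin's actual parser.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Constructed inputs: the crasher from this issue, and the same line with the
 * oversized field replaced by a small value (assumed, not a real hash). */
const char *PKZIP_CRASHER = "$pkzip$1*1*2*0*14*6eeeeeeeeee*775f54d8*0*47*8*14*8cd0*11b75efed56a5795f07c509268a88b4a6ff362ef*$/pkzip$";
const char *PKZIP_SANE    = "$pkzip$1*1*2*0*14*14*775f54d8*0*47*8*14*8cd0*11b75efed56a5795f07c509268a88b4a6ff362ef*$/pkzip$";
#define PKZIP_MAX_LEN (64u * 1024 * 1024)   /* assumed cap on any length field: 64 MiB */

/* Parse the hex field [p, end). Fails on empty/non-hex input or a value above cap,
 * checking after every nibble so a long field can never overflow v. */
static int hex_field_ok(const char *p, const char *end, uint64_t cap, uint64_t *out)
{
    uint64_t v = 0;
    if (p == end) return 0;
    for (; p < end; p++) {
        int c = tolower((unsigned char)*p);
        if (!isxdigit(c)) return 0;
        v = (v << 4) | (uint64_t)(c <= '9' ? c - '0' : c - 'a' + 10);
        if (v > cap) return 0;
    }
    *out = v;
    return 1;
}

/* Bound-check a one-hash $pkzip$ line before any allocation uses its fields.
 * Assumed layout, read off the crasher line: 13 '*'-separated fields, of which
 * field 5 (compressed length), 6 (uncompressed length) and 11 (stored data length)
 * are hex sizes and field 13 is the hex-encoded data. Returns 1 if acceptable. */
int pkzip_line_sane(const char *line)
{
    static const char pre[] = "$pkzip$";
    const char *p, *q;
    uint64_t v = 0, dl = 0;
    int field = 0;
    if (strncmp(line, pre, sizeof(pre) - 1) != 0) return 0;
    p = line + sizeof(pre) - 1;
    while ((q = strchr(p, '*')) != NULL) {
        field++;
        if ((field == 5 || field == 6 || field == 11) &&
            !hex_field_ok(p, q, PKZIP_MAX_LEN, &v))
            return 0;
        if (field == 11) dl = v;
        if (field == 13 && (uint64_t)(q - p) != 2 * dl) return 0;  /* data must match DL */
        p = q + 1;
        if (strcmp(p, "$/pkzip$") == 0) return field == 13;
    }
    return 0;
}
```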