From 62bc8689b7dc48f2ce0c1b4658487de4462af1d1 Mon Sep 17 00:00:00 2001
From: jsteube
Date: Wed, 22 Feb 2017 12:28:23 +0100
Subject: [PATCH] Mask Checks: Added integer overflow detection for a keyspace of a mask provided by user
---
 docs/changes.txt | 1 +
 include/types.h | 2 +-
 src/mpsp.c | 37 ++++++++++++++++++++++++++++++++-----
 3 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/docs/changes.txt b/docs/changes.txt
index 135392170..79fe59470 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -78,6 +78,7 @@
 - Helper: Added functions to check existence, type, read- and write-permissions and rewrite sources to use them instead of stat()
 - Keyfile handling: Make sure that the memory is cleanly freed whenever a VeraCrypt/TrueCrypt keyfile fails to load
 - Mask Checks: Added additional memory cleanups after parsing/verifying masks
+- Mask Checks: Added integer overflow detection for a keyspace of a mask provided by user
 - Mask Increment: Fixed memory leak in case mask_append() fails
 - OpenCL Device: Do a check on available constant memory size and abort if it's less than 64kB
 - OpenCL Device Management: Fixed several memory leaks in case initialization of an OpenCL device or platform failed
diff --git a/include/types.h b/include/types.h
index 0ad7a02c1..e0a15ed0b 100644
--- a/include/types.h
+++ b/include/types.h
@@ -1589,7 +1589,7 @@ typedef struct combinator_ctx
 char *dict2;
 u32 combs_mode;
- u32 combs_cnt;
+ u64 combs_cnt;
 } combinator_ctx_t;
diff --git a/src/mpsp.c b/src/mpsp.c
index 06ca1dd12..15426a748 100644
--- a/src/mpsp.c
+++ b/src/mpsp.c
@@ -807,7 +807,7 @@ static int sp_setup_tbl (hashcat_ctx_t *hashcat_ctx)
 return 0;
 }
-static u64 sp_get_sum (u32 start, u32 stop, cs_t *root_css_buf)
+static int sp_get_sum (u32 start, u32 stop, cs_t *root_css_buf, u64 *result)
 {
 u64 sum = 1;
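Review bot: The new sp_get_sum signature carries a contract callers now rely on, but no comment states it: the product goes to `*result` only on success, and the return value rather than the product signals overflow (the body in the next hunk returns -1 before `*result` is written). A comment above the definition such as `// Multiplies cs_len over css entries [start, stop) into *result; returns 0, or -1 (leaving *result untouched) if the product overflows.` would pin this down for the three call sites in mask_ctx_update_loop. sp_get_sum's body continues past this hunk.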
@@ -815,10 +815,16 @@ static u64 sp_get_sum (u32 start, u32 stop, cs_t *root_css_buf)
 for (i = start; i < stop; i++)
 {
+ u64 t;
+
+ if (__builtin_umull_overflow (sum, root_css_buf[i].cs_len, &t) == true) return -1;
+
 sum *= root_css_buf[i].cs_len;
 }
- return (sum);
+ *result = sum;
+
+ return 0;
 }
 static void sp_tbl_to_css (hcstat_table_t *root_table_buf, hcstat_table_t *markov_table_buf, cs_t *root_css_buf, cs_t *markov_css_buf, u32 threshold, u32 uniq_tbls[SP_PW_MAX][CHARSIZ])
@@ -1089,7 +1095,14 @@ int mask_ctx_update_loop (hashcat_ctx_t *hashcat_ctx)
 sp_tbl_to_css (mask_ctx->root_table_buf, mask_ctx->markov_table_buf, mask_ctx->root_css_buf, mask_ctx->markov_css_buf, user_options->markov_threshold, uniq_tbls);
- combinator_ctx->combs_cnt = sp_get_sum (0, mask_ctx->css_cnt, mask_ctx->root_css_buf);
+ const int rc_get_sum = sp_get_sum (0, mask_ctx->css_cnt, mask_ctx->root_css_buf, &combinator_ctx->combs_cnt);
+
+ if (rc_get_sum == -1)
+ {
+ event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of mask: %s", mask_ctx->mask);
+
+ return -1;
+ }
 const int rc_update_mp = opencl_session_update_mp (hashcat_ctx);
@@ -1179,7 +1192,14 @@ int mask_ctx_update_loop (hashcat_ctx_t *hashcat_ctx)
 sp_tbl_to_css (mask_ctx->root_table_buf, mask_ctx->markov_table_buf, mask_ctx->root_css_buf, mask_ctx->markov_css_buf, user_options->markov_threshold, uniq_tbls);
- status_ctx->words_cnt = sp_get_sum (0, mask_ctx->css_cnt, mask_ctx->root_css_buf);
+ const int rc_get_sum1 = sp_get_sum (0, mask_ctx->css_cnt, mask_ctx->root_css_buf, &status_ctx->words_cnt);
+
+ if (rc_get_sum1 == -1)
+ {
+ event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of mask: %s", mask_ctx->mask);
+
+ return -1;
+ }
 // copy + args
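Review bot: The added `if (__builtin_umull_overflow (sum, root_css_buf[i].cs_len, &t) == true) return -1;` checks the multiplication at `unsigned long` width, while `sum`, `t` and `*result` are `u64`; on any target where `unsigned long` is 32 bits (LLP64 Windows toolchains, if the project builds there) `&t` is the wrong pointer type and, should it compile, the overflow test is done on a narrower type than the accumulator actually uses. The type-generic `__builtin_mul_overflow` sizes the check by its operands and stores the product itself, so the temporary `t`, the `== true` comparison and the separate `sum *= root_css_buf[i].cs_len;` line can all go: `if (__builtin_mul_overflow (sum, root_css_buf[i].cs_len, &sum)) return -1;`. sp_get_sum's signature is in the previous hunk, outside this one.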
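Review bot: The eight-line check-and-log block added after the `sp_get_sum` call here is repeated verbatim in the hunks at -1179 and -1187 (`rc_get_sum1`, `rc_get_sum2`), differing only in the bounds and the destination pointer. A small static helper taking hashcat_ctx, start, stop and the result pointer, which calls sp_get_sum against `mask_ctx->root_css_buf` and emits the `event_log_error` on failure, would reduce each site to one call plus the existing `return -1;`. Testing the status with `!= 0` rather than `== -1` would also keep these sites correct should sp_get_sum ever gain a second failure code. mask_ctx_update_loop starts and ends outside these hunks.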
@@ -1187,7 +1207,14 @@ int mask_ctx_update_loop (hashcat_ctx_t *hashcat_ctx)
 mp_css_split_cnt (hashcat_ctx, css_cnt_orig, css_cnt_lr);
- mask_ctx->bfs_cnt = sp_get_sum (0, css_cnt_lr[1], mask_ctx->root_css_buf);
+ const int rc_get_sum2 = sp_get_sum (0, css_cnt_lr[1], mask_ctx->root_css_buf, &mask_ctx->bfs_cnt);
+
+ if (rc_get_sum2 == -1)
+ {
+ event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of mask: %s", mask_ctx->mask);
+
+ return -1;
+ }
 const int rc_update_mp_rl = opencl_session_update_mp_rl (hashcat_ctx, css_cnt_lr[0], css_cnt_lr[1]);