From 688a580d6c8c29b2525d905cb4ae1b688fc8fba7 Mon Sep 17 00:00:00 2001
From: jsteube
Date: Fri, 25 Aug 2017 20:52:13 +0200
Subject: [PATCH] Fixed an integer overflow in innerloop_step and innerloop_cnt variables

---
 docs/changes.txt | 1 +
 include/types.h | 4 ++--
 src/opencl.c | 22 ++++++++++++----------
 3 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/docs/changes.txt b/docs/changes.txt
index 338db8faf..975c40f60 100644
--- a/docs/changes.txt
+++ b/docs/changes.txt
@@ -25,6 +25,7 @@
 - Fixed a missing barrier() call in the RACF OpenCL kernel
 - Fixed a missing salt length value in benchmark mode for SIP
 - Fixed an invalid progress value in status view if words from the base wordlist get rejected because of length
+- Fixed an integer overflow in innerloop_step and innerloop_cnt variables
 - Fixed a parser error for mode -m 9820 = MS Office <= 2003 $3, SHA1 + RC4, collider #2
 - Fixed a problem with changed current working directory, for instance by using --restore together with --remove
 - Fixed a problem with the conversion to the $HEX[] format: convert/hexify also all passwords of the format $HEX[]
diff --git a/include/types.h b/include/types.h
index f0565a1e1..14014220c 100644
--- a/include/types.h
+++ b/include/types.h
@@ -994,8 +994,8 @@ typedef struct hc_device_param
   u32 outerloop_left;
   double outerloop_msec;
-  u32 innerloop_pos;
-  u32 innerloop_left;
+  u64 innerloop_pos;
+  u64 innerloop_left;
   u32 exec_pos;
   double exec_msec[EXEC_CACHE];
diff --git a/src/opencl.c b/src/opencl.c
index 724c43ffd..81d655e70 100644
--- a/src/opencl.c
+++ b/src/opencl.c
@@ -2009,8 +2009,8 @@ int run_cracker (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, co
   // iteration type
-  u32 innerloop_step = 0;
-  u32 innerloop_cnt = 0;
+  u64 innerloop_step = 0;
+  u64 innerloop_cnt = 0;
   if (hashconfig->attack_exec == ATTACK_EXEC_INSIDE_KERNEL) innerloop_step = device_param->kernel_loops;
   else innerloop_step = 1;
@@ -2021,13 +2021,13 @@ int run_cracker (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, co
   // innerloops
-  for (u32 innerloop_pos = 0; innerloop_pos < innerloop_cnt; innerloop_pos += innerloop_step)
+  for (u64 innerloop_pos = 0; innerloop_pos < innerloop_cnt; innerloop_pos += innerloop_step)
   {
     while (status_ctx->devices_status == STATUS_PAUSED) hc_sleep (1);
     u32 fast_iteration = 0;
-    u32 innerloop_left = innerloop_cnt - innerloop_pos;
+    u64 innerloop_left = innerloop_cnt - innerloop_pos;
     if (innerloop_left > innerloop_step)
     {
@@ -2036,10 +2036,12 @@ int run_cracker (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, co
       fast_iteration = 1;
     }
+printf ("%u\n", innerloop_left);
+
     device_param->innerloop_pos = innerloop_pos;
     device_param->innerloop_left = innerloop_left;
-    device_param->kernel_params_buf32[30] = innerloop_left;
+    device_param->kernel_params_buf32[30] = (u32) innerloop_left;
     // i think we can get rid of this
     if (innerloop_left == false)
@@ -2072,7 +2074,7 @@ int run_cracker (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, co
         {
           char *line_buf = combinator_ctx->scratch_buf;
-          u32 i = 0;
+          u64 i = 0;
           while (i < innerloop_left)
           {
@@ -2139,7 +2141,7 @@ int run_cracker (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, co
             i++;
           }
-          for (u32 j = i; j < innerloop_left; j++)
+          for (u64 j = i; j < innerloop_left; j++)
           {
             memset (&device_param->combs_buf[j], 0, sizeof (pw_t));
           }
@@ -2189,7 +2191,7 @@ int run_cracker (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, co
         {
           char *line_buf = combinator_ctx->scratch_buf;
-          u32 i = 0;
+          u64 i = 0;
           while (i < innerloop_left)
           {
@@ -2258,7 +2260,7 @@ int run_cracker (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param, co
             i++;
           }
-          for (u32 j = i; j < innerloop_left; j++)
+          for (u64 j = i; j < innerloop_left; j++)
           {
             memset (&device_param->combs_buf[j], 0, sizeof (pw_t));
           }
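Review bot: The `printf ("%u\n", innerloop_left);` added just before `device_param->innerloop_pos = innerloop_pos;` in the @@ -2036 hunk looks like a leftover debug print: it is unindented, writes a line to stdout on every inner-loop iteration, and passes the now-u64 `innerloop_left` to `%u`, which is a format/argument mismatch (undefined behavior; on common ABIs it prints only the low 32 bits). It should be dropped together with the blank `+` line after it; if a trace is really wanted, the portable form is `printf ("%" PRIu64 "\n", innerloop_left);` via `<inttypes.h>`, assuming u64 is uint64_t, which this hunk does not show. The `(u32) innerloop_left` store into `kernel_params_buf32[30]` is presumably safe because the preceding `if (innerloop_left > innerloop_step)` clamps it, but that body is cut off by the hunk boundary, so a comment such as `// innerloop_left <= innerloop_step (kernel_loops), so it fits the u32 kernel parameter` would justify the narrowing cast. run_cracker's body starts before and continues after this hunk.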
@@ -3571,7 +3573,7 @@ void opencl_ctx_devices_kernel_loops (hashcat_ctx_t *hashcat_ctx)
     if (device_param->kernel_loops_min < device_param->kernel_loops_max)
     {
-      u32 innerloop_cnt = 0;
+      u64 innerloop_cnt = 0;
       if (hashconfig->attack_exec == ATTACK_EXEC_INSIDE_KERNEL)
       {