Add more integer overflow checks

7 years ago · 922fea7616
parent 080131c86e
commit 922fea7616
7 changed files with 104 additions and 15 deletions
--- a/include/shared.h
+++ b/include/shared.h
@ -13,6 +13,9 @@
 #include <time.h>
 #include <fcntl.h>

+bool overflow_check_int64_add (const u64 a, const u64 b);
+bool overflow_check_int64_mul (const u64 a, const u64 b);
+
 bool is_power_of_2 (const u32 v);

 u32 get_random_num (const u32 min, const u32 max);
--- a/include/wordlist.h
+++ b/include/wordlist.h
@ -19,7 +19,7 @@ void get_next_word_std (char *buf, u64 sz, u64 *len, u64 *off);

 void get_next_word   (hashcat_ctx_t *hashcat_ctx, FILE *fd, char **out_buf, u32 *out_len);
 int  load_segment    (hashcat_ctx_t *hashcat_ctx, FILE *fd);
-u64  count_words     (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile);
+int  count_words     (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile, u64 *result);
 int  wl_data_init    (hashcat_ctx_t *hashcat_ctx);
 void wl_data_destroy (hashcat_ctx_t *hashcat_ctx);

--- a/src/combinator.c
+++ b/src/combinator.c
@ -82,7 +82,19 @@ int combinator_ctx_init (hashcat_ctx_t *hashcat_ctx)

    combinator_ctx->combs_cnt = 1;

-    const u64 words1_cnt = count_words (hashcat_ctx, fp1, dictfile1);
+    u64 words1_cnt = 0;
+
+    const int rc1 = count_words (hashcat_ctx, fp1, dictfile1, &words1_cnt);
+
+    if (rc1 == -1)
+    {
+      event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", dictfile1);
+
+      fclose (fp1);
+      fclose (fp2);
+
+      return -1;
+    }

    if (words1_cnt == 0)
    {
@ -96,7 +108,19 @@ int combinator_ctx_init (hashcat_ctx_t *hashcat_ctx)

    combinator_ctx->combs_cnt = 1;

-    const u64 words2_cnt = count_words (hashcat_ctx, fp2, dictfile2);
+    u64 words2_cnt = 0;
+
+    const int rc2 = count_words (hashcat_ctx, fp2, dictfile2, &words2_cnt);
+
+    if (rc2 == -1)
+    {
+      event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", dictfile2);
+
+      fclose (fp1);
+      fclose (fp2);
+
+      return -1;
+    }

    if (words2_cnt == 0)
    {
--- a/src/mpsp.c
+++ b/src/mpsp.c
@ -815,9 +815,7 @@ static int sp_get_sum (u32 start, u32 stop, cs_t *root_css_buf, u64 *result)

  for (i = start; i < stop; i++)
  {
-    u64 t;
-
-    if (__builtin_mul_overflow (sum, root_css_buf[i].cs_len, &t) == true) return -1;
+    if (overflow_check_int64_mul (sum, root_css_buf[i].cs_len) == true) return -1;

    sum *= root_css_buf[i].cs_len;
  }
--- a/src/shared.c
+++ b/src/shared.c
@ -7,6 +7,20 @@
 #include "types.h"
 #include "shared.h"

+bool overflow_check_int64_add (const u64 a, const u64 b)
+{
+  u64 t;
+
+  return __builtin_add_overflow (a, b, &t);
+}
+
+bool overflow_check_int64_mul (const u64 a, const u64 b)
+{
+  u64 t;
+
+  return __builtin_mul_overflow (a, b, &t);
+}
+
 bool is_power_of_2 (const u32 v)
 {
  return (v && !(v & (v - 1)));
--- a/src/straight.c
+++ b/src/straight.c
@ -74,7 +74,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx)
        return -1;
      }

-      status_ctx->words_cnt = count_words (hashcat_ctx, fd, straight_ctx->dict);
+      const int rc = count_words (hashcat_ctx, fd, straight_ctx->dict, &status_ctx->words_cnt);
+
+      if (rc == -1)
+      {
+        event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", straight_ctx->dict);
+
+        return -1;
+      }

      fclose (fd);

@ -102,7 +109,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx)
        return -1;
      }

-      status_ctx->words_cnt = count_words (hashcat_ctx, fd, combinator_ctx->dict1);
+      const int rc = count_words (hashcat_ctx, fd, combinator_ctx->dict1, &status_ctx->words_cnt);
+
+      if (rc == -1)
+      {
+        event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", combinator_ctx->dict1);
+
+        return -1;
+      }

      fclose (fd);
    }
@ -117,7 +131,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx)
        return -1;
      }

-      status_ctx->words_cnt = count_words (hashcat_ctx, fd, combinator_ctx->dict2);
+      const int rc = count_words (hashcat_ctx, fd, combinator_ctx->dict2, &status_ctx->words_cnt);
+
+      if (rc == -1)
+      {
+        event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", combinator_ctx->dict2);
+
+        return -1;
+      }

      fclose (fd);
    }
@ -156,7 +177,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx)
      return -1;
    }

-    status_ctx->words_cnt = count_words (hashcat_ctx, fd, straight_ctx->dict);
+    const int rc = count_words (hashcat_ctx, fd, straight_ctx->dict, &status_ctx->words_cnt);
+
+    if (rc == -1)
+    {
+      event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", straight_ctx->dict);
+
+      return -1;
+    }

    fclose (fd);

--- a/src/wordlist.c
+++ b/src/wordlist.c
@ -255,7 +255,7 @@ void pw_add (hc_device_param_t *device_param, const u8 *pw_buf, const int pw_len
  //}
 }

-u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile)
+int count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile, u64 *result)
 {
  combinator_ctx_t     *combinator_ctx     = hashcat_ctx->combinator_ctx;
  straight_ctx_t       *straight_ctx       = hashcat_ctx->straight_ctx;
@ -269,7 +269,12 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile)

  d.cnt = 0;

-  if (hc_fstat (fileno (fd), &d.stat)) return 0;
+  if (hc_fstat (fileno (fd), &d.stat))
+  {
+    *result = 0;
+
+    return 0;
+  }

  d.stat.st_mode    = 0;
  d.stat.st_nlink   = 0;
@ -283,7 +288,12 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile)
  d.stat.st_blocks  = 0;
  #endif

-  if (d.stat.st_size == 0) return 0;
+  if (d.stat.st_size == 0)
+  {
+    *result = 0;
+
+    return 0;
+  }

  const u64 cached_cnt = dictstat_find (hashcat_ctx, &d);

@ -295,10 +305,14 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile)

      if (user_options_extra->attack_kern == ATTACK_KERN_STRAIGHT)
      {
+        if (overflow_check_int64_mul (keyspace, (u64) straight_ctx->kernel_rules_cnt) == true) return -1;
+
        keyspace *= straight_ctx->kernel_rules_cnt;
      }
      else if (user_options_extra->attack_kern == ATTACK_KERN_COMBI)
      {
+        if (overflow_check_int64_mul (keyspace, combinator_ctx->combs_cnt) == true) return -1;
+
        keyspace *= combinator_ctx->combs_cnt;
      }

@ -311,7 +325,9 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile)

      EVENT_DATA (EVENT_WORDLIST_CACHE_HIT, &cache_hit, sizeof (cache_hit));

-      return (keyspace);
+      *result = keyspace;
+
+      return 0;
    }
  }

@ -362,10 +378,14 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile)
      {
        if (user_options_extra->attack_kern == ATTACK_KERN_STRAIGHT)
        {
+          if (overflow_check_int64_add (cnt, (u64) straight_ctx->kernel_rules_cnt) == true) return -1;
+
          cnt += straight_ctx->kernel_rules_cnt;
        }
        else if (user_options_extra->attack_kern == ATTACK_KERN_COMBI)
        {
+          if (overflow_check_int64_add (cnt, combinator_ctx->combs_cnt) == true) return -1;
+
          cnt += combinator_ctx->combs_cnt;
        }

@ -413,7 +433,9 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile)

  //hc_signal (sigHandler_default);

-  return (cnt);
+  *result = cnt;
+
+  return 0;
 }

 int wl_data_init (hashcat_ctx_t *hashcat_ctx)