From 922fea7616255b3cc3603cebd5f3c0bb00654668 Mon Sep 17 00:00:00 2001 From: jsteube Date: Wed, 22 Feb 2017 16:33:23 +0100 Subject: [PATCH] Add more integer overflow checks --- include/shared.h | 3 +++ include/wordlist.h | 2 +- src/combinator.c | 28 ++++++++++++++++++++++++++-- src/mpsp.c | 4 +--- src/shared.c | 14 ++++++++++++++ src/straight.c | 36 ++++++++++++++++++++++++++++++++---- src/wordlist.c | 32 +++++++++++++++++++++++++++----- 7 files changed, 104 insertions(+), 15 deletions(-) diff --git a/include/shared.h b/include/shared.h index dc08ff278..583682186 100644 --- a/include/shared.h +++ b/include/shared.h @@ -13,6 +13,9 @@ #include #include +bool overflow_check_int64_add (const u64 a, const u64 b); +bool overflow_check_int64_mul (const u64 a, const u64 b); + bool is_power_of_2 (const u32 v); u32 get_random_num (const u32 min, const u32 max); diff --git a/include/wordlist.h b/include/wordlist.h index 0efa2221e..05effa9a1 100644 --- a/include/wordlist.h +++ b/include/wordlist.h @@ -19,7 +19,7 @@ void get_next_word_std (char *buf, u64 sz, u64 *len, u64 *off); void get_next_word (hashcat_ctx_t *hashcat_ctx, FILE *fd, char **out_buf, u32 *out_len); int load_segment (hashcat_ctx_t *hashcat_ctx, FILE *fd); -u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile); +int count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile, u64 *result); int wl_data_init (hashcat_ctx_t *hashcat_ctx); void wl_data_destroy (hashcat_ctx_t *hashcat_ctx); diff --git a/src/combinator.c b/src/combinator.c index d006611a4..8d4f74839 100644 --- a/src/combinator.c +++ b/src/combinator.c @@ -82,7 +82,19 @@ int combinator_ctx_init (hashcat_ctx_t *hashcat_ctx) combinator_ctx->combs_cnt = 1; - const u64 words1_cnt = count_words (hashcat_ctx, fp1, dictfile1); + u64 words1_cnt = 0; + + const int rc1 = count_words (hashcat_ctx, fp1, dictfile1, &words1_cnt); + + if (rc1 == -1) + { + event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", dictfile1); + + fclose (fp1); + fclose (fp2); + + return -1; + } if (words1_cnt == 0) { @@ -96,7 +108,19 @@ int combinator_ctx_init (hashcat_ctx_t *hashcat_ctx) combinator_ctx->combs_cnt = 1; - const u64 words2_cnt = count_words (hashcat_ctx, fp2, dictfile2); + u64 words2_cnt = 0; + + const int rc2 = count_words (hashcat_ctx, fp2, dictfile2, &words2_cnt); + + if (rc2 == -1) + { + event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", dictfile2); + + fclose (fp1); + fclose (fp2); + + return -1; + } if (words2_cnt == 0) { diff --git a/src/mpsp.c b/src/mpsp.c index 02a5853bd..f08c9680f 100644 --- a/src/mpsp.c +++ b/src/mpsp.c @@ -815,9 +815,7 @@ static int sp_get_sum (u32 start, u32 stop, cs_t *root_css_buf, u64 *result) for (i = start; i < stop; i++) { - u64 t; - - if (__builtin_mul_overflow (sum, root_css_buf[i].cs_len, &t) == true) return -1; + if (overflow_check_int64_mul (sum, root_css_buf[i].cs_len) == true) return -1; sum *= root_css_buf[i].cs_len; } diff --git a/src/shared.c b/src/shared.c index cadd86beb..15ad31001 100644 --- a/src/shared.c +++ b/src/shared.c @@ -7,6 +7,20 @@ #include "types.h" #include "shared.h" +bool overflow_check_int64_add (const u64 a, const u64 b) +{ + u64 t; + + return __builtin_add_overflow (a, b, &t); +} + +bool overflow_check_int64_mul (const u64 a, const u64 b) +{ + u64 t; + + return __builtin_mul_overflow (a, b, &t); +} + bool is_power_of_2 (const u32 v) { return (v && !(v & (v - 1))); diff --git a/src/straight.c b/src/straight.c index fcd17809a..7b7d43001 100644 --- a/src/straight.c +++ b/src/straight.c @@ -74,7 +74,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx) return -1; } - status_ctx->words_cnt = count_words (hashcat_ctx, fd, straight_ctx->dict); + const int rc = count_words (hashcat_ctx, fd, straight_ctx->dict, &status_ctx->words_cnt); + + if (rc == -1) + { + event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", straight_ctx->dict); + + return -1; + } fclose (fd); @@ -102,7 +109,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx) return -1; } - status_ctx->words_cnt = count_words (hashcat_ctx, fd, combinator_ctx->dict1); + const int rc = count_words (hashcat_ctx, fd, combinator_ctx->dict1, &status_ctx->words_cnt); + + if (rc == -1) + { + event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", combinator_ctx->dict1); + + return -1; + } fclose (fd); } @@ -117,7 +131,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx) return -1; } - status_ctx->words_cnt = count_words (hashcat_ctx, fd, combinator_ctx->dict2); + const int rc = count_words (hashcat_ctx, fd, combinator_ctx->dict2, &status_ctx->words_cnt); + + if (rc == -1) + { + event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", combinator_ctx->dict2); + + return -1; + } fclose (fd); } @@ -156,7 +177,14 @@ int straight_ctx_update_loop (hashcat_ctx_t *hashcat_ctx) return -1; } - status_ctx->words_cnt = count_words (hashcat_ctx, fd, straight_ctx->dict); + const int rc = count_words (hashcat_ctx, fd, straight_ctx->dict, &status_ctx->words_cnt); + + if (rc == -1) + { + event_log_error (hashcat_ctx, "Integer overflow detected in keyspace of wordlist: %s", straight_ctx->dict); + + return -1; + } fclose (fd); diff --git a/src/wordlist.c b/src/wordlist.c index 4eff8b0a8..0d991c7d4 100644 --- a/src/wordlist.c +++ b/src/wordlist.c @@ -255,7 +255,7 @@ void pw_add (hc_device_param_t *device_param, const u8 *pw_buf, const int pw_len //} } -u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile) +int count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile, u64 *result) { combinator_ctx_t *combinator_ctx = hashcat_ctx->combinator_ctx; straight_ctx_t *straight_ctx = hashcat_ctx->straight_ctx; @@ -269,7 +269,12 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile) d.cnt = 0; - if (hc_fstat (fileno (fd), &d.stat)) return 0; + if (hc_fstat (fileno (fd), &d.stat)) + { + *result = 0; + + return 0; + } d.stat.st_mode = 0; d.stat.st_nlink = 0; @@ -283,7 +288,12 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile) d.stat.st_blocks = 0; #endif - if (d.stat.st_size == 0) return 0; + if (d.stat.st_size == 0) + { + *result = 0; + + return 0; + } const u64 cached_cnt = dictstat_find (hashcat_ctx, &d); @@ -295,10 +305,14 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile) if (user_options_extra->attack_kern == ATTACK_KERN_STRAIGHT) { + if (overflow_check_int64_mul (keyspace, (u64) straight_ctx->kernel_rules_cnt) == true) return -1; + keyspace *= straight_ctx->kernel_rules_cnt; } else if (user_options_extra->attack_kern == ATTACK_KERN_COMBI) { + if (overflow_check_int64_mul (keyspace, combinator_ctx->combs_cnt) == true) return -1; + keyspace *= combinator_ctx->combs_cnt; } @@ -311,7 +325,9 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile) EVENT_DATA (EVENT_WORDLIST_CACHE_HIT, &cache_hit, sizeof (cache_hit)); - return (keyspace); + *result = keyspace; + + return 0; } } @@ -362,10 +378,14 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile) { if (user_options_extra->attack_kern == ATTACK_KERN_STRAIGHT) { + if (overflow_check_int64_add (cnt, (u64) straight_ctx->kernel_rules_cnt) == true) return -1; + cnt += straight_ctx->kernel_rules_cnt; } else if (user_options_extra->attack_kern == ATTACK_KERN_COMBI) { + if (overflow_check_int64_add (cnt, combinator_ctx->combs_cnt) == true) return -1; + cnt += combinator_ctx->combs_cnt; } @@ -413,7 +433,9 @@ u64 count_words (hashcat_ctx_t *hashcat_ctx, FILE *fd, const char *dictfile) //hc_signal (sigHandler_default); - return (cnt); + *result = cnt; + + return 0; } int wl_data_init (hashcat_ctx_t *hashcat_ctx)