Fixed out-of-boundary read in PKZIP masterkey kernel if the password candidate has length zero.

Now that kernel threads are no longer fixed over the entire session, hardware_power and hardware_power_all needs to be updated the same way as kernel_power and kernel_power_all for each call to inner2_loop().
3 years ago · 9254603960
parent 49117745cf
commit 9254603960
7 changed files with 28 additions and 25 deletions
--- a/OpenCL/m20500_a3-pure.cl
+++ b/OpenCL/m20500_a3-pure.cl
@ -296,7 +296,7 @@ KERNEL_FQ void m20500_sxx (KERN_ATTR_VECTOR ())
  u32 prep1 = digests_buf[DIGESTS_OFFSET].digest_buf[1];
  u32 prep2 = digests_buf[DIGESTS_OFFSET].digest_buf[2];

-  for (u32 pos = pw_len - 1; pos >= 4; pos--)
+  for (int pos = pw_len - 1; pos >= 4; pos--)
  {
    const u32 t = hc_bfe_S (pws[gid].i[pos / 4], (pos & 3) * 8, 8);

--- a/docs/changes.txt
+++ b/docs/changes.txt
@ -22,6 +22,7 @@
 - Fixed invalid data type in the sha384_hmac_init_vector_128() function that take effect if the vector data type was specified manually
 - Fixed out-of-boundary read in input_tokenizer() if the signature in the hash is longer than the length of the plugin's signature constant
 - Fixed out-of-boundary read in the Stuffit5 module in hash_decode()
+- Fixed out-of-boundary read in PKZIP masterkey kernel if the password candidate has length zero
 - Fixed random rule generator option --generate-rules-func-min by fixing switch() case to not select a not existing option group type
 - Fixed segfault when a combination of the flags --user and --show is given and a hash was specified directly on the command line
 - Fixed syntax check of HAS_VPERM macro in several kernel includes causing invalid error message for AMD GPUs on Windows
--- a/include/types.h
+++ b/include/types.h
@ -1242,6 +1242,7 @@ typedef struct hc_device_param
  u32     kernel_loops_min_sav; // the _sav are required because each -i iteration
  u32     kernel_loops_max_sav; // needs to recalculate the kernel_loops_min/max based on the current amplifier count
  u32     kernel_threads;
+  u32     kernel_threads_prev;
  u32     kernel_threads_min;
  u32     kernel_threads_max;

--- a/src/autotune.c
+++ b/src/autotune.c
@ -196,7 +196,9 @@ static int autotune (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param
    // from here it's clear we are allowed to autotune
    // so let's init some fake words

-    const u32 kernel_power_max = device_param->hardware_power * kernel_accel_max;
+    const u32 hardware_power_max = ((hashconfig->opts_type & OPTS_TYPE_MP_MULTI_DISABLE) ? 1 : device_param->device_processors) * kernel_threads_max;
+
+    const u32 kernel_power_max = hardware_power_max * kernel_accel_max;

    if (device_param->is_cuda == true)
    {
--- a/src/backend.c
+++ b/src/backend.c
@ -10705,8 +10705,6 @@ int backend_session_begin (hashcat_ctx_t *hashcat_ctx)

  u64 size_total_host_all = 0;

-  u32 hardware_power_all = 0;
-
  for (int backend_devices_idx = 0; backend_devices_idx < backend_ctx->backend_devices_cnt; backend_devices_idx++)
  {
    /**
@ -14497,7 +14495,7 @@ int backend_session_begin (hashcat_ctx_t *hashcat_ctx)
    //    device_param->kernel_threads = kernel_threads;
    device_param->kernel_threads = 0;

-    device_param->hardware_power = ((hashconfig->opts_type & OPTS_TYPE_MP_MULTI_DISABLE) ? 1 : device_processors) * device_param->kernel_threads_max;
+    u32 hardware_power_max = ((hashconfig->opts_type & OPTS_TYPE_MP_MULTI_DISABLE) ? 1 : device_processors) * device_param->kernel_threads_max;

    u32 kernel_accel_min = device_param->kernel_accel_min;
    u32 kernel_accel_max = device_param->kernel_accel_max;
@ -14520,7 +14518,7 @@ int backend_session_begin (hashcat_ctx_t *hashcat_ctx)

    // this is device_processors * kernel_threads

-    accel_limit /= device_param->hardware_power;
+    accel_limit /= hardware_power_max;

    // single password candidate size

@ -14563,7 +14561,7 @@ int backend_session_begin (hashcat_ctx_t *hashcat_ctx)

    while (kernel_accel_max >= kernel_accel_min)
    {
-      const u64 kernel_power_max = device_param->hardware_power * kernel_accel_max;
+      const u64 kernel_power_max = hardware_power_max * kernel_accel_max;

      // size_pws

@ -14736,7 +14734,7 @@ int backend_session_begin (hashcat_ctx_t *hashcat_ctx)
    {
      while (kernel_accel_max > kernel_accel_min)
      {
-        const u64 kernel_power_max = device_param->hardware_power * kernel_accel_max;
+        const u64 kernel_power_max = hardware_power_max * kernel_accel_max;

        if (kernel_power_max > hashes->salts_cnt)
        {
@ -15050,18 +15048,9 @@ int backend_session_begin (hashcat_ctx_t *hashcat_ctx)
      }
    }

-    hardware_power_all += device_param->hardware_power;
-
    EVENT_DATA (EVENT_BACKEND_DEVICE_INIT_POST, &backend_devices_idx, sizeof (int));
  }

-  if (user_options->benchmark == false)
-  {
-    if (hardware_power_all == 0) return -1;
-  }
-
-  backend_ctx->hardware_power_all = hardware_power_all;
-
  EVENT_DATA (EVENT_BACKEND_SESSION_HOSTMEM, &size_total_host_all, sizeof (u64));

  return 0;
@ -15550,8 +15539,12 @@ void backend_session_reset (hashcat_ctx_t *hashcat_ctx)
    #else
    device_param->timer_speed.tv_sec = 0;
    #endif
+
+    device_param->kernel_power   = 0;
+    device_param->hardware_power = 0;
  }

+  backend_ctx->hardware_power_all = 0;
  backend_ctx->kernel_power_all   = 0;
  backend_ctx->kernel_power_final = 0;
 }
--- a/src/dispatch.c
+++ b/src/dispatch.c
@ -321,11 +321,13 @@ static int calc_stdin (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_par
    if (device_param->speed_only_finish == true) break;
  }

-  device_param->kernel_accel_prev = device_param->kernel_accel;
-  device_param->kernel_loops_prev = device_param->kernel_loops;
+  device_param->kernel_accel_prev   = device_param->kernel_accel;
+  device_param->kernel_loops_prev   = device_param->kernel_loops;
+  device_param->kernel_threads_prev = device_param->kernel_threads;

-  device_param->kernel_accel = 0;
-  device_param->kernel_loops = 0;
+  device_param->kernel_accel   = 0;
+  device_param->kernel_loops   = 0;
+  device_param->kernel_threads = 0;

  if (iconv_enabled == true)
  {
@ -1579,11 +1581,13 @@ static int calc (hashcat_ctx_t *hashcat_ctx, hc_device_param_t *device_param)
    }
  }

-  device_param->kernel_accel_prev = device_param->kernel_accel;
-  device_param->kernel_loops_prev = device_param->kernel_loops;
+  device_param->kernel_accel_prev   = device_param->kernel_accel;
+  device_param->kernel_loops_prev   = device_param->kernel_loops;
+  device_param->kernel_threads_prev = device_param->kernel_threads;

-  device_param->kernel_accel = 0;
-  device_param->kernel_loops = 0;
+  device_param->kernel_accel   = 0;
+  device_param->kernel_loops   = 0;
+  device_param->kernel_threads = 0;

  return 0;
 }
--- a/src/status.c
+++ b/src/status.c
@ -2194,6 +2194,8 @@ int status_get_kernel_threads_dev (const hashcat_ctx_t *hashcat_ctx, const int b

  if (device_param->skipped_warning == true) return 0;

+  if (device_param->kernel_threads_prev) return device_param->kernel_threads_prev;
+
  return device_param->kernel_threads;
 }