search

VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License
8.08k stars 1.43k forks source link

heap-buffer-overflow libyara/exec.c:1196 in yr_execute_code #1946

Closed shinibufa closed 1 year ago

shinibufa commented 1 year ago

Describe the bug AddressSanitizer: heap-buffer-overflow libyara/exec.c:1196 in yr_execute_code

To Reproduce Steps to reproduce the behavior: 1, compile yara with asan: ./configure CC=gcc CXX=g++ CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-g -O0 -fsanitize=address" 2, run this command: ./yara -C PoC binFile

Please complete the following information:

Additional context ASAN reprot:

==1855673==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002510 at pc 0x7f1f120df3f6 bp 0x7fff9d9480a0 sp 0x7fff9d948090 READ of size 8 at 0x602000002510 thread T0

0 0x7f1f120df3f5 in yr_execute_code libyara/exec.c:1196

#1 0x7f1f12145cd8 in yr_scanner_scan_mem_blocks libyara/scanner.c:526
#2 0x7f1f121467a0 in yr_scanner_scan_mem libyara/scanner.c:670
#3 0x7f1f12146b3e in yr_scanner_scan_fd libyara/scanner.c:706
#4 0x55f0c48f511a in scan_file cli/yara.c:736
#5 0x55f0c48f9444 in main cli/yara.c:1654
#6 0x7f1f119c6082 in __libc_start_main ../csu/libc-start.c:308
#7 0x55f0c48f1ced in _start (/home/root/latestFiles/yara-4.3.2/.libs/yara+0x7ced)

Address 0x602000002510 is a wild pointer. SUMMARY: AddressSanitizer: heap-buffer-overflow libyara/exec.c:1196 in yr_execute_code Shadow bytes around the buggy address: 0x0c047fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff8490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c047fff84a0: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c047fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1855673==ABORTING

plusvic commented 1 year ago

Closing as this is crash is the result of fuzzing compiled rules. See #1948 for more context.