search

VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License
8.18k stars 1.43k forks source link

NULL pointer dereference in libyara/re.c #2084

Closed djuricmilan closed 3 months ago

djuricmilan commented 4 months ago

Describe the bug There is a NULL pointer dereference in function _yr_re_fiber_sync inside libyara/re.c. As visible in the attached screenshot from GDB, the content of the memory pointed to by fiber is 0x00000000. The code dereferences this address to access the member ip which results in a segmentation fault.

To Reproduce Build yara version v4.5.0 from source with ASAN. The PoC is given in the ZIP file: yara.zip

yara ./id:000000,sig:06,src:001106,op:arith8,pos:51,val:-18 3.yar

ASAN trace:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==220214==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55c38eab1c44 bp 0x55c38eb5fd60 sp 0x7fff13e5fcf0 T0)
==220214==The signal is caused by a READ memory access.
==220214==Hint: address points to the zero page.
    #0 0x55c38eab1c44  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x1e9c44)
    #1 0x55c38eaaf858  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x1e7858)
    #2 0x55c38eacf282  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x207282)
    #3 0x55c38eac1433  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x1f9433)
    #4 0x55c38eac070e  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x1f870e)
    #5 0x55c38eac1b99  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x1f9b99)
    #6 0x55c38ea405d8  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x1785d8)
    #7 0x55c38ea3cbe2  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x174be2)
    #8 0x7f515c3e1fcd  (/nix/store/p9ysh5rk109gyjj3cn6jr54znvvlahfl-glibc-2.38-66/lib/libc.so.6+0x27fcd) (BuildId: 26495ff69df462534fb238dc0fb1608f6f75576a)
    #9 0x7f515c3e2088  (/nix/store/p9ysh5rk109gyjj3cn6jr54znvvlahfl-glibc-2.38-66/lib/libc.so.6+0x28088) (BuildId: 26495ff69df462534fb238dc0fb1608f6f75576a)
    #10 0x55c38e90c594  (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x44594)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/nix/store/700pirxid807dlf3bsyzv5627vmlcfyn-target_final/bin/yara+0x1e9c44) 
==220214==ABORTING

Screenshots image

Please complete the following information: