hillu / go-yara

Go bindings for YARA
BSD 2-Clause "Simplified" License

yr_scanner_scan_file Using mmap is a dangerous operation #119

Open pandaWall opened 1 year ago

pandaWall commented 1 year ago

When yara maps a file of size using mmap, SIGBUS is triggered when the file size is cleared to zero before yr_scanner_scan_mem is called. So is there any solution other than to read files into memory in advance?

hillu commented 1 year ago

YARA itself tries to catch that signal unless explicitly instructed otherwise, so you should just see a failed scan. See the YR_TRYCATCH macro in exception.h for details. Does your Go program panic after getting that SIGBUS signal?

hillu commented 1 year ago

@pandaWall ping?

pandaWall commented 1 year ago

Sorry to see your reply just now, I saw that the source code supports the YR_TRYCATCH macro definition, which only captures the signal when SIGBUS is triggered to ensure that the program will not crash. However, I hope that the library can change the calling method of mmap and add an interface to read a certain length of buffer for detection by means of read.

@hillu Looking forward to your reply

hillu commented 1 year ago

@pandaWall The YR_TRYCATCH macro is used within libyara unless the SCAN_FLAGS_NO_TRYCATCH flag has been passed to any of the yr_scan_*. After learning (#124) that catching signals may interfere with the Go runtime, I'm inclined to add that flag to all the Scan* functions.

I'm afraid that we can't call mmap in specific ways to avoid SIGBUS being raised.

pandaWall commented 1 year ago

@hillu Thank you for your reply, my friend. So it looks like that, but what I'm doing is I'm reading a piece of content and I'm using scan_mem to detect it.
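
The approach described in the comment above (read a bounded piece of the file with read, then scan the buffer), as an added example that is not part of the original thread or of go-yara. `scan` is a stand-in for a buffer scanner such as ScanMem, and `Result`, `readUpTo` and `scanFileByRead` are hypothetical names; it goes slightly further than the comment by reporting when the file shrank or was capped, since either means only part of the content was scanned.

```go
package main

import (
	"fmt"
	"io"
	"os"
)

// Result records how much of the file the scanner actually saw.
type Result struct {
	Scanned int64 // bytes handed to the scanner
	Shrunk  bool  // file got shorter after its size was taken
	Capped  bool  // file exceeded limit; the tail was not scanned
}

// readUpTo copies at most want bytes into a private buffer using read(2).
// A file truncated underneath us only yields a short read, never SIGBUS.
func readUpTo(f *os.File, want int64) ([]byte, bool, error) {
	buf, err := io.ReadAll(io.LimitReader(f, want))
	return buf, int64(len(buf)) < want, err
}

// scanFileByRead passes up to limit bytes of path to scan. scan is an
// assumption: a stand-in for a buffer scanner such as go-yara's ScanMem.
func scanFileByRead(path string, limit int64, scan func([]byte) error) (Result, error) {
	f, err := os.Open(path)
	if err != nil {
		return Result{}, err
	}
	defer f.Close()
	st, err := f.Stat()
	if err != nil {
		return Result{}, err
	}
	want, capped := st.Size(), st.Size() > limit
	if capped {
		want = limit
	}
	buf, shrunk, err := readUpTo(f, want)
	if err != nil {
		return Result{}, err
	}
	return Result{Scanned: int64(len(buf)), Shrunk: shrunk, Capped: capped}, scan(buf)
}

func main() { // demo: read this program's own file with a no-op scanner
	res, err := scanFileByRead(os.Args[0], 1<<20, func([]byte) error { return nil })
	fmt.Println(res, err)
}
```

A caller should treat `Shrunk` or `Capped` as an incomplete scan rather than a clean result.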

hillu commented 1 year ago

At this point, a minimal reproducer would be useful, I think.

plusvic commented 10 months ago

This issue is related to https://github.com/hillu/go-yara/pull/137

That PR addresses the issue of YARA's signal handler interfering with Golang's runtime, at least for the ScanMem function which doesn't actually need the handler at all.

For the ScanFile function things get more complicated because it relies on memory-mapped files as already discussed. I need to investigate further and check if