mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
https://mandiant.github.io/capa/
Apache License 2.0

Memory Explosion Bug #1836

Open Jizhou-Chen opened 11 months ago

Jizhou-Chen commented 11 months ago

Description

Steps to Reproduce

  1. Download and extract the capa v6.1.0 executable from https://github.com/mandiant/capa/releases/download/v6.1.0/capa-v6.1.0-linux.zip
  2. Run capa with the c177e0a9e745a247a944f805189daf4c2f3f059340290c8c0ec0861bacaa8316 malware sample.
  3. Watch the memory consumption of capa.
    • Note: The binary that causes the bug is not publicly shared here because it is malware. The malware can be obtained from VirusTotal or I can share it with maintainers upon request.

Expected behavior: capa generates a behavior report.

Actual behavior: capa hangs and keeps consuming memory, exhausting all the memory on the host.

Versions

v6.1.0, v5.1.0 (We have tested Linux version only)

Additional Information

While the above steps are sufficient to reproduce the bug per se, we will try to collect information such as stack trace to help locate the root cause later.
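Added example, not part of the original issue or of capa's own code: one way to run an analysis command under an address-space cap and a wall-clock timeout, so that a sample triggering this kind of runaway memory use fails fast instead of exhausting the host. The name `run_capped`, the default limits, the stand-in child command and the `sample.bin` path are assumptions; Linux/POSIX only.

```python
import resource
import subprocess
import sys


def run_capped(cmd, mem_bytes=4 * 1024**3, timeout_s=600):
    """Run cmd with an address-space cap and a wall-clock timeout.

    Returns (status, returncode); status is "ok", "failed" or "timeout".
    A process that hits the cap sees its allocations fail and normally
    exits non-zero, which is reported here as "failed".
    """

    def limit_memory():
        # Runs in the child between fork and exec.
        # Never ask for more than the hard limit already in force.
        _, hard = resource.getrlimit(resource.RLIMIT_AS)
        cap = mem_bytes if hard == resource.RLIM_INFINITY else min(mem_bytes, hard)
        resource.setrlimit(resource.RLIMIT_AS, (cap, cap))

    try:
        # subprocess.run kills the child itself when the timeout expires.
        proc = subprocess.run(cmd, preexec_fn=limit_memory, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return "timeout", None
    return ("ok" if proc.returncode == 0 else "failed"), proc.returncode


if __name__ == "__main__":
    # Constructed stand-in for a runaway analysis: tries to allocate 8 GiB
    # while capped at 1 GiB, so the allocation fails and the child exits.
    hog = [sys.executable, "-c", "x = bytearray(8 * 1024**3)"]
    print(run_capped(hog, mem_bytes=1024**3, timeout_s=30))
    # Assumed real use (sample.bin is a placeholder path):
    #   run_capped(["./capa", "sample.bin"])
```

The cap applies to virtual address space (`RLIMIT_AS`), so it should be set with some headroom above the tool's normal working set.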

mr-tz commented 11 months ago

Thanks for the detailed report. I suspect it's an issue during the vivisect binary analysis step, but we'll investigate what's going on.

mr-tz commented 11 months ago

Reported vivisect issue upstream in https://github.com/vivisect/vivisect/issues/635