odin1314 / yara-project

Automatically exported from code.google.com/p/yara-project
Apache License 2.0

Buffer overflow in error printing #22

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I'm using HEAD version.

styx@styx-zone:~/@virlab/q$ valgrind yara userdb.yara 8D610742B96EC1F14EF758E4004A63D7F1102486
==31051== Memcheck, a memory error detector
==31051== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==31051== Using Valgrind-3.6.1 and LibVEX; rerun with -h for copyright info
==31051== Command: yara userdb.yara 8D610742B96EC1F14EF758E4004A63D7F1102486
==31051== 
*** buffer overflow detected ***: yara terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x590a1d7]
/lib/x86_64-linux-gnu/libc.so.6(+0xfd0f0)[0x59090f0]
/lib/x86_64-linux-gnu/libc.so.6(__strncpy_chk+0x16e)[0x59083de]
yara[0x405624]
yara[0x40b7b4]
yara[0x406961]
yara[0x402388]

GDB backtrace:

Program received signal SIGABRT, Aborted.
0x00007ffff709ed05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007ffff709ed05 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff70a2ab6 in abort () at abort.c:92
#2  0x00007ffff70d7d7b in __libc_message (do_abort=2, fmt=0x7ffff71beb23 "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
#3  0x00007ffff71691d7 in __fortify_fail (msg=0x7ffff71beaba "buffer overflow detected") at fortify_fail.c:32
#4  0x00007ffff71680f0 in __chk_fail () at chk_fail.c:29
#5  0x00007ffff71673de in __strncpy_chk (s1=<value optimized out>, s2=<value optimized out>, n=<value optimized out>, s1len=<value optimized out>)
    at strncpy_chk.c:34
#6  0x0000000000405624 in strncpy (yyscanner=<value optimized out>, 
    error_message=0x7fffffffd650 "syntax error, unexpected '{', expecting _TEXTSTRING_ or _HEXSTRING_ or _REGEXP_") at /usr/include/bits/string3.h:121
#7  yyerror (yyscanner=<value optimized out>, 
    error_message=0x7fffffffd650 "syntax error, unexpected '{', expecting _TEXTSTRING_ or _HEXSTRING_ or _REGEXP_") at lex.l:428
#8  0x000000000040b7b4 in yyparse (yyscanner=0x6132b0) at grammar.c:2488
#9  0x0000000000406961 in parse_rules_file (rules_file=0x613050, context=0x7ffff7f4e010) at lex.l:491
#10 0x0000000000402388 in main (argc=3, argv=0x7fffffffd878) at yara.c:576
(gdb) quit
A debugging session is active.

    Inferior 1 [process 31067] will be killed.

My solution:
In lex.l local var 'message' has size 512 and the error message in context has 
only 256. So I just increased the size of 'last_error_extra_info' to 512.

Original issue reported on code.google.com by styx...@gmail.com on 13 Jun 2011 at 8:08
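
Added example, not part of the original thread or the yara code base: a C sketch of the size mismatch the report describes, with a destination-bounded copy beside it. It assumes the copy was bounded by the 512-byte source rather than the 256-byte destination (the actual call at lex.l:428 is not shown on this page); `INFO_SIZE`, `MSG_SIZE`, `bytes_clobbered_past_field` and `set_error_info` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define INFO_SIZE 256 /* size the report gives for last_error_extra_info */
#define MSG_SIZE  512 /* size the report gives for the local 'message' */

/* Sample input: the parser error text from the backtrace. */
static const char SAMPLE[] = "syntax error, unexpected '{', expecting "
                             "_TEXTSTRING_ or _HEXSTRING_ or _REGEXP_";

/* Assumed bug shape: strncpy bounded by the source size. strncpy pads with
 * NULs up to the bound, so even a short message writes MSG_SIZE bytes, and
 * __strncpy_chk aborts whenever the bound exceeds the destination size.
 * Modeled in bounds: the first INFO_SIZE bytes of a larger arena stand in
 * for the field. Returns how many bytes behind the field were rewritten. */
size_t bytes_clobbered_past_field(const char *msg)
{
    char arena[MSG_SIZE + 8];
    size_t i, hit = 0;

    memset(arena, 0x41, sizeof(arena));
    strncpy(arena, msg, MSG_SIZE); /* bound = source size, not field size */
    for (i = INFO_SIZE; i < sizeof(arena); i++)
        if (arena[i] != 0x41)
            hit++;
    return hit;
}

/* Hardened copy: bounded by the destination and always NUL-terminated.
 * Returns 1 if the message was truncated, 0 if it fit. */
int set_error_info(char *dst, size_t dst_size, const char *msg)
{
    int n;

    if (dst_size == 0)
        return 1;
    n = snprintf(dst, dst_size, "%s", msg);
    return n < 0 || (size_t)n >= dst_size;
}

int main(void)
{
    char info[INFO_SIZE];

    printf("bytes past field: %zu\n", bytes_clobbered_past_field(SAMPLE));
    printf("truncated: %d\n", set_error_info(info, sizeof(info), SAMPLE));
    return 0;
}
```

The sample message is far shorter than 256 bytes, yet the source-bounded copy rewrites every byte between offsets 256 and 511, which is why the fortified build aborted on an ordinary syntax error.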

GoogleCodeExporter commented 9 years ago
Fixed on r113

Original comment by plus...@gmail.com on 27 Jun 2011 at 7:00

GoogleCodeExporter commented 9 years ago
Issue 28 has been merged into this issue.

Original comment by plus...@gmail.com on 28 Jul 2011 at 11:01