Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

4.2.x #1776

Open
wants to merge 28 commits into
base: master
Choose a base branch
from
Open

4.2.x #1776

wants to merge 28 commits into from

Conversation

thomas000274
Copy link

Is it feasible?

hillu and others added 28 commits March 17, 2022 12:03
Memory-mapped files from tmpfs (major number = 0) are no longer ignored.
iterator->last_error is now initialized to ERROR_SUCCESS in yr_process_open_iterator. Additionally if yr_process_get_first_memory_block returns, NULL, iterator->last_error is set to ERROR_COULD_NOT_READ_PROCESS_MEMORY.
Also allow a 64 bits integer as the argument to --skip-larger both in Linux and Windows.
… to NULL.

As @1ndahous3 highlighted in #1674, not setting the pointer to NULL leads to a dangling pointer.
The previous version enters an infinite loop when calling d2i_PKCS7 with PE file 11203b5a4f18f40a86d74738c31a59c4ec1e838c177a415c46a372da49d4a51a.
Regular expressions with a character class followed by a dash (-) failed with "bad character range". For example,  /[0-9]-2/ was not accepted as a valid regexp.
In ARM the pointer returned by yr_notebook_alloc was being rounded up to a 4-bytes boundary, but the size of the buffer was not increased accordingly. This means the caller of yr_notebook_alloc could receive a buffer that is 1 to 3 bytes smaller than the requested sized.
Fix memory leaks described in #1703.
* test: Relax pe32 condition in magic tests

Turns out different versions of libmagic return different file
identification for the PE32 sample in magic tests. Relax this condition
to the common part of the identification to make tests less reliant on
the testing platform.

* test: Relax macho condition in magic tests
* Fix issue #1708

* Add test case for #1708

Build a dotnet pe that triggers this issue:
https://github.com/dangodangodango/BadDotnetPe
* Fix null derefrences while loading compiled rules

* Fix nulldereference in yr_object_create

* Fix assert to explicitly catch null identifier in yr_object_create
* Fix compiler warnings with dex debug mode.

* Fix crashes in dex module.

This commit fixes a few crashes in the dex module. There are actually three of
them:

The first is incorrect usage of "struct_fits_in_dex" caused by passing
"sizeof(code_item_t)" instead of just "code_item_t" as the third argument. In
the test case the pointer for code_item started in the bounds of the dex but
only the first 8 bytes were within bounds, and since
"sizeof(sizeof(code_item_t))" is less than 8 the check was passing. The fix here
is to pass just the struct type as the third argument.

The second crash was an off-by-one error when parsing a string. The check
ensured the string fits in the dex but was not including an extra byte which was
copied in the call to set_sized_string. Just like before, this was a case of a
string falling right on the end of a dex file.

The third crash was due to a missing "struct_fits_in_dex" check. We ended up
with a pointer to a map_item_t which was off the ends of the dex bounds.

With this commit all the test cases provided in the report are now passing. I
did a quick sweep of the module to make sure there were no other cases where we
were incorrectly using "struct_fits_in_dex" and didn't find any.

These were all documented at a private report via huntr.dev
(https://huntr.dev/bounties/007a7784-c211-4847-9cc3-aec38e7d5157/)

Found by @sudhackar.

Fixes #1726.
* Fix negative indexing in dex module.

When attempting to call dex_get_integer() or dex_get_string() with a negative
index we would eventually land in the assert() at
https://github.com/VirusTotal/yara/blob/master/libyara/object.c#L497 failing.
Instead of doing that let's check for negative values before going any further,
which will at least allow the module to continue processing.

* YR_UNDEFINED is < 0 already. Simplify the logic when checking for negative index.

* Revert "YR_UNDEFINED is < 0 already. Simplify the logic when checking for negative index."

This reverts commit 38af38f.
@google-cla
Copy link

google-cla bot commented Aug 29, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@thomas000274 thomas000274 reopened this Aug 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants