Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alignment in 32-bits. Again #2070

Open
detrio333 opened this issue Apr 27, 2024 · 0 comments
Open

Alignment in 32-bits. Again #2070

detrio333 opened this issue Apr 27, 2024 · 0 comments
Labels
bug

Comments

@detrio333
Copy link

I faced problem which solved in 9c26038
Yara rules compiled by yara64.exe don't work with yara32.exe.
I saw the problem was solved by addition field 'uint32_t unused;', but I think it is non-persistent soltuion. Adding one more uint32_t raise the probem again

To Reproduce

  1. simple rule. file rules.yara
import "string"

rule StringLength
{
    condition:
        string.length("123") == 3
}
  1. yarac64.exe "D:\rules.yara" d:\rules.yarac
  2. 64 bit version run ok
yara64.exe -C "D:\rules.yarac" "D:\1.txt"
StringLength D:\1.txt
  1. 32 bit version don't work
yara32.exe -C "D:\rules.yarac" "D:\1.txt"

I obtain in debug mode rule_table is collapsed
image
5) Ubuntu compiled version run as expected for 32 and 64 bit both

Please complete the following information:

  • OS: Win10, Ubuntu 22.04
  • YARA version: 4.5.0 release

Additional context
I can see problem with aligment in macro

#define DECLARE_REFERENCE(type, name) \
  union                               \
  {                                   \
    type name;                        \
    YR_ARENA_REF name##_;             \
  } YR_ALIGN(8)

when

#if defined(__GNUC__)
#define YR_ALIGN(n) __attribute__((aligned(n)))
#elif defined(_MSC_VER)
#define YR_ALIGN(n) __declspec(align(n))
#else
#define YR_ALIGN(n)
#endif

According microsoft documentaion https://learn.microsoft.com/en-us/cpp/cpp/align-cpp?view=msvc-170 aling command must go before struct or union declarion. For gcc __attribute__((aligned(n))) can be wriiten before and after both.

Using YR_ALIGN everywhere except DECLARE_REFERENCE is before struct, union. For example

struct YR_EXTERNAL_VARIABLE
{
  int32_t type;

  YR_ALIGN(8) union
  {
    int64_t i;
    double f;
    char* s;
  } value;

  DECLARE_REFERENCE(const char*, identifier);
};

It work nice.
I think there were no problems before because YR_RULE contained 2 int32_t field. Adding uint32_t required_strings caues misalining in rule loading. 'uint32_t unused;' is non-persistent soltuion, because another new field also break the loading. I suggest to move YR_ALIGN(8) to try avoid same problem in future

#define DECLARE_REFERENCE(type, name) \
  YR_ALIGN(8) union                   \
  {                                   \
    type name;                        \
    YR_ARENA_REF name##_;             \
  }
@detrio333 detrio333 added the bug label Apr 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@detrio333