Null Pointer Dereference in yy_get_next_buffer() #576

Closed
fumfel opened this issue Dec 6, 2016 · 7 comments
fumfel commented Dec 6, 2016

Null Pointer Dereference in yy_get_next_buffer()

Tested on latest Git HEAD: 779b9a7

Payload

To reproduce: yara yara_null_ptr.yar strings

ASAN output:

==10216==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7f083c71ba bp 0x000000000001 sp 0x7ffe9eece890 T0)
==10216==The signal is caused by a READ memory access.
==10216==Hint: address points to the zero page.
    #0 0x7f7f083c71b9 in fread (/lib/x86_64-linux-gnu/libc.so.6+0x6e1b9)
    #1 0x52b81f in yy_get_next_buffer XYZ/yara/libyara/re_lexer.c:1573:3
    #2 0x5242e0 in re_yylex XYZ/yara/libyara/re_lexer.c:1413:17
    #3 0x5af3ce in re_yyparse XYZ/yara/libyara/re_grammar.c:1252:16
    #4 0x531215 in yr_parse_re_string XYZ/yara/libyara/re_lexer.l:610:3
    #5 0x5a996a in yr_parser_reduce_string_declaration XYZ/yara/libyara/parser.c:519:31
    #6 0x575db9 in yara_yyparse XYZ/yara/libyara/grammar.y:529:26
    #7 0x50c3d0 in yr_lex_parse_rules_file XYZ/yara/libyara/lexer.l:815:3
    #8 0x4f097e in yr_compiler_add_file XYZ/yara/libyara/compiler.c:357:12
    #9 0x4ee0c4 in main XYZ/yara/yara.c:1124:17
    #10 0x7f7f0837982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x41a408 in _start (/usr/local/bin/yara+0x41a408)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x6e1b9) in fread
==10216==ABORTING
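Added example (not code from this issue, nor from the yara repository): a small C model of how a flex-generated lexer that is scanning a string buffer can end up in fread() with a NULL yyin, which is the shape of the trace above (fread reached from yy_get_next_buffer under re_yylex, with the faulting address in the zero page). The mechanism modelled is my reading of the flex skeleton, not something the issue states: input() called at the end of a yy_scan_string() buffer in a %option noyywrap scanner returns EOF but also restarts the buffer on yyin, so a second input() at end of buffer takes the refill path and calls fread(yyin). Everything below is constructed for the example: the struct, the readers read_hex_escape_unchecked / read_hex_escape_checked, the scan_escape driver and the sample inputs; the real fread(NULL) is replaced by a counter so the model runs without crashing. The input "x" corresponds to the /\x/ regexp plusvic mentions later in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { EOB_ACT_END_OF_FILE = 1, EOB_ACT_LAST_MATCH = 2 };   /* flex return codes */

struct lexer {              /* constructed, simplified model of flex's buffer state */
    const char *buf;        /* text handed to yy_scan_string() */
    size_t pos, len;
    int yy_fill_buffer;     /* 0 for a string buffer; 1 once yyrestart() ran */
    FILE *yyin;             /* no file is ever attached, so this stays NULL */
    int null_stream_reads;  /* would-be fread(..., yyin) calls with yyin == NULL */
};

static void lexer_scan_string(struct lexer *lx, const char *s)
{
    memset(lx, 0, sizeof *lx);      /* yyin = NULL, yy_fill_buffer = 0 */
    lx->buf = s;
    lx->len = strlen(s);
}

/* yy_get_next_buffer(): a string buffer is never refilled, but once yy_fill_buffer
 * is set the skeleton refills with fread(buf, 1, n, yyin); counted here, not run. */
static int yy_get_next_buffer(struct lexer *lx)
{
    if (lx->yy_fill_buffer == 0)
        return EOB_ACT_LAST_MATCH;
    if (lx->yyin == NULL)
        lx->null_stream_reads++;    /* the real code would SEGV inside fread() */
    return EOB_ACT_END_OF_FILE;
}

/* input(): one character, or EOF at end of buffer. On EOB_ACT_LAST_MATCH the
 * skeleton calls yyrestart(yyin) first, which arms the fread() path for the next call. */
static int lexer_input(struct lexer *lx)
{
    if (lx->pos < lx->len)
        return (unsigned char)lx->buf[lx->pos++];
    if (yy_get_next_buffer(lx) == EOB_ACT_LAST_MATCH)
        lx->yy_fill_buffer = 1;     /* yyrestart(yyin): buffer is now refillable */
    return EOF;                     /* %option noyywrap: yywrap() is 1, so EOF */
}

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Vulnerable shape: read both digits of "\xHH" back to back and validate after.
 * On "\x" at end of buffer the first input() returns EOF and restarts the
 * buffer; the second input() then reaches fread(NULL). */
static int read_hex_escape_unchecked(struct lexer *lx, unsigned char *out)
{
    int hi = lexer_input(lx);
    int lo = lexer_input(lx);
    if (hi == EOF || lo == EOF || !isxdigit(hi) || !isxdigit(lo))
        return 0;
    *out = (unsigned char)((hexval(hi) << 4) | hexval(lo));
    return 1;
}

/* Hardened shape: check each input() result before reading again. */
static int read_hex_escape_checked(struct lexer *lx, unsigned char *out)
{
    int hi = lexer_input(lx);
    if (hi == EOF || !isxdigit(hi))
        return 0;
    int lo = lexer_input(lx);
    if (lo == EOF || !isxdigit(lo))
        return 0;
    *out = (unsigned char)((hexval(hi) << 4) | hexval(lo));
    return 1;
}

struct scan_result {
    int ok;                 /* 1 if a complete escape was decoded */
    unsigned char value;    /* decoded byte when ok */
    int null_stream_reads;  /* times the model would have called fread(NULL) */
};

/* Constructed driver: scan what follows a backslash in a regexp body. */
static struct scan_result scan_escape(const char *after_backslash, int hardened)
{
    struct lexer lx;
    struct scan_result r = {0, 0, 0};
    lexer_scan_string(&lx, after_backslash);
    int c = lexer_input(&lx);
    if (c == 'x')
        r.ok = hardened ? read_hex_escape_checked(&lx, &r.value)
                        : read_hex_escape_unchecked(&lx, &r.value);
    else if (c != EOF) {
        r.value = (unsigned char)c;     /* single-character escape such as "\." */
        r.ok = 1;
    }
    r.null_stream_reads = lx.null_stream_reads;
    return r;
}

int main(void)
{
    const char *samples[] = {"x41", "x4", "x", ".", ""};   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct scan_result u = scan_escape(samples[i], 0), h = scan_escape(samples[i], 1);
        printf("\\%-3s unchecked: ok=%d fread(NULL)=%d | checked: ok=%d fread(NULL)=%d\n",
               samples[i], u.ok, u.null_stream_reads, h.ok, h.null_stream_reads);
    }
    return 0;
}
```

Two things the model makes visible: only the unchecked reader on "x" ever reaches the counted fread(NULL) path, and even the checked reader leaves the buffer restarted after its first EOF, so its error return has to stop the scan; a lexer that reports the error and keeps tokenizing the same buffer would take the refill path one call later. The practical check for a hand-written escape rule is therefore: treat the first EOF from input() as terminal, and make sure the parser aborts on that error.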
plusvic added a commit that referenced this issue Jan 4, 2017

plusvic commented Jan 4, 2017

Fixed in eb491e0

plusvic closed this as completed Jan 4, 2017

fumfel commented Jan 5, 2017

Still exists in 890c3f8

Payload


plusvic commented Jan 5, 2017

Mmmm, if the regexp is /\x/ it detects the end of the buffer and returns:

invalid regular expression "$": unexpected end of buffer 

Are you getting a SEGV with the change in eb491e0?


fumfel commented Jan 8, 2017

Yup - with and without ASAN.

Here's my config:
Ubuntu 16.04 x64
CC: Clang 3.9 & gcc version 5.4.0 (tested on both)


plusvic commented Jan 9, 2017

Can you send a stack trace? I'm trying to reproduce the issue to no avail.


hillu commented Jan 9, 2017 via email

hillu pushed a commit to hillu/yara that referenced this issue Mar 27, 2017
(cherry picked from commit eb491e0)

fgeek commented Apr 4, 2017

CVE-2016-10210 has been assigned for this issue.

hillu pushed a commit to hillu/yara that referenced this issue Apr 9, 2017
(cherry picked from commit eb491e0)
CaldurG pushed a commit to CaldurG/yara that referenced this issue Jul 14, 2017