melina-delgado changed the title from "Segfault caused when Java classfiles are scanned as Mach-O files in Yara 4.0.2" to "Segfault caused when Java classfiles are scanned as Mach-O files in Yara 4.0.1 and 4.0.2" on Jul 2, 2020
Yara version: 4.0.2, 4.0.1
Hello everyone,
A neat thing I recently learned is that Java classfiles have the same file magic as Mach-O Fat binaries. This means that the Yara macho module will try to parse Java classfiles as Mach-O files. This is the culprit line https://github.com/VirusTotal/yara/blob/master/libyara/modules/macho/macho.c#L1349
The following I have found just by stepping through gdb.
For most class files, when we enter the `macho_parse_fat_file` function, we do not enter the `macho_parse_file` function here: https://github.com/VirusTotal/yara/blob/master/libyara/modules/macho/macho.c#L701

However, for a few, we do. This is because we do not enter this line: https://github.com/VirusTotal/yara/blob/master/libyara/modules/macho/macho.c#L694. So, it enters the `macho_parse_file` function and we hit a segfault in line 555 of `macho.c`. I see that the reserved variable doesn't seem to be used so there might be some other bugs in the macho.c file.

I have attached a sample rule and sample Java classfile in a zipfile that replicates the issue.
yara_402_bug_zip.zip
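
Added example, not part of the original issue and not YARA's code: a stand-alone check that separates a Java class file from a fat Mach-O header sharing the `0xCAFEBABE` magic, and bounds-checks every `fat_arch` slice before a per-architecture parser would see it. The names `classify_cafebabe` and `cafebabe_kind`, and the `MAX_FAT_ARCHS` cut-off of 30, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#define CAFEBABE 0xCAFEBABEu /* fat Mach-O magic and Java class magic */
#define FAT_ARCH_SIZE 20u    /* cputype, cpusubtype, offset, size, align */
#define MAX_FAT_ARCHS 30u    /* assumed cut-off; Java major versions start at 45 */

enum cafebabe_kind { KIND_OTHER, KIND_JAVA_CLASS, KIND_FAT_MACHO, KIND_MALFORMED };

/* Read a big-endian 32-bit value; the caller guarantees 4 readable bytes. */
static uint32_t be32(const uint8_t *p)
{
  return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
         ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Decide what a 0xCAFEBABE buffer is before any Mach-O parsing touches it. */
enum cafebabe_kind classify_cafebabe(const uint8_t *buf, size_t len)
{
  if (buf == NULL || len < 8 || be32(buf) != CAFEBABE)
    return KIND_OTHER;

  /* Fat header: nfat_arch. Class file: minor_version then major_version. */
  uint32_t n = be32(buf + 4);
  if (n == 0 || n > MAX_FAT_ARCHS)
    return (n & 0xFFFFu) >= 45 ? KIND_JAVA_CLASS : KIND_MALFORMED;

  /* The whole fat_arch table must fit inside the buffer. */
  if ((size_t) n * FAT_ARCH_SIZE > len - 8)
    return KIND_MALFORMED;
  for (uint32_t i = 0; i < n; i++)
  {
    const uint8_t *arch = buf + 8 + (size_t) i * FAT_ARCH_SIZE;
    uint64_t offset = be32(arch + 8), size = be32(arch + 12);
    /* 64-bit sum cannot wrap; a slice needs room for its own 4-byte magic. */
    if (size < 4 || offset + size > len)
      return KIND_MALFORMED;
  }
  return KIND_FAT_MACHO;
}

/* Constructed samples: a Java 8 class header and a one-slice fat header. */
int main(void)
{
  const uint8_t java[] = {0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 0x34, 0, 0x10};
  const uint8_t fat[32] = {0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 1, [19] = 28, [23] = 4};
  return !(classify_cafebabe(java, sizeof java) == KIND_JAVA_CLASS &&
           classify_cafebabe(fat, sizeof fat) == KIND_FAT_MACHO);
}
```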