Heap out of bounds read in yara_yyparse() #597

Closed
fumfel opened this issue Jan 23, 2017 · 2 comments

Comments


fumfel commented Jan 23, 2017

Heap out of bounds read in yara_yyparse()

Git HEAD: 5a8f180

To reproduce: yara yara_hoobr_yyparse_l833.yar strings

Payload

ASAN:

==16721==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000cff1 at pc 0x0000004251cf bp 0x7ffdd8257230 sp 0x7ffdd82569d8
READ of size 130 at 0x60d00000cff1 thread T0
    #0 0x4251ce in __interceptor_strlen /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:227:5
    #1 0x578166 in yara_yyparse XYZ/yara/libyara/grammar.y:833:13
    #2 0x50c590 in yr_lex_parse_rules_file XYZ/yara/libyara/lexer.l:822:3
    #3 0x4f094e in yr_compiler_add_file XYZ/yara/libyara/compiler.c:357:12
    #4 0x4ee094 in main XYZ/yara/yara.c:1124:17
    #5 0x7f6f1b58782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a408 in _start (/usr/local/bin/yara+0x41a408)

0x60d00000cff1 is located 0 bytes to the right of 129-byte region [0x60d00000cf70,0x60d00000cff1)
allocated by thread T0 here:
    #0 0x4b8c1c in malloc /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x5770ea in yara_yyparse XYZ/yara/libyara/grammar.y:808:36
    #2 0x50c590 in yr_lex_parse_rules_file XYZ/yara/libyara/lexer.l:822:3

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:227:5 in __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c1a7fff99a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff99e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
=>0x0c1a7fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
  0x0c1a7fff9a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16721==ABORTING
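The ASan report above shows strlen() reading 130 bytes from a 129-byte heap region, with the faulting address sitting 0 bytes past the end of the allocation: the classic signature of a buffer allocated to the exact length of its contents and never NUL-terminated. The C program below is an added illustration of that bug class and of the bounded check that catches it; it is not YARA's code and does not reconstruct what grammar.y lines 808 or 833 actually do. The 129-byte input is constructed here to match the region size in the report, and the function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Region size taken from the ASan report above (129-byte heap region). */
#define REGION_SIZE 129

/* Buggy pattern (assumed reconstruction of the bug class, not YARA's code):
 * the buffer is sized to the payload and filled without a terminating NUL,
 * so a later strlen() walks past the end of the region looking for one. */
char *copy_unterminated(const char *src, size_t len)
{
    char *buf = malloc(len);          /* no room reserved for '\0' */
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len);
    return buf;                       /* strlen(buf) would read out of bounds */
}

/* Hardened form: reserve one extra byte and always terminate. */
char *copy_terminated(const char *src, size_t len)
{
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

/* Bounded length: never trust a heap buffer to carry a terminator. Stops at
 * cap, so a missing NUL yields cap instead of an out-of-bounds read. */
size_t bounded_len(const char *buf, size_t cap)
{
    size_t i = 0;
    while (i < cap && buf[i] != '\0')
        i++;
    return i;
}

/* 1 if a NUL is found within cap bytes, 0 if the buffer is unterminated. */
int is_terminated(const char *buf, size_t cap)
{
    return bounded_len(buf, cap) < cap;
}

/* Builds a constructed 129-byte input with no NUL, copies it the buggy way
 * and measures it with the bounded check. Stays inside the region, so this
 * is safe to run; a result equal to REGION_SIZE means "no terminator". */
size_t demo_buggy_bounded_len(void)
{
    char src[REGION_SIZE];
    memset(src, 'A', sizeof src);
    char *buf = copy_unterminated(src, REGION_SIZE);
    if (buf == NULL)
        return 0;
    size_t n = bounded_len(buf, REGION_SIZE);
    free(buf);
    return n;
}

/* Same buggy copy, reporting whether the bounded check saw a terminator. */
int demo_buggy_is_terminated(void)
{
    char src[REGION_SIZE];
    memset(src, 'A', sizeof src);
    char *buf = copy_unterminated(src, REGION_SIZE);
    if (buf == NULL)
        return -1;
    int t = is_terminated(buf, REGION_SIZE);
    free(buf);
    return t;
}

/* Hardened copy: plain strlen() is now safe because buf[129] == '\0'. */
size_t demo_fixed_strlen(void)
{
    char src[REGION_SIZE];
    memset(src, 'A', sizeof src);
    char *buf = copy_terminated(src, REGION_SIZE);
    if (buf == NULL)
        return 0;
    size_t n = strlen(buf);
    free(buf);
    return n;
}

int main(void)
{
    printf("buggy copy: bounded length %zu, terminated=%d\n",
           demo_buggy_bounded_len(), demo_buggy_is_terminated());
    printf("fixed copy: strlen %zu\n", demo_fixed_strlen());
    return 0;
}
```

Under AddressSanitizer the only way to observe the original defect is to call strlen() on the unterminated buffer, which this example deliberately never does; the bounded check gives the same diagnostic (length == capacity, no terminator) without leaving the allocation, which is the check to add wherever parser code hands a freshly copied token to a C string function.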
plusvic added a commit that referenced this issue Jan 23, 2017

plusvic commented Jan 23, 2017

Fixed in ab906da

@plusvic plusvic closed this as completed Jan 23, 2017
hillu pushed a commit to hillu/yara that referenced this issue Mar 27, 2017
(cherry picked from commit ab906da)

fgeek commented Apr 4, 2017

CVE-2017-5923 has been assigned for this issue.

hillu pushed a commit to hillu/yara that referenced this issue Apr 9, 2017
(cherry picked from commit ab906da)
CaldurG pushed a commit to CaldurG/yara that referenced this issue Jul 14, 2017