Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid memory access (potential information disclosure) in yr_arena_write_data() #678

Closed
fumfel opened this issue Jun 6, 2017 · 5 comments

Comments

Projects
None yet
2 participants
@fumfel
Copy link

commented Jun 6, 2017

Invalid memory access (potential information disclosure) in yr_arena_write_data()

Git HEAD: 11ffa88

Payload

To reproduce: yara yara_ir_yr_arena_write_data.yar /usr/bin/strings

ASAN:

==1708==ERROR: AddressSanitizer: unknown-crash on address 0x7f23216f5000 at pc 0x0000004a1817 bp 0x7ffc4c8386d0 sp 0x7ffc4c837e80
READ of size 3004 at 0x7f23216f5000 thread T0
    #0 0x4a1816 in __asan_memcpy /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x595781 in yr_arena_write_data XYZ/yara/libyara/arena.c:736:3
    #2 0x53b84a in _yr_scan_verify_chained_string_match XYZ/yara/libyara/scan.c:403:7
    #3 0x53d787 in _yr_scan_match_callback XYZ/yara/libyara/scan.c:474:14
    #4 0x5260ef in yr_re_fast_exec XYZ/yara/libyara/re.c:2253:11
    #5 0x53e2a0 in _yr_scan_verify_re_match XYZ/yara/libyara/scan.c:611:5
    #6 0x53f4a9 in yr_scan_verify_match XYZ/yara/libyara/scan.c:747:5
    #7 0x535e1d in _yr_rules_scan_mem_block XYZ/yara/libyara/rules.c:276:9
    #8 0x537634 in yr_rules_scan_mem_blocks XYZ/yara/libyara/rules.c:452:5
    #9 0x538a28 in yr_rules_scan_mem XYZ/yara/libyara/rules.c:586:10
    #10 0x538a28 in yr_rules_scan_file XYZ/yara/libyara/rules.c:610
    #11 0x4ee789 in main XYZ/yara/yara.c:1228:14
    #12 0x7f232029f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41a458 in _start (/usr/local/bin/yara+0x41a458)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe4e42d69b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe4e42d6a00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1708==ABORTING
@plusvic

This comment has been minimized.

Copy link
Collaborator

commented Jun 6, 2017

I'm unable to reproduce this issue with the /usr/bin/strings I have. Can you send me the exact /usr/bin/strings you are using?

@plusvic

This comment has been minimized.

Copy link
Collaborator

commented Jun 6, 2017

Never mind, I've identified the problem.

plusvic added a commit that referenced this issue Jun 6, 2017

@plusvic

This comment has been minimized.

Copy link
Collaborator

commented Jun 6, 2017

@fumfel please check with the latest commit, which should solve this problem. By the way you're doing a great job in fuzzing YARA, I would love to hear about your setup.

@fumfel

This comment has been minimized.

Copy link
Author

commented Jun 7, 2017

@plusvic 1aaac7b is fine 👍

My setup is pretty simple:

  1. American Fuzzy Lop (with yara binary) or LLVM Libfuzzer (https://gist.github.com/fumfel/c8b3c7e5be700b2303d2e42d957c5990)
  2. Corpora from https://github.com/fumfel/yara-fuzzing-corpus
@plusvic

This comment has been minimized.

Copy link
Collaborator

commented Jun 7, 2017

Cool!

@plusvic plusvic closed this Jun 7, 2017

plusvic added a commit that referenced this issue Jun 27, 2017

CaldurG pushed a commit to CaldurG/yara that referenced this issue Jul 14, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.