
Invalid memory access (potential information disclosure) in yr_arena_write_data() #678

Closed
fumfel opened this issue Jun 6, 2017 · 5 comments

Comments

@fumfel

fumfel commented Jun 6, 2017

Invalid memory access (potential information disclosure) in yr_arena_write_data()

Git HEAD: 11ffa88

Payload

To reproduce: yara yara_ir_yr_arena_write_data.yar /usr/bin/strings

ASAN:

==1708==ERROR: AddressSanitizer: unknown-crash on address 0x7f23216f5000 at pc 0x0000004a1817 bp 0x7ffc4c8386d0 sp 0x7ffc4c837e80
READ of size 3004 at 0x7f23216f5000 thread T0
    #0 0x4a1816 in __asan_memcpy /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x595781 in yr_arena_write_data XYZ/yara/libyara/arena.c:736:3
    #2 0x53b84a in _yr_scan_verify_chained_string_match XYZ/yara/libyara/scan.c:403:7
    #3 0x53d787 in _yr_scan_match_callback XYZ/yara/libyara/scan.c:474:14
    #4 0x5260ef in yr_re_fast_exec XYZ/yara/libyara/re.c:2253:11
    #5 0x53e2a0 in _yr_scan_verify_re_match XYZ/yara/libyara/scan.c:611:5
    #6 0x53f4a9 in yr_scan_verify_match XYZ/yara/libyara/scan.c:747:5
    #7 0x535e1d in _yr_rules_scan_mem_block XYZ/yara/libyara/rules.c:276:9
    #8 0x537634 in yr_rules_scan_mem_blocks XYZ/yara/libyara/rules.c:452:5
    #9 0x538a28 in yr_rules_scan_mem XYZ/yara/libyara/rules.c:586:10
    #10 0x538a28 in yr_rules_scan_file XYZ/yara/libyara/rules.c:610
    #11 0x4ee789 in main XYZ/yara/yara.c:1228:14
    #12 0x7f232029f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41a458 in _start (/usr/local/bin/yara+0x41a458)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0fe4e42d69b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e42d69f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe4e42d6a00:[fe]fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a10: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a20: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a30: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a40: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fe4e42d6a50: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1708==ABORTING
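For anyone triaging reports of this shape from a fuzzing run, the following is an added example (not part of this issue or of the YARA project) that parses an AddressSanitizer report into its error kind, access type and size, faulting address and stack frames, skips the sanitizer and libc frames to find the first frame in the code under test, and builds a deduplication signature from the top in-project frames. The sample report is a trimmed copy of the trace above, embedded as a constant; the function names (`parse_asan_report`, `first_project_frame`, `crash_signature`, `triage_hint`) and the runtime-frame heuristic are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the ASAN trace reported in this issue.
SAMPLE_REPORT = """\
==1708==ERROR: AddressSanitizer: unknown-crash on address 0x7f23216f5000 at pc 0x0000004a1817 bp 0x7ffc4c8386d0 sp 0x7ffc4c837e80
READ of size 3004 at 0x7f23216f5000 thread T0
    #0 0x4a1816 in __asan_memcpy /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3
    #1 0x595781 in yr_arena_write_data XYZ/yara/libyara/arena.c:736:3
    #2 0x53b84a in _yr_scan_verify_chained_string_match XYZ/yara/libyara/scan.c:403:7
    #3 0x53d787 in _yr_scan_match_callback XYZ/yara/libyara/scan.c:474:14
    #11 0x4ee789 in main XYZ/yara/yara.c:1228:14
    #12 0x7f232029f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x41a458 in _start (/usr/local/bin/yara+0x41a458)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /home/llvm/clang-3.9/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413:3 in __asan_memcpy
"""

HEADER_RE = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>\S+) on address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+) thread (?P<thread>T\d+)")
FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<func>\S+)\s+(?P<loc>.+?)\s*$")
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::(?P<col>\d+))?$")  # file:line[:col]


@dataclass
class Frame:
    index: int
    function: str
    file: str                     # source path, or "(module+offset)" when unsymbolized
    line: Optional[int] = None
    column: Optional[int] = None


@dataclass
class AsanReport:
    kind: str                     # e.g. "unknown-crash", "heap-buffer-overflow"
    address: int
    operation: Optional[str] = None   # "READ" or "WRITE"
    size: Optional[int] = None
    thread: Optional[str] = None
    wild_access: bool = False     # ASan could not attribute the address to any allocation
    frames: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Extract the error header, the access line and the first stack trace from an ASAN report."""
    report: Optional[AsanReport] = None
    in_trace = trace_done = False
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            m = HEADER_RE.match(line)
            if m:
                report = AsanReport(kind=m["kind"], address=int(m["addr"], 16))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.operation, report.size, report.thread = m["op"], int(m["size"]), m["thread"]
            continue
        m = FRAME_RE.match(line)
        if m and not trace_done:
            in_trace = True
            loc = LOC_RE.match(m["loc"])
            if loc:
                report.frames.append(Frame(int(m["idx"]), m["func"], loc["file"], int(loc["line"]),
                                           int(loc["col"]) if loc["col"] else None))
            else:
                report.frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
            continue
        if in_trace:
            trace_done = True     # only the faulting access trace matters for dedup
        if "wild memory access suspected" in line:
            report.wild_access = True
        if line.startswith("SUMMARY:"):
            break                 # the shadow-byte dump that follows carries nothing to extract
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def is_runtime_frame(f: Frame) -> bool:
    """Heuristic: sanitizer interceptors, libc and the process entry point are not the code under test."""
    return (f.function.startswith(("__asan_", "__interceptor_", "__sanitizer"))
            or f.function in ("_start", "__libc_start_main")
            or "compiler-rt" in f.file or "libc.so" in f.file)


def first_project_frame(report: AsanReport) -> Optional[Frame]:
    """The frame a developer should look at first: the top non-runtime frame of the access trace."""
    return next((f for f in report.frames if not is_runtime_frame(f)), None)


def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Bucket key for deduplicating fuzzer crashes: error kind, access type, top in-project frames."""
    project = [f.function for f in report.frames if not is_runtime_frame(f)][:depth]
    return "|".join([report.kind, report.operation or "?", ">".join(project)])


def triage_hint(report: AsanReport) -> str:
    """Coarse impact heuristic: an out-of-bounds READ can leak memory contents, a WRITE can corrupt them."""
    if report.operation == "WRITE":
        return "memory-corruption"
    if report.operation == "READ":
        return "information-disclosure-or-crash"
    return "unknown"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    top = first_project_frame(r)
    print(r.kind, r.operation, r.size, hex(r.address), "wild" if r.wild_access else "")
    print("first project frame:", top.function, f"{top.file}:{top.line}")
    print("signature:", crash_signature(r))
    print("hint:", triage_hint(r))
```

The signature deliberately excludes addresses and the faulting address, which vary between runs and builds, so that repeated hits of the same bug from a corpus collapse into one bucket; the `wild_access` flag is kept because ASan's "unknown-crash" with an unattributable address usually means the read started outside any tracked allocation, which is worth a closer look than an ordinary redzone hit.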
@plusvic
Member

plusvic commented Jun 6, 2017

I'm unable to reproduce this issue with the /usr/bin/strings I have. Can you send me the exact /usr/bin/strings you are using?

@plusvic
Member

plusvic commented Jun 6, 2017

Never mind, I've identified the problem.

plusvic added a commit that referenced this issue Jun 6, 2017
@plusvic
Member

plusvic commented Jun 6, 2017

@fumfel please check with the latest commit, which should solve this problem. By the way, you're doing a great job in fuzzing YARA; I would love to hear about your setup.

@fumfel
Author

fumfel commented Jun 7, 2017

@plusvic 1aaac7b is fine 👍

My setup is pretty simple:

  1. American Fuzzy Lop (with yara binary) or LLVM Libfuzzer (https://gist.github.com/fumfel/c8b3c7e5be700b2303d2e42d957c5990)
  2. Corpora from https://github.com/fumfel/yara-fuzzing-corpus

@plusvic
Member

plusvic commented Jun 7, 2017

Cool!

@plusvic plusvic closed this as completed Jun 7, 2017
plusvic added a commit that referenced this issue Jun 27, 2017
CaldurG pushed a commit to CaldurG/yara that referenced this issue Jul 14, 2017