Refuse to map procfs files on Linux #1848
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It makes no sense to try to mmap files for which the filesystem lies about the size (0). Clsoe VirusTotal#1838
hillu
force-pushed
the
dont-scan-proc
branch
from
186ebb5
to
fb9ee2e
Compare
plusvic
approved these changes
Jan 2, 2023
fengjixuchui
added a commit
to fengjixuchui/yara
that referenced
this pull request
Jan 2, 2023
Refuse to map procfs files on Linux (VirusTotal#1848)
|
A dependency to libmagick, linux/magic.h complicates cross compilation. @hillu how did you fix this for your own projects? |
No, "magic" in this case refers to filesystem magic numbers reported by --- a/libyara/filemap.c
+++ b/libyara/filemap.c
@@ -159,7 +159,7 @@ YR_API int yr_filemap_map_fd(
#ifdef __linux__
#include <sys/vfs.h>
-#include <linux/magic.h>
+#define PROC_SUPER_MAGIC 0x9fa0
#endif
#define MAP_EXTRA_FLAGS 0 |
|
Thanks a lot Hillu! Somehow the Go linker keeps adding -lmagic to my build which I assumed was related to the above but I should continue my search. Anyhow, thanks for the patch! |
|
Thanks @plusvic. To clarify, there were two issues:
(We use https://github.com/hillu/go-yara v4.3 and we incorrectly assumed we had to use a corresponding yara version) |
hillu
added a commit
to hillu/yara
that referenced
this pull request
Sep 5, 2024
PR VirusTotal#1848 caused build issues with some "unusual" build configurations – apparently we can't rely on linux/magic.h being present when cross-building for musl libc. Defining PROC_SUPER_MAGIC should not cause a problems since it should be considered part of the Linux kernel/user API and it is unlikely to change.
hillu
added a commit
to hillu/yara
that referenced
this pull request
Sep 5, 2024
PR VirusTotal#1848 caused build issues with some "unusual" build configurations – apparently we can't rely on linux/magic.h being present when cross-building for musl libc. Defining PROC_SUPER_MAGIC should not cause a problems since it should be considered part of the Linux kernel/user API and it is unlikely to change.
plusvic
pushed a commit
that referenced
this pull request
Sep 5, 2024
PR #1848 caused build issues with some "unusual" build configurations – apparently we can't rely on linux/magic.h being present when cross-building for musl libc. Defining PROC_SUPER_MAGIC should not cause a problems since it should be considered part of the Linux kernel/user API and it is unlikely to change.
DavidTurland
pushed a commit
to DavidTurland/yara
that referenced
this pull request
Sep 9, 2024
PR VirusTotal#1848 caused build issues with some "unusual" build configurations – apparently we can't rely on linux/magic.h being present when cross-building for musl libc. Defining PROC_SUPER_MAGIC should not cause a problems since it should be considered part of the Linux kernel/user API and it is unlikely to change.
DavidTurland
added a commit
to DavidTurland/yara
that referenced
this pull request
Sep 9, 2024
* Fix crash while parsing PE Rich header File e77b007c9a964411c5e33afeec18be32c86963b78f3c3e906b28fcf1382f46c3 has a Rich header of only 8 bytes, which is smaller than the RICH_SIGNATURE structure. This was causing a crash when some of the `rich_xxx` functions were used with this file. * Fix warning `_rich_version` in PE module should return an `int64_t` instead of `uint64_t`. * Use YR_MAX_PATH instead of MAX_PATH (VirusTotal#2090) Replace all instances of `MAX_PATH` with `YR_MAX_PATH`. * Adding Veeam (VirusTotal#2083) Adding Veeam to list of companies that use YARA. * Add Cado to who is using Yara (VirusTotal#2086) * Mitigate stack overflow when scanning very deep directory trees. Closes VirusTotal#2088. * Remove all references to ERROR_TOO_MANY_SCAN_THREADS This error code is not used anymore. Closes VirusTotal#2068. * Use latest MacOS in build workflow. * Use MacOS 13 in build workflow. For some reason in MacOS 14 the build fails because the `configure` script is unable to find the Jansson library, even thought it is correctly installed by `brew`. * docs: minor updates to xor (VirusTotal#2098) * use new module macros in docs (VirusTotal#2100) Co-authored-by: Tad Keller <logisch@pm.me> * filemap: define PROC_SUPER_MAGIC, avoid linux/magic.h (VirusTotal#2103) PR VirusTotal#1848 caused build issues with some "unusual" build configurations – apparently we can't rely on linux/magic.h being present when cross-building for musl libc. Defining PROC_SUPER_MAGIC should not cause a problems since it should be considered part of the Linux kernel/user API and it is unlikely to change. --------- Co-authored-by: Victor M. Alvarez <vmalvarez@virustotal.com> Co-authored-by: Chris Arceneaux <carcenea@gmail.com> Co-authored-by: chrisdoman <chris.doman@cantab.net> Co-authored-by: Wes <5124946+wesinator@users.noreply.github.com> Co-authored-by: Tad Keller <43346260+GLMONTER@users.noreply.github.com> Co-authored-by: Tad Keller <logisch@pm.me> Co-authored-by: Hilko Bengen <bengen@hilluzination.de>
DavidTurland
added a commit
to DavidTurland/yara
that referenced
this pull request
Sep 9, 2024
* Fix crash while parsing PE Rich header File e77b007c9a964411c5e33afeec18be32c86963b78f3c3e906b28fcf1382f46c3 has a Rich header of only 8 bytes, which is smaller than the RICH_SIGNATURE structure. This was causing a crash when some of the `rich_xxx` functions were used with this file. * Fix warning `_rich_version` in PE module should return an `int64_t` instead of `uint64_t`. * Use YR_MAX_PATH instead of MAX_PATH (VirusTotal#2090) Replace all instances of `MAX_PATH` with `YR_MAX_PATH`. * Adding Veeam (VirusTotal#2083) Adding Veeam to list of companies that use YARA. * Add Cado to who is using Yara (VirusTotal#2086) * Mitigate stack overflow when scanning very deep directory trees. Closes VirusTotal#2088. * Remove all references to ERROR_TOO_MANY_SCAN_THREADS This error code is not used anymore. Closes VirusTotal#2068. * Use latest MacOS in build workflow. * Use MacOS 13 in build workflow. For some reason in MacOS 14 the build fails because the `configure` script is unable to find the Jansson library, even thought it is correctly installed by `brew`. * docs: minor updates to xor (VirusTotal#2098) * use new module macros in docs (VirusTotal#2100) Co-authored-by: Tad Keller <logisch@pm.me> * filemap: define PROC_SUPER_MAGIC, avoid linux/magic.h (VirusTotal#2103) PR VirusTotal#1848 caused build issues with some "unusual" build configurations – apparently we can't rely on linux/magic.h being present when cross-building for musl libc. Defining PROC_SUPER_MAGIC should not cause a problems since it should be considered part of the Linux kernel/user API and it is unlikely to change. --------- Co-authored-by: Victor M. Alvarez <vmalvarez@virustotal.com> Co-authored-by: Chris Arceneaux <carcenea@gmail.com> Co-authored-by: chrisdoman <chris.doman@cantab.net> Co-authored-by: Wes <5124946+wesinator@users.noreply.github.com> Co-authored-by: Tad Keller <43346260+GLMONTER@users.noreply.github.com> Co-authored-by: Tad Keller <logisch@pm.me> Co-authored-by: Hilko Bengen <bengen@hilluzination.de>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It makes no sense to try to mmap files for which the filesystem lies about the size (0).
Clsoe #1838
(It may make sense to consider other pseudo filesystems on Linux and other Unices as well.)