You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is a lack of additional cleanup of an object if it was not fully constructed in yr_object_function_create() and is being destroyed by yr_object_destroy() in the FAIL_ON_ERROR_WITH_CLEANUP() macro:
But when we fail to create a return_obj, we do yr_object_destroy(o) as a cleanup action, which only affects the data of the o object, not the parent object.
In this case, the object_as_structure(parent)->members pointer is no longer valid.
We get several functions that can perform the UAF of this pointer in the same way:
if (strcmp(member->object->identifier, field_name) ==0)
returnmember->object;
member=member->next;
}
Detected by the Application Verifier (Windows) with the low resource simulation feature:
The fix could be to additionally check the object->parent field at the end of the object destruction in yr_object_destroy() and fix the fields according to the initialization of the parent yr_object_create():
void yr_object_destroy(YR_OBJECT* object)
{
YR_STRUCTURE_MEMBER* member;
YR_STRUCTURE_MEMBER* next_member;
YR_ARRAY_ITEMS* array_items;
YR_DICTIONARY_ITEMS* dict_items;
...
// start of new code
if (object->parent != NULL)
{
switch (object->parent->type)
{
case OBJECT_TYPE_STRUCTURE:
object_as_structure(object->parent)->members = NULL;
break;
case OBJECT_TYPE_ARRAY:
object_as_array(object->parent)->prototype_item = NULL;
break;
case OBJECT_TYPE_DICTIONARY:
object_as_dictionary(object->parent)->prototype_item = NULL;
break;
case OBJECT_TYPE_FUNCTION:
object_as_function(object->parent)->return_obj = NULL;
break;
}
}
// end of new code
yr_free((void*) object->identifier);
yr_free(object);
}
The text was updated successfully, but these errors were encountered:
There is a lack of additional cleanup of an object if it was not fully constructed in
yr_object_function_create()and is being destroyed byyr_object_destroy()in theFAIL_ON_ERROR_WITH_CLEANUP()macro:yara/libyara/object.c
Lines 217 to 224 in d7e8be3
There are 3 objects:
parent,oandreturn_obj, and when we successfully created theoobject, someparentfield became a reference too:yara/libyara/object.c
Lines 142 to 163 in d7e8be3
But when we fail to create a
return_obj, we doyr_object_destroy(o)as a cleanup action, which only affects the data of theoobject, not theparentobject.In this case, the
object_as_structure(parent)->memberspointer is no longer valid.We get several functions that can perform the UAF of this pointer in the same way:
yara/libyara/object.c
Lines 323 to 333 in d7e8be3
yara/libyara/object.c
Lines 393 to 401 in d7e8be3
Detected by the Application Verifier (Windows) with the low resource simulation feature:
The fix could be to additionally check the
object->parentfield at the end of the object destruction inyr_object_destroy()and fix the fields according to the initialization of the parentyr_object_create():The text was updated successfully, but these errors were encountered: