Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

yr_scanner_scan_file Using mmap is a dangerous operation #119

Open
pandaWall opened this issue May 24, 2023 · 9 comments
Open

yr_scanner_scan_file Using mmap is a dangerous operation #119

pandaWall opened this issue May 24, 2023 · 9 comments

Comments

@pandaWall
Copy link

When yara maps a file of size using mmap, SIGBUS is triggered when the file size is cleared to zero before yr_scanner_scan_mem is called.
So is there any solution other than to read files into memory in advance。
@hillu
Copy link
Owner

hillu commented May 27, 2023

YARA itself tries to catch that signal unless explicitly instructed otherwise, so you should just see a failed scan. See the YR_TRYCATCH macro in exception.h for details.
Does your Go program panic after getting that SIGBUS signal?

@hillu
Copy link
Owner

hillu commented Jun 7, 2023

@pandaWall ping?

1 similar comment
@hillu
Copy link
Owner

hillu commented Jun 26, 2023

@pandaWall ping?

@hillu hillu mentioned this issue Jun 28, 2023
Merged
@pandaWall
Copy link
Author

Sorry to see your reply just now, I saw that the source code supports the YR_TRYCATCH macro definition, which only captures the signal when SIGBUS is triggered to ensure that the program will not crash. However, I hope that the library can change the calling method of mmap and add an interface to read a certain length of buffer for detection by means of read.

@pandaWall
Copy link
Author

pandaWall commented Jul 7, 2023
edited
Loading

Sorry to see your reply just now, I saw that the source code supports the YR_TRYCATCH macro definition, which only captures the signal when SIGBUS is triggered to ensure that the program will not crash. However, I hope that the library can change the calling method of mmap and add an interface to read a certain length of buffer for detection by means of read.

@hillu Looking forward to your reply

@hillu
Copy link
Owner

hillu commented Jul 7, 2023

@pandaWall The YR_TRYCATCH macro is used within libyara unless the SCAN_FLAGS_NO_TRYCATCH flag has been passed to any of the yr_scan_*. After learning ((#124) that catching signals may interefere with the Go runtime, I'm inclined to add that flag to all thee Scan* functions.

I'm afraid that we can't call mmap in specific ways to avoid SIGBUS being raised.

@pandaWall
Copy link
Author

@hillu Thank you for your reply, my friend。So it looks like that, but what I'm doing is I'm reading a piece of content and I'm using scan_mem to detect it.

@hillu
Copy link
Owner

hillu commented Jul 17, 2023

At this point, a minimal reproducer would be useful, I think.

@plusvic
Copy link
Contributor

plusvic commented Nov 29, 2023

This issue is related to #137

That PR addresses the issue of YARA's signal handler interfering with Golang's runtime, at least for the ScanMem function which doesn't actually needs the handler at all.

For the ScanFile function things get more complicated because it relies on memory-mapped files as already discussed. I need to investigate further and check if

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hillu @plusvic @pandaWall