heap-buffer-overflow in dex_parse in virustotal/yara

Valid

Reported on

Jun 11th 2022


Description

There exists a heap-based out-of-bounds read vulnerability in dex_parse; the faulting read is the map_item->type access in this call:

      set_integer(
          yr_le16toh(map_item->type),
          dex->object,
          "map_list.map_item[%i].type",
          i);
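The check the trace shows missing, as an added example in C that is not YARA's code: a map_list walk that validates the size field and each map_item before reading it, beside a function that computes where the unchecked walk would first read past the buffer. fits_in_buf, rd_le16/rd_le32 and the constructed 260-byte sample are assumptions standing in for YARA's own helpers and for the PoC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAP_ITEM_SIZE  12u   /* DEX map_item: u16 type, u16 unused, u32 size, u32 offset */
#define SAMPLE_LEN     260u  /* same length as the 260-byte region in the first ASan report */
#define SAMPLE_MAP_OFF 244u  /* where the constructed sample places header.map_off */

typedef struct { uint16_t type; uint32_t size, offset; } map_item_view;

/* Stand-in for a fits_in_dex()-style helper (assumed, not YARA's): is [off, off+n)
   inside a dex_len-byte buffer? Subtracting first keeps it overflow-safe for hostile off/n. */
static int fits_in_buf(size_t dex_len, size_t off, size_t n) { return off <= dex_len && n <= dex_len - off; }

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_le32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* The unchecked shape the trace reports: map_list.size is trusted and every
   map_item is read. Rather than dereference, return the index of the first item
   whose 2-byte `type` field would lie outside the buffer, or -1 if none would. */
long first_unsafe_item(size_t dex_len, uint32_t map_off, uint32_t count)
{
  for (uint32_t i = 0; i < count; i++) {
    size_t item_off = (size_t)map_off + 4 + (size_t)i * MAP_ITEM_SIZE;
    if (!fits_in_buf(dex_len, item_off, sizeof(uint16_t)))
      return (long)i;
  }
  return -1;
}

/* Hardened walk: check the size field, then each whole map_item, before reading it.
   Stops at the first item that does not fit and returns how many were parsed;
   -1 means even the size field is outside the buffer. */
long parse_map_list(const uint8_t *dex, size_t dex_len, uint32_t map_off,
                    map_item_view *out, size_t out_cap)
{
  if (!fits_in_buf(dex_len, map_off, sizeof(uint32_t)))
    return -1;
  uint32_t count = rd_le32(dex + map_off);
  size_t n = 0;
  for (uint32_t i = 0; i < count; i++) {
    size_t item_off = (size_t)map_off + 4 + (size_t)i * MAP_ITEM_SIZE;
    if (!fits_in_buf(dex_len, item_off, MAP_ITEM_SIZE))
      break;                              /* truncated list: stop, never read it */
    const uint8_t *item = dex + item_off;
    if (n < out_cap) {
      out[n].type   = rd_le16(item);
      out[n].size   = rd_le32(item + 4);
      out[n].offset = rd_le32(item + 8);
    }
    n++;
  }
  return (long)n;
}

/* Constructed sample, not a real DEX: 260 zero bytes whose map_list claims 2 items
   but has room for only 1, so item 1's `type` would start exactly at byte 260. */
size_t build_sample(uint8_t *buf, size_t cap)
{
  if (cap < SAMPLE_LEN) return 0;
  memset(buf, 0, SAMPLE_LEN);
  buf[SAMPLE_MAP_OFF]     = 2;     /* map_list.size = 2, little-endian */
  buf[SAMPLE_MAP_OFF + 4] = 0x01;  /* item 0: type = TYPE_STRING_ID_ITEM (0x0001) */
  return SAMPLE_LEN;
}
```

On the sample, the unchecked walk would fault on item 1 (its type field sits 0 bytes past the end, as in the first report), while the hardened walk parses item 0 and stops.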

Reproduction

Build the fuzz target with AddressSanitizer enabled (plus libFuzzer, optionally) and run the test case from here

$ git rev-parse HEAD
3484fcb60b746eace99999c1c9541a3bad46ad0a
$ export CFLAGS="-g -O0 -fsanitize=address,fuzzer"; export CXXFLAGS="-g -O0 -fsanitize=address,fuzzer"; export CC=$(which clang-10); export CXX=$(which clang++-10)
$ ./configure --enable-dex --without-crypto
$ make -j 8
$ clang++-10 -g -fsanitize=address,fuzzer -std=c++11 -I . -I libyara/include ./tests/oss-fuzz/dex_fuzzer.cc -o dexf ./libyara/.libs/libyara.a
$ ./dexf /tmp/0c34834e3bbbb5d51c50d690407bde56361615c6
INFO: Seed: 2959956394
INFO: Loaded 1 modules   (9 inline 8-bit counters): 9 [0x9af340, 0x9af349),
INFO: Loaded 1 PC tables (9 PCs): 9 [0x74ad18,0x74ada8),
./dexf: Running 1 inputs 1 time(s) each.
Running: /tmp/minout-3
=================================================================
==25296==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000744 at pc 0x00000062d83d bp 0x7ffe3b0a1a30 sp 0x7ffe3b0a1a28
READ of size 2 at 0x612000000744 thread T0
    #0 0x62d83c in dex_parse /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1127:7
    #1 0x632c0c in dex__load /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1483:7
    #2 0x56eb3e in yr_modules_load /home/sudhakar/fuzz/yara/libyara/modules.c:158:16
    #3 0x68a716 in yr_execute_code /home/sudhakar/fuzz/yara/libyara/exec.c:1735:16
    #4 0x57f27b in yr_scanner_scan_mem_blocks /home/sudhakar/fuzz/yara/libyara/scanner.c:515:3
    #5 0x580edb in yr_scanner_scan_mem /home/sudhakar/fuzz/yara/libyara/scanner.c:659:16
    #6 0x579c8f in yr_rules_scan_mem /home/sudhakar/fuzz/yara/libyara/rules.c:223:12
    #7 0x5507e8 in LLVMFuzzerTestOneInput /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:43:3
    #8 0x458821 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/sudhakar/fuzz/yara/dexf+0x458821)
    #9 0x443f92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/sudhakar/fuzz/yara/dexf+0x443f92)
    #10 0x449a46 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/sudhakar/fuzz/yara/dexf+0x449a46)
    #11 0x472702 in main (/home/sudhakar/fuzz/yara/dexf+0x472702)
    #12 0x7f1277222c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x41e659 in _start (/home/sudhakar/fuzz/yara/dexf+0x41e659)

0x612000000744 is located 0 bytes to the right of 260-byte region [0x612000000640,0x612000000744)
allocated by thread T0 here:
    #0 0x51e38d in malloc (/home/sudhakar/fuzz/yara/dexf+0x51e38d)
    #1 0x432a47 in operator new(unsigned long) (/home/sudhakar/fuzz/yara/dexf+0x432a47)
    #2 0x443f92 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/sudhakar/fuzz/yara/dexf+0x443f92)
    #3 0x449a46 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/sudhakar/fuzz/yara/dexf+0x449a46)
    #4 0x472702 in main (/home/sudhakar/fuzz/yara/dexf+0x472702)
    #5 0x7f1277222c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1127:7 in dex_parse
Shadow bytes around the buggy address:
  0x0c247fff8090: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff80b0: 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa
  0x0c247fff80c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff80e0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
  0x0c247fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==25296==ABORTING

This output is from a fuzzing session that included afl++ and libfuzzer working with a shared corpus. I'll have to work on the analysis, but seeing that it's only an out-of-bounds read, it doesn't feel worth it.

Impact

The impact is pretty low: this can only read out of the bounds of an array, so at most it could be used to leak some memory and then combined with another primitive to make it useful.

We are processing your report and will contact the virustotal/yara team within 24 hours. 2 months ago
Sudhakar Verma
2 months ago

Researcher


Additional crashes were observed with this trace - PoC here

$ ./dexf /tmp/d9533b9fe22625e6d3b67f5b9a20ef6979027b3d
=================================================================
==17743==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000214c at pc 0x000000498c47 bp 0x7ffdb8a53ab0 sp 0x7ffdb8a53278
READ of size 4 at 0x62500000214c thread T0
    #0 0x498c46 in __asan_memcpy (/home/sudhakar/fuzz/yara/dexf+0x498c46)
    #1 0x4e9d15 in yr_object_set_string /home/sudhakar/fuzz/yara/libyara/object.c:1047:5
    #2 0x55419f in dex_parse /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:969:5
    #3 0x559244 in dex__load /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1483:7
    #4 0x4e7299 in yr_modules_load /home/sudhakar/fuzz/yara/libyara/modules.c:158:16
    #5 0x58aba7 in yr_execute_code /home/sudhakar/fuzz/yara/libyara/exec.c:1735:16
    #6 0x4f4a47 in yr_scanner_scan_mem_blocks /home/sudhakar/fuzz/yara/libyara/scanner.c:515:3
    #7 0x4f5cf6 in yr_scanner_scan_mem /home/sudhakar/fuzz/yara/libyara/scanner.c:659:16
    #8 0x4f0793 in yr_rules_scan_mem /home/sudhakar/fuzz/yara/libyara/rules.c:223:12
    #9 0x4ce2e2 in LLVMFuzzerTestOneInput /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:44:3
    #10 0x4ce2e2 in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:89:5
    #11 0x7f373ad3ec86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #12 0x41d0d9 in _start (/home/sudhakar/fuzz/yara/dexf+0x41d0d9)

0x62500000214c is located 0 bytes to the right of 8268-byte region [0x625000000100,0x62500000214c)
allocated by thread T0 here:
    #0 0x49988d in malloc (/home/sudhakar/fuzz/yara/dexf+0x49988d)
    #1 0x4ce27a in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:77:23

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/sudhakar/fuzz/yara/dexf+0x498c46) in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c4a7fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8420: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa
  0x0c4a7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==17743==ABORTING
Sudhakar Verma
2 months ago

Researcher


Another crash with a related stack trace - PoC here

./dexf /tmp/38c970e5f3756125dc11a8f93b534a0844423e7c
=================================================================
==19372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000021f8 at pc 0x000000558a90 bp 0x7ffd73baf8b0 sp 0x7ffd73baf8a8
READ of size 4 at 0x6250000021f8 thread T0
    #0 0x558a8f in dex_parse /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1137:7
    #1 0x559244 in dex__load /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1483:7
    #2 0x4e7299 in yr_modules_load /home/sudhakar/fuzz/yara/libyara/modules.c:158:16
    #3 0x58aba7 in yr_execute_code /home/sudhakar/fuzz/yara/libyara/exec.c:1735:16
    #4 0x4f4a47 in yr_scanner_scan_mem_blocks /home/sudhakar/fuzz/yara/libyara/scanner.c:515:3
    #5 0x4f5cf6 in yr_scanner_scan_mem /home/sudhakar/fuzz/yara/libyara/scanner.c:659:16
    #6 0x4f0793 in yr_rules_scan_mem /home/sudhakar/fuzz/yara/libyara/rules.c:223:12
    #7 0x4ce2e2 in LLVMFuzzerTestOneInput /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:44:3
    #8 0x4ce2e2 in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:89:5
    #9 0x7fe17f84bc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41d0d9 in _start (/home/sudhakar/fuzz/yara/dexf+0x41d0d9)

0x6250000021f8 is located 0 bytes to the right of 8440-byte region [0x625000000100,0x6250000021f8)
allocated by thread T0 here:
    #0 0x49988d in malloc (/home/sudhakar/fuzz/yara/dexf+0x49988d)
    #1 0x4ce27a in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:77:23

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1137:7 in dex_parse
Shadow bytes around the buggy address:
  0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
  0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==19372==ABORTING
Sudhakar Verma
2 months ago

Researcher


Another crash with a related stack trace - PoC here

$ ./dexf /tmp/847b6cb07656cd1148f4064f3f52aed6d768c72e
=================================================================
==10504==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000021ff at pc 0x000000558aca bp 0x7ffea0a01d90 sp 0x7ffea0a01d88
READ of size 4 at 0x6250000021ff thread T0
    #0 0x558ac9 in dex_parse /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1142:7
    #1 0x559244 in dex__load /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1483:7
    #2 0x4e7299 in yr_modules_load /home/sudhakar/fuzz/yara/libyara/modules.c:158:16
    #3 0x58aba7 in yr_execute_code /home/sudhakar/fuzz/yara/libyara/exec.c:1735:16
    #4 0x4f4a47 in yr_scanner_scan_mem_blocks /home/sudhakar/fuzz/yara/libyara/scanner.c:515:3
    #5 0x4f5cf6 in yr_scanner_scan_mem /home/sudhakar/fuzz/yara/libyara/scanner.c:659:16
    #6 0x4f0793 in yr_rules_scan_mem /home/sudhakar/fuzz/yara/libyara/rules.c:223:12
    #7 0x4ce2e2 in LLVMFuzzerTestOneInput /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:44:3
    #8 0x4ce2e2 in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:89:5
    #9 0x7f39f51c0c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #10 0x41d0d9 in _start (/home/sudhakar/fuzz/yara/dexf+0x41d0d9)

0x6250000021ff is located 2 bytes to the right of 8445-byte region [0x625000000100,0x6250000021fd)
allocated by thread T0 here:
    #0 0x49988d in malloc (/home/sudhakar/fuzz/yara/dexf+0x49988d)
    #1 0x4ce27a in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:77:23

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1142:7 in dex_parse
Shadow bytes around the buggy address:
  0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[05]
  0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==10504==ABORTING
Sudhakar Verma
2 months ago

Researcher


Another crash with a slightly different stack trace - PoC here

$ ./dexf /tmp/f204974c3e80f015da7a3c4b4d123a654456c2db
=================================================================
==32175==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002200 at pc 0x000000553456 bp 0x7ffd2b14f3b0 sp 0x7ffd2b14f3a8
READ of size 4 at 0x625000002200 thread T0
    #0 0x553455 in load_encoded_method /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:870:7
    #1 0x5567db in dex_parse /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1335:20
    #2 0x559244 in dex__load /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:1483:7
    #3 0x4e7299 in yr_modules_load /home/sudhakar/fuzz/yara/libyara/modules.c:158:16
    #4 0x58aba7 in yr_execute_code /home/sudhakar/fuzz/yara/libyara/exec.c:1735:16
    #5 0x4f4a47 in yr_scanner_scan_mem_blocks /home/sudhakar/fuzz/yara/libyara/scanner.c:515:3
    #6 0x4f5cf6 in yr_scanner_scan_mem /home/sudhakar/fuzz/yara/libyara/scanner.c:659:16
    #7 0x4f0793 in yr_rules_scan_mem /home/sudhakar/fuzz/yara/libyara/rules.c:223:12
    #8 0x4ce2e2 in LLVMFuzzerTestOneInput /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:44:3
    #9 0x4ce2e2 in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:89:5
    #10 0x7f3f58929c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41d0d9 in _start (/home/sudhakar/fuzz/yara/dexf+0x41d0d9)

0x625000002200 is located 0 bytes to the right of 8448-byte region [0x625000000100,0x625000002200)
allocated by thread T0 here:
    #0 0x49988d in malloc (/home/sudhakar/fuzz/yara/dexf+0x49988d)
    #1 0x4ce27a in main /home/sudhakar/fuzz/yara/./tests/oss-fuzz/dex_fuzzer.cc:77:23

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sudhakar/fuzz/yara/libyara/modules/dex/dex.c:870:7 in load_encoded_method
Shadow bytes around the buggy address:
  0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8440:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==32175==ABORTING
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the virustotal/yara team and are waiting to hear back 2 months ago
virustotal/yara maintainer gave praise 2 months ago
We have received similar bug reports in the past (see: https://github.com/VirusTotal/yara/issues/950). The "dex" module is very immature and seems to have multiple issues like this one, and that's why we never included it in any official release; it is not included by default when you build YARA, and it is not mentioned in the documentation. I'm not sure what the future of this module is going to be; the original author is not contributing to it anymore, and I'm considering the complete removal of this module from the repository. So, for the time being I cannot commit to fixing this issue. However, I really appreciate your work and encourage you to keep looking for security issues in YARA, especially in the modules listed in https://yara.readthedocs.io/en/stable/modules.html.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Sudhakar Verma
2 months ago

Researcher


A fix is going in with this PR https://github.com/VirusTotal/yara/pull/1728

Sudhakar Verma
2 months ago

Researcher


The patch has gone in. @admin how to proceed here?

The commit message refers to this report

Jamie Slome
2 months ago

Admin


Please allow the maintainer some time to confirm the fix against the report 👍

virustotal/yara maintainer
2 months ago

Maintainer


We have committed a bug fix that should solve the reported issues. See:

https://github.com/VirusTotal/yara/commit/599481b9494ff9fa298ab26fa5e1cd50d70a871d

Could you confirm that the fixes work for you?

Sudhakar Verma
2 months ago

Researcher


I have built on the latest HEAD and I can't repro these above mentioned issues. So the fixes work! :thank_you:

Sudhakar Verma
2 months ago

Researcher


@admin Please don't open this bug for a while if possible?

Jamie Slome
2 months ago

Admin


It is up to the maintainer when they want to resolve the report 👍

We have sent a follow up to the virustotal/yara team. We will try again in 7 days. 2 months ago
virustotal/yara maintainer modified the Severity from Medium to Low 2 months ago
We have sent a second follow up to the virustotal/yara team. We will try again in 10 days. 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
virustotal/yara maintainer validated this vulnerability a month ago
Sudhakar Verma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
virustotal/yara maintainer confirmed that a fix has been merged on 599481 a month ago
The fix bounty has been dropped