[Forensics-changes] [yara] 103/368: Fix multiple integer overflow bugs reported by @_icewall
Hilko Bengen
bengen at moszumanska.debian.org
Sat Jul 1 10:30:17 UTC 2017
This is an automated email from the git hooks/post-receive script.
bengen pushed a commit to annotated tag v3.5.0
in repository yara.
commit 5d6d8b1e9f3b4fc2b51857366048a7e9f8bd3708
Author: Victor M. Alvarez <plusvic at gmail.com>
Date: Fri Oct 30 19:23:40 2015 +0100
Fix multiple integer overflow bugs reported by @_icewall
---
libyara/include/yara/elf.h | 10 +++++++---
libyara/modules/elf.c | 15 ++++++++++-----
libyara/modules/pe.c | 24 +++++++++++++++---------
3 files changed, 32 insertions(+), 17 deletions(-)
diff --git a/libyara/include/yara/elf.h b/libyara/include/yara/elf.h
index 78d063b..2d6181a 100644
--- a/libyara/include/yara/elf.h
+++ b/libyara/include/yara/elf.h
@@ -87,21 +87,25 @@ typedef uint64_t elf64_xword_t;
#define ELF_SHF_ALLOC 0x2 // Section is present during execution
#define ELF_SHF_EXECINSTR 0x4 // Section contains executable instructions
+#define ELF_SHN_LORESERVE 0xFF00
+
#define ELF_PT_NULL 0 // The array element is unused
-#define ELF_PT_LOAD 1 // Loadable segment
+#define ELF_PT_LOAD 1 // Loadable segment
#define ELF_PT_DYNAMIC 2 // Segment contains dynamic linking info
#define ELF_PT_INTERP 3 // Contains interpreter pathname
#define ELF_PT_NOTE 4 // Location & size of auxiliary info
#define ELF_PT_SHLIB 5 // Reserved, unspecified semantics
#define ELF_PT_PHDR 6 // Location and size of program header table
-#define ELF_PT_TLS 7 // Thread-Local Storage
+#define ELF_PT_TLS 7 // Thread-Local Storage
#define ELF_PT_GNU_EH_FRAME 0x6474e550
#define ELF_PT_GNU_STACK 0x6474e551
-
+
#define ELF_PF_X 0x1 // Segment is executable
#define ELF_PF_W 0x2 // Segment is writable
#define ELF_PF_R 0x4 // Segment is readable
+#define ELF_PN_XNUM 0xffff
+
#pragma pack(push,1)
typedef struct
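Review bot: `ELF_SHN_LORESERVE` and `ELF_PN_XNUM` are the only defines in this block without a trailing comment, yet their meaning is exactly what justifies the new bounds checks in elf.c, and an unexplained `0xFF00` and `0xffff` read like arbitrary caps. Suggest `#define ELF_SHN_LORESERVE 0xFF00 // First reserved section index; a valid e_shnum is always below it` and `#define ELF_PN_XNUM 0xffff // e_phnum overflow marker: the real count is then in section 0's sh_info`. The hunk also mixes trailing-whitespace fixes (the `ELF_PT_LOAD`, `ELF_PT_TLS` and blank-line pairs) into an overflow fix, which makes the security-relevant additions harder to pick out when reading the history.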
diff --git a/libyara/modules/elf.c b/libyara/modules/elf.c
index 30a3ed3..05b9045 100644
--- a/libyara/modules/elf.c
+++ b/libyara/modules/elf.c
@@ -84,8 +84,9 @@ uint64_t elf_rva_to_offset_##bits( \
{ \
if (section->type != ELF_SHT_NULL && \
section->type != ELF_SHT_NOBITS && \
+ section->size <= elf_size && \
rva >= section->addr && \
- rva < section->addr + section->size) \
+ rva < section->addr + section->size) \
{ \
return section->offset + (rva - section->addr); \
} \
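Review bot: The new `section->size <= elf_size` term bounds the size but not `section->offset`, so a section header whose offset lies past the end of the file still produces a value beyond `elf_size` on the `return section->offset + (rva - section->addr);` line; unless every caller re-checks the returned offset (not visible here), add `section->offset <= elf_size - section->size && \` right after the size check, which cannot underflow because the size has just been bounded. The `section->addr + section->size` sum can still wrap when `addr` is near the top of its range, but a wrapped sum only makes the `rva <` test stricter, so that case fails closed. elf_rva_to_offset starts and ends outside the hunk.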
@@ -127,7 +128,8 @@ void parse_elf_header_##bits( \
elf_obj, "entry_point"); \
} \
\
- if (elf->sh_str_table_index < elf->sh_entry_count && \
+ if (elf->sh_entry_count < ELF_SHN_LORESERVE && \
+ elf->sh_str_table_index < elf->sh_entry_count && \
elf->sh_offset < elf_size && \
elf->sh_offset + elf->sh_entry_count * \
sizeof(elf##bits##_section_header_t) <= elf_size) \
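Review bot: The purpose of `elf->sh_entry_count < ELF_SHN_LORESERVE` is not stated, and since `sh_entry_count` mirrors a 16-bit `e_shnum` (its declaration is outside the hunk) the product on the next two lines could not overflow a 64-bit `size_t` on its own, so a reader cannot tell whether the bound is a format rule or an overflow guard. Suggest a comment above the condition: `/* e_shnum >= SHN_LORESERVE is never valid (the real count then lives in section 0's sh_size); sh_offset < elf_size keeps the addition below from wrapping */`. parse_elf_header continues outside the hunk.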
@@ -147,7 +149,8 @@ void parse_elf_header_##bits( \
set_integer(section->size, elf_obj, "sections[%i].size", i); \
set_integer(section->offset, elf_obj, "sections[%i].offset", i); \
\
- if (str_table != NULL && \
+ if (section->name < elf_size && \
+ str_table > (char*) elf && \
str_table + section->name < (char*) elf + elf_size) \
{ \
set_string(str_table + section->name, elf_obj, "sections[%i].name", i);\
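Review bot: The new `str_table + section->name < (char*) elf + elf_size` term guarantees only that the first byte of the name lies inside the file, not that a terminator does; if `set_string` measures its argument with strlen (its implementation is not in the hunk), a name placed in the last bytes of a crafted file is read past `elf + elf_size`. Bounding the string first closes that, e.g. `const char* name = str_table + section->name;` followed by the extra condition `memchr(name, '\0', (char*) elf + elf_size - name) != NULL`. Replacing the old `str_table != NULL` test with `str_table > (char*) elf` also relies on a relational comparison against a null pointer, which C does not define; keeping the explicit `str_table != NULL &&` costs nothing. parse_elf_header continues outside the hunk.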
@@ -157,8 +160,10 @@ void parse_elf_header_##bits( \
} \
} \
\
- if(elf->ph_entry_count && \
- elf->ph_offset + elf->ph_entry_count * \
+ if (elf->ph_entry_count > 0 && \
+ elf->ph_entry_count < ELF_PN_XNUM && \
+ elf->ph_offset < elf_size && \
+ elf->ph_offset + elf->ph_entry_count * \
sizeof(elf##bits##_program_header_t) <= elf_size) \
{ \
segment = (elf##bits##_program_header_t*) \
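Review bot: `elf->ph_entry_count < ELF_PN_XNUM` silently rejects, rather than handles, the extended program-header numbering case, and nothing at the call site says so, so the next reader may take `0xffff` for an arbitrary cap or "fix" it to `<=`. Suggest `/* e_phnum == PN_XNUM means the real count is in section 0's sh_info; such files get no segments here */` above the condition. The `elf->ph_offset < elf_size` term is the one that keeps the addition on the following line from wrapping and deserves the same one-line explanation. parse_elf_header continues outside the hunk.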
diff --git a/libyara/modules/pe.c b/libyara/modules/pe.c
index d8b4aa1..bd9de21 100644
--- a/libyara/modules/pe.c
+++ b/libyara/modules/pe.c
@@ -94,9 +94,9 @@ limitations under the License.
#define fits_in_pe(pe, pointer, size) \
- (size <= pe->data_size && \
- (uint8_t*)(pointer) >= pe->data && \
- (uint8_t*)(pointer) <= pe->data + pe->data_size - size)
+ ((size_t) size <= pe->data_size && \
+ (uint8_t*) (pointer) >= pe->data && \
+ (uint8_t*) (pointer) <= pe->data + pe->data_size - size)
#define struct_fits_in_pe(pe, pointer, struct_type) \
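Review bot: `size` and `pointer` are still not parenthesized in `fits_in_pe`, so the new `(size_t) size` cast binds only to the first token of a compound argument: a call such as `fits_in_pe(pe, p, a + b)` expands the first term to `(size_t) a + b` and the last to `pe->data_size - a + b`, which errs in the direction that admits out-of-bounds reads. The callers added in this commit pass a single member (`win_cert->Length`), so nothing breaks today, but this macro is the bounds check for the whole module. Change the three lines to `((size_t) (size) <= (pe)->data_size && \`, `(uint8_t*) (pointer) >= (pe)->data && \` and `(uint8_t*) (pointer) <= (pe)->data + (pe)->data_size - (size_t) (size))`, which also applies the cast consistently to the subtraction.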
@@ -1097,7 +1097,7 @@ IMPORTED_DLL* pe_parse_imports(
void pe_parse_certificates(
PE* pe)
{
- int i, counter = 0;
+ int i, counter = 0;
uint8_t* eod;
PWIN_CERTIFICATE win_cert;
@@ -1134,7 +1134,10 @@ void pe_parse_certificates(
//
while (struct_fits_in_pe(pe, win_cert, WIN_CERTIFICATE) &&
+ fits_in_pe(pe, win_cert->Certificate, win_cert->Length) &&
+ win_cert->Length >= 8 &&
(uint8_t*) win_cert + sizeof(WIN_CERTIFICATE) <= eod &&
+ (uint8_t*) win_cert->Certificate < eod &&
(uint8_t*) win_cert->Certificate + win_cert->Length - 8 <= eod)
{
BIO* cert_bio;
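Review bot: The new `win_cert->Length >= 8` term is what keeps `win_cert->Length - 8` on the last condition from wrapping, yet it is evaluated after the new `fits_in_pe(...)` term and carries no explanation; placing it first with `win_cert->Length >= 8 && // Length covers the 8-byte WIN_CERTIFICATE header` makes the dependency visible. If `Length` does include that header, as the `- 8` implies, then `fits_in_pe(pe, win_cert->Certificate, win_cert->Length)` demands eight bytes more than the entry occupies and will reject a well-formed certificate that ends exactly at the end of the data; `fits_in_pe(pe, win_cert, win_cert->Length)` checks the same extent without the slack. The `>= 8` bound presumably also guarantees forward progress if the loop step (outside the hunk) advances `win_cert` by `Length`; worth stating in the same comment. pe_parse_certificates continues outside the hunk.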
@@ -1207,7 +1210,10 @@ void pe_parse_certificates(
serial = X509_get_serialNumber(cert);
- if (serial->length > 0)
+ // According to X.509 specification the maximum length for the serial
+ // number is 20 octets.
+
+ if (serial->length > 0 && serial->length <= 20)
{
// Convert serial number to "common" string format: 00:01:02:03:04...
// For each byte in the integer to convert to hexlified format we
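Review bot: The comment above `serial->length <= 20` cites the X.509 limit but not what the code does with a longer serial, and the effect is that the serial of a non-conforming certificate is silently skipped rather than reported; that is a defensible choice if the hexlified form below goes into a fixed-size buffer (the buffer is outside the hunk), but the reader has to guess. Suggest wording the comment as `// RFC 5280 4.1.2.2 caps serialNumber at 20 octets; longer (non-conforming) serials are skipped rather than truncated into the fixed-size buffer below.` and dropping the blank line between the comment and the `if`, which detaches the two. pe_parse_certificates continues outside the hunk.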
@@ -1415,7 +1421,7 @@ define_function(section_index_addr)
int64_t i;
int64_t offset;
int64_t size;
-
+
int64_t addr = integer_argument(1);
int64_t n = get_integer(module, "number_of_sections");
@@ -1451,7 +1457,7 @@ define_function(section_index_name)
int64_t n = get_integer(module, "number_of_sections");
int64_t i;
-
+
if (is_undefined(module, "number_of_sections"))
return_integer(UNDEFINED);
@@ -1566,7 +1572,7 @@ define_function(imphash)
dll = pe->imported_dlls;
while (dll)
- {
+ {
IMPORTED_FUNCTION* func;
size_t dll_name_len;
@@ -1755,7 +1761,7 @@ define_function(locale)
{
YR_OBJECT* module = module();
PE* pe = (PE*) module->data;
-
+
uint64_t locale = integer_argument(1);
int64_t n, i;
--