[Forensics-changes] [yara] 135/192: Linux Memory Scan Can Leave Process In Stopped State (#622)

[Hilko Bengen]

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.6.0
in repository yara.

commit 68ffbbcdc992e3f1969d0aa37d3d0b1568b5514b
Author: Jacob Baines <baines.jacob at gmail.com>
Date:   Mon Mar 20 02:17:24 2017 -0700

    Linux Memory Scan Can Leave Process In Stopped State (#622)
    
    * Wait for process to stop
    
    * Specify which process to wait for
---
 libyara/proc.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/libyara/proc.c b/libyara/proc.c
index 4a7dd4b..3871687 100644
--- a/libyara/proc.c
+++ b/libyara/proc.c
@@ -352,6 +352,7 @@ int _yr_process_attach(
     int pid,
     YR_PROC_ITERATOR_CTX* context)
 {
+  int status;
   char buffer[256];
 
   context->pid = pid;
@@ -386,6 +387,22 @@ int _yr_process_attach(
     return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
   }
 
+  status = 0;
+  if (waitpid(pid, &status, 0) == -1)
+  {
+    // this is a strange error state where we attached but the proc didn't
+    // stop. Try to detach and clean up.
+    ptrace(PTRACE_DETACH, context->pid, NULL, 0);
+
+    fclose(context->maps);
+    context->maps = NULL;
+
+    close(context->mem_fd);
+    context->mem_fd = -1;
+
+    return ERROR_COULD_NOT_ATTACH_TO_PROCESS;
+  }
+
   return ERROR_SUCCESS;
 }
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git