Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Macho segment bug #1272

Merged
merged 2 commits into from
May 11, 2020
Merged

Macho segment bug #1272

merged 2 commits into from
May 11, 2020

Conversation

knightsc
Copy link
Contributor

@knightsc knightsc commented May 4, 2020

See #1263

This PR updates the previous PR on top of the latest merged Mach-O parsing changes.

This also includes a test case for the bug condition.

@knightsc
Create test case for uninitialized number_of_segments
cdd12e4 
The current Mach-O parsing code attempts to call macho_rva_to_offset
while parsing load commands and before it has set number_of_segments.
Since macho_rva_to_offset uses number_of_segments this can result
in it using a number_of_segments that is uninitialized and is just a random
large number. In turn yara runs a really long time.

This adds a test binary based on this post

https://codegolf.stackexchange.com/questions/102471/smallest-possible-runnable-mach-o-executable/154685#154685

It has two load commands. The first is a LC_UNIXTHREAD command and
the second is a LC_SEGMENT command. It's a valid 386 Mach-O binary.
It reproduces this error.
@knightsc
Parse number_of_segments completely before other CMDs
77771c8
@knightsc knightsc mentioned this pull request May 4, 2020
Closed
@plusvic plusvic merged commit d01084b into VirusTotal:master May 11, 2020
This was referenced May 18, 2020
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@plusvic plusvic plusvic approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@knightsc @plusvic