[bug?][timeout] infinite reading of empty pseudo-file
During a system scan I noticed a strange behavior. When scanning (reading) kernel pseudo-files that block the stream until data arrives, the scan blocks.
The timeout parameter (-a or --timeout) does not help in this case.
I understand that I am filing this bug for the previous version of yara.
yr -V
yara-x-cli 1.3.0
yr scan rules/index.yar /sys/kernel/tracing/ -p 30 -r -a 500
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
82 file(s) scanned in 554.2s. 0 file(s) matched.
╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶╶
/sys/kernel/tracing/per_cpu/cpu11/snapshot_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu11/trace_pipe_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu11/trace_pipe 554.2s
/sys/kernel/tracing/per_cpu/cpu10/snapshot_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu10/trace_pipe_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu10/trace_pipe 554.2s
/sys/kernel/tracing/per_cpu/cpu9/snapshot_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu9/trace_pipe_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu9/trace_pipe 554.2s
/sys/kernel/tracing/per_cpu/cpu8/snapshot_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu8/trace_pipe_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu8/trace_pipe 554.2s
/sys/kernel/tracing/per_cpu/cpu7/snapshot_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu7/trace_pipe_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu7/trace_pipe 554.2s
/sys/kernel/tracing/per_cpu/cpu6/snapshot_raw 554.2s
/sys/kernel/tracing/per_cpu/cpu6/trace_pipe_raw 554.0s
/sys/kernel/tracing/per_cpu/cpu6/trace_pipe 554.0s
/sys/kernel/tracing/per_cpu/cpu5/snapshot_raw 554.0s
/sys/kernel/tracing/per_cpu/cpu5/trace_pipe_raw 554.0s
/sys/kernel/tracing/per_cpu/cpu5/trace_pipe 553.9s
/sys/kernel/tracing/per_cpu/cpu4/snapshot_raw 553.9s
/sys/kernel/tracing/per_cpu/cpu4/trace_pipe_raw 553.9s
/sys/kernel/tracing/per_cpu/cpu4/trace_pipe 553.8s
/sys/kernel/tracing/per_cpu/cpu3/snapshot_raw 553.8s
/sys/kernel/tracing/per_cpu/cpu3/trace_pipe_raw 553.8s
/sys/kernel/tracing/per_cpu/cpu3/trace_pipe 553.7s
/sys/kernel/tracing/per_cpu/cpu2/snapshot_raw 553.7s
/sys/kernel/tracing/per_cpu/cpu2/trace_pipe_raw 553.4s
/sys/kernel/tracing/per_cpu/cpu2/trace_pipe 552.8s
(CTRL+C) ^C
data:
```c
#include <fcntl.h>   // open()
#include <string.h>  // strlen()
#include <unistd.h>  // read(), write(), close()

int main(void) {
    int fd = open("/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY);
    if (fd == -1) {
        const char *msg = "Error: Failed to open file\n";
        write(2, msg, strlen(msg)); // fd 2 = stderr
        return 1;
    }
    char buffer[500];
    // Blocks here: trace_pipe_raw does not return until data arrives.
    ssize_t bytes_read = read(fd, buffer, sizeof(buffer));
    if (bytes_read == -1) {
        const char *msg = "Error: Failed to read file\n";
        write(2, msg, strlen(msg));
        close(fd);
        return 1;
    }
    close(fd);
    write(1, buffer, bytes_read); // fd 1 = stdout
    return 0;
}
```
clang --static code.c
strace -ffff ./a.out
execve("./a.out", ["./a.out"], 0x7ffd88648ee8 /* 34 vars */) = 0
brk(NULL) = 0x2e442000
brk(0x2e442d40) = 0x2e442d40
arch_prctl(ARCH_SET_FS, 0x2e4423c0) = 0
set_tid_address(0x2e442690) = 106543
set_robust_list(0x2e4426a0, 24) = 0
rseq(0x2e442340, 0x20, 0, 0x53053053) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
readlinkat(AT_FDCWD, "/proc/self/exe", "/root/Documents/for_yara/kernel_"..., 4096) = 45
getrandom("\xad\x74\xed\x39\x49\x99\x04\xc1", 8, GRND_NONBLOCK) = 8
brk(NULL) = 0x2e442d40
brk(0x2e463d40) = 0x2e463d40
brk(0x2e464000) = 0x2e464000
mprotect(0x4a4000, 20480, PROT_READ) = 0
openat(AT_FDCWD, "/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw", O_RDONLY) = 3
read(3, ^Cstrace: Process 106543 detached
<detached ...>
I'm afraid this is expected. Any other program (like cat) that tries to read those files exhibits the same behavior: it gets blocked waiting for data to be read.
This doesn't happen with memory-mapped files, though. Trying to map one of those files into memory causes an error, and that's why the original YARA doesn't block.
[root@host ~]# ls -l /sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw
-r--r-----. 1 root root 0 Jul 10 23:15 /sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw
[root@host ~]# file /sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw
/sys/kernel/tracing/per_cpu/cpu0/trace_pipe_raw: empty
file len. == 0
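One way a file scanner can avoid the hang discussed in this thread, added here as an example and not code from YARA-X or from the reporter: open the file O_NONBLOCK and let poll() enforce the deadline, which ftrace's trace_pipe honours. The two fixtures (a temporary regular file and a FIFO with no writer, standing in for an idle trace_pipe) are constructed for the demo and the function names are hypothetical.

```c
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

enum read_status { READ_OK = 0, READ_TIMEOUT = 1, READ_ERROR = 2 };

/* Read up to `cap` bytes from `path` but never wait longer than `timeout_ms`:
 * poll() on an O_NONBLOCK descriptor is the deadline the plain read() lacks. */
enum read_status bounded_read(const char *path, int timeout_ms, char *buf, size_t cap, ssize_t *out_len)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd == -1) return READ_ERROR;
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int ready = poll(&pfd, 1, timeout_ms);   /* 0 means the deadline hit */
    ssize_t n = ready > 0 ? read(fd, buf, cap) : -1;
    close(fd);
    if (ready == 0) return READ_TIMEOUT;     /* nothing arrived in time */
    if (n == -1) return READ_ERROR;
    *out_len = n;                            /* 0 here is a genuine EOF */
    return READ_OK;
}

/* Constructed fixture: an ordinary 11-byte file is readable at once. Returns bytes read, -1 on failure. */
long demo_regular_file(void)
{
    char path[] = "/tmp/br_reg_XXXXXX", buf[64];
    ssize_t n = -1;
    int fd = mkstemp(path);
    if (fd == -1 || write(fd, "hello world", 11) != 11) return -1;
    close(fd);
    enum read_status st = bounded_read(path, 100, buf, sizeof buf, &n);
    unlink(path);
    return st == READ_OK ? (long)n : -1;
}

/* Constructed fixture: a FIFO nobody writes to never becomes readable, like an idle trace_pipe. */
int demo_idle_fifo(void)
{
    char path[] = "/tmp/br_fifo_XXXXXX", buf[64];
    ssize_t n = -1;
    int fd = mkstemp(path);                  /* reserve a unique name */
    if (fd == -1) return READ_ERROR;
    close(fd); unlink(path);                 /* then reuse it for the FIFO */
    if (mkfifo(path, 0600) == -1) return READ_ERROR;
    int st = bounded_read(path, 50, buf, sizeof buf, &n);   /* 50 ms deadline */
    unlink(path);
    return st;
}
```

A scanner can treat READ_TIMEOUT as "skip this file", which is the effect the mmap failure already has in the original YARA.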