
Crash when using pe module on wolfi-os

Open anuragsoni opened this issue 3 months ago • 4 comments

Describe the bug

I'm running yara within a container that uses wolfi as a base image (https://www.chainguard.dev/unchained/introducing-wolfi-the-first-linux-un-distro-designed-for-securing-the-software-supply-chain - docker hub link: https://hub.docker.com/r/chainguard/wolfi-base) and noticed quite a few core dumps in scanning some PE samples.

To Reproduce

I tried to come up with a minimal viable reproduction case and was able to get a segmentation fault with the following rule:

import "pe"

rule test_rule {
    condition:
        true
}

I used an existing file on VirusTotal for testing: https://www.virustotal.com/gui/file/fa0fe54db0839ab74810ca46bd17c4b60ebbf4681557e93eba8b3f92c94dbdc3/details

Yara was compiled from source with --with-crypto --enable-magic --enable-debug flags enabled. I was able to get a backtrace from the core file:

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x000055aac546ec55 in pe_parse_exports (pe=0x55aad9f9b940) at libyara/modules/pe/pe.c:1708
1708	       if (yr_le16toh(ordinals[j]) == i && j < number_of_names)
(gdb) bt
#0  0x000055aac546ec55 in pe_parse_exports (pe=0x55aad9f9b940) at libyara/modules/pe/pe.c:1708
#1  pe__load (context=<optimized out>, module_object=<optimized out>, module_data=<optimized out>, module_data_size=<optimized out>) at libyara/modules/pe/pe.c:4404
#2  0x000055aac5450ece in yr_modules_load (module_name=0x7fbc2fc03018 "pe", context=context@entry=0x55aad9fa8740) at libyara/modules.c:157
#3  0x000055aac5491ccd in yr_execute_code (context=context@entry=0x55aad9fa8740) at libyara/exec.c:1955
#4  0x000055aac54555c8 in yr_scanner_scan_mem_blocks (scanner=scanner@entry=0x55aad9fa8740, iterator=iterator@entry=0x7ffcc6912a80) at libyara/scanner.c:570
#5  0x000055aac5455f18 in yr_scanner_scan_mem (scanner=0x55aad9fa8740, buffer=<optimized out>, buffer_size=<optimized out>) at libyara/scanner.c:749
#6  yr_scanner_scan_fd (scanner=scanner@entry=0x55aad9fa8740, fd=fd@entry=3) at libyara/scanner.c:785
#7  0x000055aac54477ff in scan_file (scanner=0x55aad9fa8740, filename=<optimized out>) at cli/yara.c:758
#8  main (argc=<optimized out>, argv=<optimized out>) at cli/yara.c:1718

Expected behavior

No segmentation fault when running a scan against a rule that uses the pe module

Please complete the following information:

  • OS: Host OS is Linux (x86_64 platform). Issue noticed on both Amazon Linux 2023 using kernel 6.1, and OpenSUSE Tumbleweed using kernel 6.17.1. Yara was running inside a container that was built on top of https://hub.docker.com/r/chainguard/wolfi-base
  • YARA version: 4.5.5 (But similar crash also noticed on 4.5.0). When testing against 4.4.0 I don't see a segmentation fault, but the yara process reports a failure with error code 4.

Additional context

Do let me know if there are other debugging steps I should perform, and/or if there's anything else I can do to provide more details that might help!

Best, Anurag

anuragsoni, Nov 11 '25 03:11

I'll also add that this same rule works without issues with yara-x. We have plans to switch to yara-x eventually but I did want to report this as well!

anuragsoni, Nov 11 '25 03:11

I've been trying to reproduce this issue without success. I've compiled YARA with the same options and scanned the same file, also with address-sanitizer enabled, and it didn't panic. A panic in if (yr_le16toh(ordinals[j]) == i && j < number_of_names) must be caused by out-of-bounds access to the ordinals, but I reviewed the code looking for possible flaws and didn't find anything.

plusvic, Nov 28 '25 14:11
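An added illustration, not YARA's code and not part of this thread: the loop in the backtrace reads `ordinals[j]` while searching for the entry that matches a function index, so the check a defensive PE parser wants is that the whole ordinal table, as sized by the export directory's NumberOfNames, lies inside the mapped data before any element is read. The buffer layout, offsets, return codes and function names below are constructed for this example; a real PE stores these tables by RVA rather than by file offset.

```c
/* Added illustration of a bounds-checked export ordinal lookup.
 * This is NOT YARA's code; it only mirrors the shape of the loop in the
 * backtrace (scanning ordinals[j] for the entry equal to a function index)
 * while validating the table against the mapped data size first. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ORD_OK             0
#define ORD_NOT_FOUND     -1
#define ORD_OUT_OF_BOUNDS -2

/* Read a little-endian uint16 without assuming alignment or host byte order. */
static uint16_t read_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/*
 * Find the index j such that ordinals[j] == func_index.
 *
 * data/size:        the mapped file (here a constructed buffer)
 * ordinals_offset:  offset of the AddressOfNameOrdinals table within data
 * number_of_names:  NumberOfNames as stored in the export directory
 *
 * The table is validated before any element is read: if the header claims
 * more entries than fit inside `size`, the lookup refuses to proceed rather
 * than indexing past the mapping. The subtraction-based check avoids the
 * integer overflow that `offset + count * 2 <= size` could hit.
 */
int find_name_index_for_function(const uint8_t *data, size_t size,
                                 uint32_t ordinals_offset,
                                 uint32_t number_of_names,
                                 uint32_t func_index,
                                 uint32_t *name_index_out)
{
    if (ordinals_offset > size)
        return ORD_OUT_OF_BOUNDS;
    if ((size_t)number_of_names > (size - ordinals_offset) / sizeof(uint16_t))
        return ORD_OUT_OF_BOUNDS;

    const uint8_t *ordinals = data + ordinals_offset;
    for (uint32_t j = 0; j < number_of_names; j++) {
        /* Every read here is inside [ordinals_offset, size) by the check above. */
        if (read_le16(ordinals + (size_t)j * sizeof(uint16_t)) == func_index) {
            *name_index_out = j;
            return ORD_OK;
        }
    }
    return ORD_NOT_FOUND;
}

/* Constructed sample: 4 bytes of filler, then three ordinals {2, 0, 1}
 * stored little-endian at offset 4. Not taken from any real file. */
const uint8_t kSample[] = { 0x4d, 0x5a, 0x00, 0x00,
                            0x02, 0x00, 0x00, 0x00, 0x01, 0x00 };
const size_t kSampleSize = sizeof kSample;
const uint32_t kOrdinalsOffset = 4;

int main(void)
{
    uint32_t idx = 0;
    int rc = find_name_index_for_function(kSample, kSampleSize, kOrdinalsOffset,
                                          3, 1, &idx);
    printf("lookup of function 1: rc=%d name_index=%u\n", rc, idx);

    /* A header that lies about NumberOfNames is refused, not read past. */
    rc = find_name_index_for_function(kSample, kSampleSize, kOrdinalsOffset,
                                      1000, 1, &idx);
    printf("lookup with NumberOfNames=1000: rc=%d\n", rc);
    return 0;
}
```

The check is deliberately placed before the loop rather than inside the loop body: the condition in the backtrace evaluates `ordinals[j]` first and `j < number_of_names` second, and a per-iteration bound on `j` alone would in any case not help when `number_of_names` itself exceeds what the mapping holds.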

@plusvic Thank you for checking. I was only able to reproduce a crash when running within a wolfi-os container so maybe the issue is with their image specifically, I will try and prepare a bug report for them and apologies for the noise on yara's bug tracker!

anuragsoni, Dec 01 '25 21:12

One additional data point: the PE files that caused a crash/segfault for us were ones that specify a MajorSubsystemVersion of 10, and a MajorOperatingSystemVersion of 10 as well. PE samples that specify a lower version than these don't seem to result in a similar crash.

This seems fairly obscure as the crash only occurs on a very specific combination of container + host operating system, so not sure there's a lot to gain with keeping this bug report open 😅

Yara-x doesn't show a similar issue when using pe modules on these files so that's probably the best path forward for us!

anuragsoni, Dec 05 '25 19:12

@plusvic I reported this issue to the wolfi project and I'm okay to close this, as the crash looked related to GCC instead of yara itself (https://github.com/wolfi-dev/os/pull/75776).

anuragsoni, Dec 15 '25 15:12