Use indexes within a table of functions instead of putting function pointers directly in the YARA's VM stack.

plusvic · plusvic · commit f90cd22379b7 · 2022-08-08T12:29:22.000+02:00
This helps increasing the security of the VM machine.
diff --git a/libyara/exec.c b/libyara/exec.c
@@ -364,6 +364,24 @@ static int iter_string_set_next(YR_ITERATOR* self, YR_VALUE_STACK* stack)
   return ERROR_SUCCESS;
 }
 
+// Global table that contains the "next" function for different types of
+// iterators. The reason for using this table is to avoid storing pointers
+// in the YARA's VM stack. Instead of the pointers we store an index within
+// this table.
+static YR_ITERATOR_NEXT_FUNC iter_next_func_table[] = {
+    iter_array_next,
+    iter_dict_next,
+    iter_int_range_next,
+    iter_int_enum_next,
+    iter_string_set_next,
+};
+
+#define ITER_NEXT_ARRAY      0
+#define ITER_NEXT_DICT       1
+#define ITER_NEXT_INT_RANGE  2
+#define ITER_NEXT_INT_ENUM   3
+#define ITER_NEXT_STRING_SET 4
+
 int yr_execute_code(YR_SCAN_CONTEXT* context)
 {
   YR_DEBUG_FPRINTF(2, stderr, "+ %s() {\n", __FUNCTION__);
@@ -466,7 +484,7 @@ int yr_execute_code(YR_SCAN_CONTEXT* context)
         pop(r1);
         r2.it->array_it.array = r1.o;
         r2.it->array_it.index = 0;
-        r2.it->next = iter_array_next;
+        r2.it->next_func_idx = ITER_NEXT_ARRAY;
         push(r2);
       }
 
@@ -487,7 +505,7 @@ int yr_execute_code(YR_SCAN_CONTEXT* context)
         pop(r1);
         r2.it->dict_it.dict = r1.o;
         r2.it->dict_it.index = 0;
-        r2.it->next = iter_dict_next;
+        r2.it->next_func_idx = ITER_NEXT_DICT;
         push(r2);
       }
 
@@ -511,7 +529,7 @@ int yr_execute_code(YR_SCAN_CONTEXT* context)
         pop(r1);
         r3.it->int_range_it.next = r1.i;
         r3.it->int_range_it.last = r2.i;
-        r3.it->next = iter_int_range_next;
+        r3.it->next_func_idx = ITER_NEXT_INT_RANGE;
         push(r3);
       }
 
@@ -537,7 +555,7 @@ int yr_execute_code(YR_SCAN_CONTEXT* context)
       {
         r3.it->int_enum_it.count = r1.i;
         r3.it->int_enum_it.next = 0;
-        r3.it->next = iter_int_enum_next;
+        r3.it->next_func_idx = ITER_NEXT_INT_ENUM;
 
         for (int64_t i = r1.i; i > 0; i--)
         {
@@ -572,7 +590,7 @@ int yr_execute_code(YR_SCAN_CONTEXT* context)
       {
         r3.it->string_set_it.count = r1.i;
         r3.it->string_set_it.index = 0;
-        r3.it->next = iter_string_set_next;
+        r3.it->next_func_idx = ITER_NEXT_STRING_SET;
 
         for (int64_t i = r1.i; i > 0; i--)
         {
@@ -594,11 +612,22 @@ int yr_execute_code(YR_SCAN_CONTEXT* context)
       // Loads the iterator in r1, but leaves the iterator in the stack.
       pop(r1);
       push(r1);
-      // The iterator's next function is responsible for pushing the next
-      // item in the stack, and a boolean indicating if there are more items
-      // to retrieve. The boolean will be at the top of the stack after
-      // calling "next".
-      result = r1.it->next(r1.it, &stack);
+
+      if (r1.it->next_func_idx <
+          sizeof(iter_next_func_table) / sizeof(YR_ITERATOR_NEXT_FUNC))
+      {
+        // The iterator's next function is responsible for pushing the next
+        // item in the stack, and a boolean indicating if there are more items
+        // to retrieve. The boolean will be at the top of the stack after
+        // calling "next".
+        result = iter_next_func_table[r1.it->next_func_idx](r1.it, &stack);
+      }
+      else
+      {
+        // next_func_idx is outside the valid range, this should not happend.
+        result = ERROR_INTERNAL_FATAL_ERROR;
+      }
+
       stop = (result != ERROR_SUCCESS);
       break;
 
diff --git a/libyara/include/yara/types.h b/libyara/include/yara/types.h
@@ -397,7 +397,6 @@ struct RE_AST
 #pragma warning(disable : 4200)
 #endif
 
-
 // The RE structure is embedded in the YARA's VM instruction flow, which
 // means that its alignment is not guaranteed. For this reason the it must
 // be a "packed" structure, in order to prevent alignment issues in platforms
@@ -999,7 +998,8 @@ struct YR_STRING_SET_ITERATOR
 
 struct YR_ITERATOR
 {
-  YR_ITERATOR_NEXT_FUNC next;
+  // Index of the next function within the iter_next_func_table global array.
+  int next_func_idx;
 
   union
   {

Original file line number	Diff line number	Diff line change
`@@ -397,7 +397,6 @@ struct RE_AST`
`397`	`397`	`#pragma warning(disable : 4200)`
`398`	`398`	`#endif`
`399`	`399`
`400`		`-`
`401`	`400`	`// The RE structure is embedded in the YARA's VM instruction flow, which`
`402`	`401`	`// means that its alignment is not guaranteed. For this reason the it must`
`403`	`402`	`// be a "packed" structure, in order to prevent alignment issues in platforms`
`@@ -999,7 +998,8 @@ struct YR_STRING_SET_ITERATOR`
`999`	`998`
`1000`	`999`	`struct YR_ITERATOR`
`1001`	`1000`	`{`
`1002`		`- YR_ITERATOR_NEXT_FUNC next;`
	`1001`	`+ // Index of the next function within the iter_next_func_table global array.`
	`1002`	`+ int next_func_idx;`
`1003`	`1003`
`1004`	`1004`	`union`
`1005`	`1005`	`{`