Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Memory leak on yr_rules_scan_proc #1070

Closed
TJOSERAFAEL opened this issue May 29, 2019 · 5 comments · Fixed by #1075
Closed

Memory leak on yr_rules_scan_proc #1070

TJOSERAFAEL opened this issue May 29, 2019 · 5 comments · Fixed by #1075

Comments

@TJOSERAFAEL
Copy link

TJOSERAFAEL commented May 29, 2019
edited
Loading

YARA Version Platform
3.9.0, 3.10.0 Ubuntu 16.04

When running processes scan using yr_rules_scan_proc function, a struct doesn't get freed if it can not attach to the process.

Simple POC:

#include <stdio.h>
#include <yara.h>

#define MAX_PIDS 32568

int main(int argc, char **argv)
{

   if (yr_initialize())
   {
      perror("Error initializing yara library\n");
      exit(1);
   }

   YR_COMPILER *compiler = NULL;

   if (yr_compiler_create(&compiler) != ERROR_SUCCESS)
   {
      perror("Error initializing yara compiler\n");
      exit(1);
   }

   YR_RULES *rules = NULL;

   if (yr_compiler_add_string(compiler, "rule dummy { condition: true }", NULL) != 0)
   {
      perror("Error on yr_compiler_add_string\n");
      exit(1);
   }

   if (yr_compiler_get_rules(compiler, &rules) != ERROR_SUCCESS)
   {
      perror("Error on yr_compiler_get_rules\n");
      exit(1);
   }

   printf("Yara initialized\n");

   int z;
   for (z = 0; z < MAX_PIDS; z++) {
      yr_rules_scan_proc(rules,z,0,NULL,NULL,0);
   }

   printf("Yara finalized\n");

   yr_compiler_destroy(compiler);

   yr_finalize();

   return 0;
}

Valgrind output:

==11936== 
==11936== HEAP SUMMARY:
==11936==     in use at exit: 1,785,936 bytes in 32,393 blocks
==11936==   total heap usage: 103,273 allocs, 70,880 frees, 22,303,851 bytes allocated
==11936== 
==11936== 56 bytes in 1 blocks are possibly lost in loss record 2 of 7
==11936==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11936==    by 0x4E70454: yr_process_open_iterator (in /usr/local/lib/libyara.so.3.9.0)
==11936==    by 0x4E79AAD: yr_rules_scan_proc (in /usr/local/lib/libyara.so.3.9.0)
==11936==    by 0x400AD5: main (main2.c:41)
==11936== 
==11936== 13,472 bytes in 1 blocks are possibly lost in loss record 4 of 7
==11936==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11936==    by 0x4E58D23: yr_arena_duplicate (in /usr/local/lib/libyara.so.3.9.0)
==11936==    by 0x4E5DEF6: yr_compiler_get_rules (in /usr/local/lib/libyara.so.3.9.0)
==11936==    by 0x400A85: main (main2.c:31)
==11936== 
==11936== 16,808 (112 direct, 16,696 indirect) bytes in 1 blocks are definitely lost in loss record 6 of 7
==11936==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11936==    by 0x4E5DEDA: yr_compiler_get_rules (in /usr/local/lib/libyara.so.3.9.0)
==11936==    by 0x400A85: main (main2.c:31)
==11936== 
==11936== 1,755,600 bytes in 31,350 blocks are definitely lost in loss record 7 of 7
==11936==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11936==    by 0x4E70454: yr_process_open_iterator (in /usr/local/lib/libyara.so.3.9.0)
==11936==    by 0x4E79AAD: yr_rules_scan_proc (in /usr/local/lib/libyara.so.3.9.0)
==11936==    by 0x400AD5: main (main2.c:41)
==11936== 
==11936== LEAK SUMMARY:
==11936==    definitely lost: 1,755,712 bytes in 31,351 blocks
==11936==    indirectly lost: 16,696 bytes in 1,040 blocks
==11936==      possibly lost: 13,528 bytes in 2 blocks
==11936==    still reachable: 0 bytes in 0 blocks
==11936==         suppressed: 0 bytes in 0 blocks
==11936== 
==11936== For counts of detected and suppressed errors, rerun with: -v
==11936== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)

Seems like this function doesn't free the iterator struct if the result fails:
https://github.com/VirusTotal/yara/blob/v3.10.0/libyara/rules.c#L361

Thank you!
@plusvic
Copy link
Member

plusvic commented May 31, 2019 via email

@TJOSERAFAEL
Copy link
Author

Hi @plusvic ,

the memory leak is still present even after calling yr_rules_destroy. Any thoughts on this?

Regards.

plusvic added a commit that referenced this issue Jun 5, 2019
@plusvic
Fix memory leak when _yr_process_attach fails.
3b5b6e6 
Closes #1070.
@plusvic plusvic mentioned this issue Jun 5, 2019
Merged
@plusvic
Copy link
Member

plusvic commented Jun 5, 2019

You're right, there was a memory leak when _yr_process_attach failed. The issue should be solved with #1075. Can you verify?

@TJOSERAFAEL
Copy link
Author

Hi @plusvic ,

the memory leak is fixed, thank you a lot!.
Do you have an ETA for including this on the https://github.com/VirusTotal/yara/tree/v3.10.0 tag?

Regards.

plusvic added a commit that referenced this issue Jun 6, 2019
@plusvic
Fix memory leak when _yr_process_attach fails. (#1075)
2b10f5c 
Closes #1070.
@plusvic
Copy link
Member

plusvic commented Jun 6, 2019

It has been merged in master and will be included in the next release, but I don't have an ETA for it.

tarterp pushed a commit to mandiant/yara that referenced this issue Mar 31, 2022
@plusvic
Fix memory leak when _yr_process_attach fails. (VirusTotal#1075)
33cd826 
Closes VirusTotal#1070.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix memory leak when _yr_process_attach fails. VirusTotal/yara
2 participants
@plusvic @TJOSERAFAEL