fix: fix UB in the scan mem blocks API

vthib · vthib · commit 801ab5f1360a · 2023-10-29T22:55:10.000+01:00
The iterators on memory blocks is unsafe as it uses pointers on freed
objects.

The `mem_block_iterator_first` and `mem_block_iterator_next` both
have this code:

```
let mut mem_block = ...;
match mem_block.as_mut() {
    Some(mem_block) {
        context.mem_block.write(mem_block.as_yara());
        context.mem_block.as_mut_ptr()
    }
    ...
}
```

This is unsafe because the "as_yara" method creates an object that keeps
a pointer to the mem_block object, which is freed just afterwards.

This can be seen easily by running the tests in valgrind, where the
tests using the mem blocks api have this error:

```
==23549== Invalid read of size 8
==23549==    at 0x1CAAD4: yara::internals::iterator::mem_block_fetch_data (iterator.rs:160)
==23549==    by 0x1E8A06: yr_scanner_scan_mem_blocks (scanner.c:479)
==23549==    by 0x152458: yara::internals::scan::scanner_scan_mem_blocks_inner (scan.rs:269)
==23549==    by 0x1521BF: yara::internals::scan::scanner_scan_mem_blocks (scan.rs:248)
...
```

The `mem_block_fetch_data` dereferences the pointer to the freed object,
leading to an invalid read.

This is fixed in this commit by avoiding to keep this pointer, and
instead directly storing the pointer to the slice data, since this is
the value we want to return in `mem_block_fetch_data`.

I won't pretend that this makes this API **safe**, since this has to use
the yara memory block iterator API, which is very unsafe in how it is
declared, and its safety depends on knowledge on how those objects are
used internally in YARA. But at least valgrind no longer complains :)
diff --git a/src/internals/iterator.rs b/src/internals/iterator.rs
@@ -16,18 +16,16 @@ impl<'a> MemoryBlock<'a> {
         Self { base, data }
     }
 
-    fn as_yara(&mut self) -> YR_MEMORY_BLOCK {
-        let fetch_data = if self.data.is_empty() {
-            mem_block_fetch_data_null
-        } else {
-            mem_block_fetch_data
-        };
-
+    fn into_yara(self) -> YR_MEMORY_BLOCK {
         YR_MEMORY_BLOCK {
             base: self.base,
             size: self.data.len() as _,
-            context: self as *mut MemoryBlock as *mut std::os::raw::c_void,
-            fetch_data: Some(fetch_data),
+            context: if self.data.is_empty() {
+                std::ptr::null_mut()
+            } else {
+                self.data.as_ptr() as *const _ as *mut _
+            },
+            fetch_data: Some(mem_block_fetch_data),
         }
     }
 }
@@ -119,10 +117,10 @@ unsafe extern "C" fn mem_block_iterator_first<T: MemoryBlockIterator>(
     iter: *mut YR_MEMORY_BLOCK_ITERATOR,
 ) -> *mut YR_MEMORY_BLOCK {
     let context = &mut *((*iter).context as *mut WrapperMemoryBlockIterator<T>);
-    let mut mem_block = context.iter.first();
-    match mem_block.as_mut() {
+    let mem_block = context.iter.first();
+    match mem_block {
         Some(mem_block) => {
-            context.mem_block.write(mem_block.as_yara());
+            context.mem_block.write(mem_block.into_yara());
             context.mem_block.as_mut_ptr()
         }
         None => ptr::null_mut(),
@@ -134,10 +132,10 @@ unsafe extern "C" fn mem_block_iterator_next<T: MemoryBlockIterator>(
 ) -> *mut YR_MEMORY_BLOCK {
     let context = &mut *((*iter).context as *mut WrapperMemoryBlockIterator<T>);
     let _ = context.mem_block.assume_init();
-    let mut mem_block = context.iter.next();
-    match mem_block.as_mut() {
+    let mem_block = context.iter.next();
+    match mem_block {
         Some(mem_block) => {
-            context.mem_block.write(mem_block.as_yara());
+            context.mem_block.write(mem_block.into_yara());
             context.mem_block.as_mut_ptr()
         }
         None => ptr::null_mut(),
@@ -151,11 +149,6 @@ unsafe extern "C" fn mem_block_iterator_file_size<T: MemoryBlockIteratorSized>(
     context.iter.file_size()
 }
 
-unsafe extern "C" fn mem_block_fetch_data_null(_: *mut YR_MEMORY_BLOCK) -> *const u8 {
-    ptr::null()
-}
-
 unsafe extern "C" fn mem_block_fetch_data(mem_block: *mut YR_MEMORY_BLOCK) -> *const u8 {
-    let mem_block = &mut *((*mem_block).context as *mut MemoryBlock);
-    mem_block.data.as_ptr()
+    (*mem_block).context as *const u8
 }
