thor-lite bug CentOS 7.9 #35

Closed
n00bsteam opened this issue Nov 10, 2023 · 3 comments

@n00bsteam

Hey There!

Looks like there is some bug here: thor lite crashes on different hosts, and the last output is mostly the same:

Debug Open File ID: 648 PATH: pipe:[3885913416]
FILE_DESCRIPTOR: 18 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913417]
FILE_DESCRIPTOR: 19 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913418]
FILE_DESCRIPTOR: 20 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913419]
FILE_DESCRIPTOR: 21 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913420]
FILE_DESCRIPTOR: 22 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913421]
FILE_DESCRIPTOR: 23 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913422]
FILE_DESCRIPTOR: 24 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913423]
FILE_DESCRIPTOR: 25 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913424]
FILE_DESCRIPTOR: 26 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913425]
FILE_DESCRIPTOR: 27 USER: root
[22%] PID 366                                          [#######################################>____________________________________________________________________________________________________________________________________________]fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0xffffffffffffffff pc=0x13eb509]

runtime stack:
runtime.throw({0x169d187?, 0x7fffd0854060?})
        /3rdparty/_3rdparty/tgt/golang/src/runtime/panic.go:1047 +0x5d fp=0x7fffd0853f68 sp=0x7fffd0853f38 pc=0x43827d
runtime.sigpanic()
        /3rdparty/_3rdparty/tgt/golang/src/runtime/signal_unix.go:825 +0x3e9 fp=0x7fffd0853fc8 sp=0x7fffd0853f68 pc=0x44f709

goroutine 1 [syscall]:
non-Go function
        pc=0x13eb509
runtime.cgocall(0x10bc84f, 0xc0004c49c8)
        /3rdparty/_3rdparty/tgt/golang/src/runtime/cgocall.go:157 +0x5c fp=0xc0004c49a0 sp=0xc0004c4968 pc=0x4054bc
github.com/hillu/go-yara/v4._Cfunc_yr_scanner_scan_proc(0x43258020b40, 0x288)
        _cgo_gotypes.go:1827 +0x4c fp=0xc0004c49c8 sp=0xc0004c49a0 pc=0x72ea4c
github.com/hillu/go-yara/v4.(*Scanner).ScanProc.func2(0xc000d03830?, 0x288)
@secDre4mer

Hello! Thanks for the report, can you give me some more information on the process that's being scanned when THOR crashes? From the output, it was PID 648 in this case.
Also, which version of THOR are you using?

@n00bsteam

Hello!
Thanks for the fast reply!

It's a different process on each run: docker, postfix, etc.

I'm using the latest Thor-lite version:
Version 10.7.11 (2023-11-03 15:13:41)

@secDre4mer

Thanks for the information. I think I've managed to track this down. Ultimately, I think it boils down to a YARA issue where the mmap() return value isn't checked correctly; see VirusTotal/yara#2003.
I'll add a patch for THOR Lite for this to cover the time until a fixed YARA version is released, which will be part of the next THOR Lite release.
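
The bug class named in the comment above, shown as an added C example that is not part of the original thread and is not YARA's or THOR's code: on failure mmap() returns MAP_FAILED, which is (void *)-1 rather than NULL, the same value that appears as addr= in the crash output. The helper names and the invalid-fd trigger are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* All names here are hypothetical; none are taken from YARA or THOR. */

/* Flawed check: mmap() never returns NULL on failure, it returns
 * MAP_FAILED, so a NULL test accepts a failed mapping as valid. */
static int null_check_accepts(const void *p) { return p != NULL; }

/* Correct check: compare against MAP_FAILED. */
static int map_failed_check_accepts(const void *p) { return p != MAP_FAILED; }

/* Map len bytes and read the first one. Returns 0 on success and
 * -errno on failure; a failed mapping is never dereferenced. */
static int first_byte_of_mapping(int fd, size_t len, int flags, int *out)
{
    void *p = mmap(NULL, len, PROT_READ, flags, fd, 0);
    if (p == MAP_FAILED)
        return -errno;
    *out = *(const unsigned char *)p;
    munmap(p, len);
    return 0;
}

/* Returns what mmap() hands back for a file mapping on an invalid fd. */
static void *failing_mmap(void)
{
    return mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, -1, 0);
}

int main(void)
{
    void *p = failing_mmap();
    int b = -1;
    printf("failed mmap returned %p\n", p);
    printf("NULL check accepts it:       %d\n", null_check_accepts(p));
    printf("MAP_FAILED check accepts it: %d\n", map_failed_check_accepts(p));
    printf("bad fd  -> %d\n", first_byte_of_mapping(-1, 4096, MAP_PRIVATE, &b));
    int rc = first_byte_of_mapping(-1, 4096, MAP_PRIVATE | MAP_ANONYMOUS, &b);
    printf("anon ok -> %d (byte %d)\n", rc, b);
    return 0;
}
```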
