NextronSystems/thor-lite

thor-lite bug CentOS 7.9

Closed this issue · 3 comments

Hey There!

Looks like there is some bug here: thor lite crashes on different hosts, and the last output is mostly the same:

Debug Open File ID: 648 PATH: pipe:[3885913416]
FILE_DESCRIPTOR: 18 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913417]
FILE_DESCRIPTOR: 19 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913418]
FILE_DESCRIPTOR: 20 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913419]
FILE_DESCRIPTOR: 21 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913420]
FILE_DESCRIPTOR: 22 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913421]
FILE_DESCRIPTOR: 23 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913422]
FILE_DESCRIPTOR: 24 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913423]
FILE_DESCRIPTOR: 25 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913424]
FILE_DESCRIPTOR: 26 USER: root
Debug Open File ID: 648 PATH: pipe:[3885913425]
FILE_DESCRIPTOR: 27 USER: root
[22%] PID 366                                          [#######################################>____________________________________________________________________________________________________________________________________________]fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0xffffffffffffffff pc=0x13eb509]

runtime stack:
runtime.throw({0x169d187?, 0x7fffd0854060?})
        /3rdparty/_3rdparty/tgt/golang/src/runtime/panic.go:1047 +0x5d fp=0x7fffd0853f68 sp=0x7fffd0853f38 pc=0x43827d
runtime.sigpanic()
        /3rdparty/_3rdparty/tgt/golang/src/runtime/signal_unix.go:825 +0x3e9 fp=0x7fffd0853fc8 sp=0x7fffd0853f68 pc=0x44f709

goroutine 1 [syscall]:
non-Go function
        pc=0x13eb509
runtime.cgocall(0x10bc84f, 0xc0004c49c8)
        /3rdparty/_3rdparty/tgt/golang/src/runtime/cgocall.go:157 +0x5c fp=0xc0004c49a0 sp=0xc0004c4968 pc=0x4054bc
github.com/hillu/go-yara/v4._Cfunc_yr_scanner_scan_proc(0x43258020b40, 0x288)
        _cgo_gotypes.go:1827 +0x4c fp=0xc0004c49c8 sp=0xc0004c49a0 pc=0x72ea4c
github.com/hillu/go-yara/v4.(*Scanner).ScanProc.func2(0xc000d03830?, 0x288)

Hello! Thanks for the report, can you give me some more information on the process that's being scanned when THOR crashes? From the output, it was PID 648 in this case.
Also, which version of THOR are you using?

Hello!
Thanks for the fast reply!

It's a different process on each run: docker, postfix, etc.

I'm using the latest Thor-lite version:
Version 10.7.11 (2023-11-03 15:13:41)

Thanks for the information. I think I've managed to track this down. Ultimately, I think it boils down to a YARA issue where the mmap() return value isn't checked correctly; see VirusTotal/yara#2003.
I'll add a patch for THOR Lite for this to cover the time until a fixed YARA version is released, which will be part of the next THOR Lite release.
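
Added example, not code from YARA, go-yara or THOR: the last comment attributes the crash to an mmap() return value that is not checked correctly, and this C sketch shows the general pitfall, since mmap() reports failure as MAP_FAILED, which is (void *)-1, and never as NULL. The helper names are hypothetical and the failing call is constructed; on 64-bit Linux MAP_FAILED has the same numeric value as the addr field in the trace above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* for fileno() and off_t under strict modes */
#endif
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>

/* Insufficient: mmap() never returns NULL on failure, so a NULL test
 * accepts MAP_FAILED as if it were a usable mapping. */
int mapping_ok_null_check(const void *p) { return p != NULL; }

/* Correct: failure is signalled by MAP_FAILED, i.e. (void *)-1. */
int mapping_ok(const void *p) { return p != MAP_FAILED; }

/* Hypothetical helper: map len bytes of fd read-only and translate
 * MAP_FAILED into NULL so callers see one conventional error value. */
const uint8_t *map_region(int fd, off_t offset, size_t len) {
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, offset);
    return p == MAP_FAILED ? NULL : (const uint8_t *)p;
}

int unmap_region(const uint8_t *p, size_t len) {
    return munmap((void *)p, len);
}

/* Constructed failure: a file-backed mapping of an invalid descriptor. */
void *failing_mmap(void) {
    return mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, -1, 0);
}

int main(void) {
    void *bad = failing_mmap();
    printf("failed mmap returned %p\n", bad);
    printf("NULL check accepts it: %d, MAP_FAILED check accepts it: %d\n",
           mapping_ok_null_check(bad), mapping_ok(bad));
    /* A scanner has to skip the region here instead of reading through it. */
    if (map_region(-1, 0, 4096) == NULL)
        puts("region skipped");
    return 0;
}
```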