Skip to content

Alignment in 32-bits. Again #2070

New issue
New issue
Open
Open
Alignment in 32-bits. Again#2070
Labels
bug
@detrio333

Description

@detrio333
detrio333
opened on Apr 27, 2024

I faced problem which solved in 9c26038
Yara rules compiled by yara64.exe don't work with yara32.exe.
I saw the problem was solved by addition field 'uint32_t unused;', but I think it is non-persistent soltuion. Adding one more uint32_t raise the probem again

To Reproduce

  1. simple rule. file rules.yara
import "string"

rule StringLength
{
    condition:
        string.length("123") == 3
}
  1. yarac64.exe "D:\rules.yara" d:\rules.yarac
  2. 64 bit version run ok
yara64.exe -C "D:\rules.yarac" "D:\1.txt"
StringLength D:\1.txt
  1. 32 bit version don't work
yara32.exe -C "D:\rules.yarac" "D:\1.txt"

I obtain in debug mode rule_table is collapsed
image
5) Ubuntu compiled version run as expected for 32 and 64 bit both

Please complete the following information:

  • OS: Win10, Ubuntu 22.04
  • YARA version: 4.5.0 release

Additional context
I can see problem with aligment in macro

#define DECLARE_REFERENCE(type, name) \
  union                               \
  {                                   \
    type name;                        \
    YR_ARENA_REF name##_;             \
  } YR_ALIGN(8)

when

#if defined(__GNUC__)
#define YR_ALIGN(n) __attribute__((aligned(n)))
#elif defined(_MSC_VER)
#define YR_ALIGN(n) __declspec(align(n))
#else
#define YR_ALIGN(n)
#endif

According microsoft documentaion https://learn.microsoft.com/en-us/cpp/cpp/align-cpp?view=msvc-170 aling command must go before struct or union declarion. For gcc __attribute__((aligned(n))) can be wriiten before and after both.

Using YR_ALIGN everywhere except DECLARE_REFERENCE is before struct, union. For example

struct YR_EXTERNAL_VARIABLE
{
  int32_t type;

  YR_ALIGN(8) union
  {
    int64_t i;
    double f;
    char* s;
  } value;

  DECLARE_REFERENCE(const char*, identifier);
};

It work nice.
I think there were no problems before because YR_RULE contained 2 int32_t field. Adding uint32_t required_strings caues misalining in rule loading. 'uint32_t unused;' is non-persistent soltuion, because another new field also break the loading. I suggest to move YR_ALIGN(8) to try avoid same problem in future

#define DECLARE_REFERENCE(type, name) \
  YR_ALIGN(8) union                   \
  {                                   \
    type name;                        \
    YR_ARENA_REF name##_;             \
  }

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions