int yr_parser_reduce_string_identifier(
yyscan_t yyscanner,
const char* identifier,
int8_t instruction)
{
YR_STRING* string;
YR_COMPILER* compiler = yyget_extra(yyscanner);
if (strcmp(identifier, "$") == 0)
{
if (compiler->loop_depth > 0)
{
yr_parser_emit_with_arg(
yyscanner,
PUSH_M,
LOOP_LOCAL_VARS * (compiler->loop_depth - 1),
NULL);
yr_parser_emit(yyscanner, instruction, NULL);
if (instruction != SFOUND)
{
string = compiler->current_rule_strings;
while(!STRING_IS_NULL(string))
{
string->g_flags &= ~STRING_GFLAGS_SINGLE_MATCH;
string = yr_arena_next_address(
compiler->strings_arena,
string,
sizeof(YR_STRING));
}
}
}
else
{
compiler->last_result = ERROR_MISPLACED_ANONYMOUS_STRING;
}
}
else
{
string = yr_parser_lookup_string(yyscanner, identifier);
if (string != NULL)
{
yr_parser_emit_with_arg_reloc(
yyscanner,
PUSH,
PTR_TO_UINT64(string),
NULL);
if (instruction != SFOUND)
string->g_flags &= ~STRING_GFLAGS_SINGLE_MATCH;
yr_parser_emit(yyscanner, instruction, NULL);
string->g_flags |= STRING_GFLAGS_REFERENCED;
}
}
return compiler->last_result;
}
int yr_parser_reduce_string_identifier(
yyscan_t yyscanner,
const char* identifier,
uint8_t instruction,
uint64_t at_offset)
{
YR_STRING* string;
YR_COMPILER* compiler = yyget_extra(yyscanner);
if (strcmp(identifier, "$") == 0) // is an anonymous string ?
{
if (compiler->loop_for_of_mem_offset >= 0) // inside a loop ?
{
yr_parser_emit_with_arg(
yyscanner,
OP_PUSH_M,
compiler->loop_for_of_mem_offset,
NULL,
NULL);
yr_parser_emit(yyscanner, instruction, NULL);
string = compiler->current_rule->strings;
while(!STRING_IS_NULL(string))
{
if (instruction != OP_FOUND)
string->g_flags &= ~STRING_GFLAGS_SINGLE_MATCH;
if (instruction == OP_FOUND_AT)
{
// Avoid overwriting any previous fixed offset
if (string->fixed_offset == UNDEFINED)
string->fixed_offset = at_offset;
// If a previous fixed offset was different, disable
// the STRING_GFLAGS_FIXED_OFFSET flag because we only
// have room to store a single fixed offset value
if (string->fixed_offset != at_offset)
string->g_flags &= ~STRING_GFLAGS_FIXED_OFFSET;
}
else
{
string->g_flags &= ~STRING_GFLAGS_FIXED_OFFSET;
}
string = (YR_STRING*) yr_arena_next_address(
compiler->strings_arena,
string,
sizeof(YR_STRING));
}
}
else
{
// Anonymous strings not allowed outside of a loop
compiler->last_result = ERROR_MISPLACED_ANONYMOUS_STRING;
}
}
else
{
string = yr_parser_lookup_string(yyscanner, identifier);
if (string != NULL)
{
yr_parser_emit_with_arg_reloc(
yyscanner,
OP_PUSH,
PTR_TO_INT64(string),
NULL,
NULL);
if (instruction != OP_FOUND)
string->g_flags &= ~STRING_GFLAGS_SINGLE_MATCH;
if (instruction == OP_FOUND_AT)
{
// Avoid overwriting any previous fixed offset
if (string->fixed_offset == UNDEFINED)
string->fixed_offset = at_offset;
// If a previous fixed offset was different, disable
// the STRING_GFLAGS_FIXED_OFFSET flag because we only
// have room to store a single fixed offset value
if (string->fixed_offset == UNDEFINED ||
string->fixed_offset != at_offset)
{
string->g_flags &= ~STRING_GFLAGS_FIXED_OFFSET;
}
}
else
{
string->g_flags &= ~STRING_GFLAGS_FIXED_OFFSET;
}
yr_parser_emit(yyscanner, instruction, NULL);
string->g_flags |= STRING_GFLAGS_REFERENCED;
}
}
return compiler->last_result;
}
int yr_parser_reduce_rule_declaration_phase_2(
yyscan_t yyscanner,
YR_RULE* rule)
{
uint32_t max_strings_per_rule;
uint32_t strings_in_rule = 0;
uint8_t* nop_inst_addr = NULL;
int result;
YR_FIXUP *fixup;
YR_STRING* string;
YR_COMPILER* compiler = yyget_extra(yyscanner);
yr_get_configuration(
YR_CONFIG_MAX_STRINGS_PER_RULE,
(void*) &max_strings_per_rule);
// Show warning if the rule is generating too many atoms. The warning is
// shown if the number of atoms is greater than 20 times the maximum number
// of strings allowed for a rule, as 20 is minimum number of atoms generated
// for a string using *nocase*, *ascii* and *wide* modifiers simultaneosly.
if (rule->num_atoms > YR_ATOMS_PER_RULE_WARNING_THRESHOLD)
{
yywarning(
yyscanner,
"rule %s is slowing down scanning",
rule->identifier);
}
// Check for unreferenced (unused) strings.
string = rule->strings;
while (!STRING_IS_NULL(string))
{
// Only the heading fragment in a chain of strings (the one with
// chained_to == NULL) must be referenced. All other fragments
// are never marked as referenced.
if (!STRING_IS_REFERENCED(string) &&
string->chained_to == NULL)
{
yr_compiler_set_error_extra_info(compiler, string->identifier);
return ERROR_UNREFERENCED_STRING;
}
strings_in_rule++;
if (strings_in_rule > max_strings_per_rule)
{
yr_compiler_set_error_extra_info(compiler, rule->identifier);
return ERROR_TOO_MANY_STRINGS;
}
string = (YR_STRING*) yr_arena_next_address(
compiler->strings_arena,
string,
sizeof(YR_STRING));
}
result = yr_parser_emit_with_arg_reloc(
yyscanner,
OP_MATCH_RULE,
rule,
NULL,
NULL);
// Generate a do-nothing instruction (NOP) in order to get its address
// and use it as the destination for the OP_INIT_RULE skip jump. We can not
// simply use the address of the OP_MATCH_RULE instruction +1 because we
// can't be sure that the instruction following the OP_MATCH_RULE is going to
// be in the same arena page. As we don't have a reliable way of getting the
// address of the next instruction we generate the OP_NOP.
if (result == ERROR_SUCCESS)
result = yr_parser_emit(yyscanner, OP_NOP, &nop_inst_addr);
fixup = compiler->fixup_stack_head;
*(void**)(fixup->address) = (void*) nop_inst_addr;
compiler->fixup_stack_head = fixup->next;
yr_free(fixup);
return result;
}
int yr_parser_reduce_operation(
yyscan_t yyscanner,
const char* op,
EXPRESSION left_operand,
EXPRESSION right_operand)
{
YR_COMPILER* compiler = yyget_extra(yyscanner);
if ((left_operand.type == EXPRESSION_TYPE_INTEGER ||
left_operand.type == EXPRESSION_TYPE_FLOAT) &&
(right_operand.type == EXPRESSION_TYPE_INTEGER ||
right_operand.type == EXPRESSION_TYPE_FLOAT))
{
if (left_operand.type != right_operand.type)
{
// One operand is double and the other is integer,
// cast the integer to double
compiler->last_result = yr_parser_emit_with_arg(
yyscanner,
OP_INT_TO_DBL,
(left_operand.type == EXPRESSION_TYPE_INTEGER) ? 2 : 1,
NULL,
NULL);
}
if (compiler->last_result == ERROR_SUCCESS)
{
int expression_type = EXPRESSION_TYPE_FLOAT;
if (left_operand.type == EXPRESSION_TYPE_INTEGER &&
right_operand.type == EXPRESSION_TYPE_INTEGER)
{
expression_type = EXPRESSION_TYPE_INTEGER;
}
compiler->last_result = yr_parser_emit(
yyscanner,
_yr_parser_operator_to_opcode(op, expression_type),
NULL);
}
}
else if (left_operand.type == EXPRESSION_TYPE_STRING &&
right_operand.type == EXPRESSION_TYPE_STRING)
{
int opcode = _yr_parser_operator_to_opcode(op, EXPRESSION_TYPE_STRING);
if (opcode != OP_ERROR)
{
compiler->last_result = yr_parser_emit(
yyscanner,
opcode,
NULL);
}
else
{
yr_compiler_set_error_extra_info_fmt(
compiler, "strings don't support \"%s\" operation", op);
compiler->last_result = ERROR_WRONG_TYPE;
}
}
else
{
yr_compiler_set_error_extra_info(compiler, "type mismatch");
compiler->last_result = ERROR_WRONG_TYPE;
}
return compiler->last_result;
}
int yr_parser_reduce_rule_declaration_phase_1(
yyscan_t yyscanner,
int32_t flags,
const char* identifier,
YR_RULE** rule)
{
YR_FIXUP *fixup;
YR_INIT_RULE_ARGS *init_rule_args;
YR_COMPILER* compiler = yyget_extra(yyscanner);
*rule = NULL;
if (yr_hash_table_lookup(
compiler->rules_table,
identifier,
compiler->current_namespace->name) != NULL ||
yr_hash_table_lookup(
compiler->objects_table,
identifier,
NULL) != NULL)
{
// A rule or variable with the same identifier already exists, return the
// appropriate error.
yr_compiler_set_error_extra_info(compiler, identifier);
return ERROR_DUPLICATED_IDENTIFIER;
}
FAIL_ON_ERROR(yr_arena_allocate_struct(
compiler->rules_arena,
sizeof(YR_RULE),
(void**) rule,
offsetof(YR_RULE, identifier),
offsetof(YR_RULE, tags),
offsetof(YR_RULE, strings),
offsetof(YR_RULE, metas),
offsetof(YR_RULE, ns),
EOL))
(*rule)->g_flags = flags;
(*rule)->ns = compiler->current_namespace;
(*rule)->num_atoms = 0;
#ifdef PROFILING_ENABLED
(*rule)->time_cost = 0;
memset(
(*rule)->time_cost_per_thread, 0, sizeof((*rule)->time_cost_per_thread));
#endif
FAIL_ON_ERROR(yr_arena_write_string(
compiler->sz_arena,
identifier,
(char**) &(*rule)->identifier));
FAIL_ON_ERROR(yr_parser_emit(
yyscanner,
OP_INIT_RULE,
NULL));
FAIL_ON_ERROR(yr_arena_allocate_struct(
compiler->code_arena,
sizeof(YR_INIT_RULE_ARGS),
(void**) &init_rule_args,
offsetof(YR_INIT_RULE_ARGS, rule),
offsetof(YR_INIT_RULE_ARGS, jmp_addr),
EOL));
init_rule_args->rule = *rule;
// jmp_addr holds the address to jump to when we want to skip the code for
// the rule. It is iniatialized as NULL at this point because we don't know
// the address until emmiting the code for the rule's condition. The address
// is set in yr_parser_reduce_rule_declaration_phase_2.
init_rule_args->jmp_addr = NULL;
// Create a fixup entry for the jump and push it in the stack
fixup = (YR_FIXUP*) yr_malloc(sizeof(YR_FIXUP));
if (fixup == NULL)
return ERROR_INSUFFICIENT_MEMORY;
fixup->address = (void*) &(init_rule_args->jmp_addr);
fixup->next = compiler->fixup_stack_head;
compiler->fixup_stack_head = fixup;
// Clean strings_table as we are starting to parse a new rule.
yr_hash_table_clean(compiler->strings_table, NULL);
FAIL_ON_ERROR(yr_hash_table_add(
compiler->rules_table,
identifier,
compiler->current_namespace->name,
(void*) *rule));
compiler->current_rule = *rule;
return ERROR_SUCCESS;
}
