An Invalid Pointer Read occurs in PackLinuxElf64::unpack() while decompressing a crafted binary.
ASAN reports:
➜ origin ./upx --version
upx 3.94-git-d31947e1f016
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43
Copyright (C) 1996-2017 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2017 Laszlo Molnar
Copyright (C) 2000-2017 John F. Reiser
Copyright (C) 2002-2017 Jens Medoch
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
Copyright (C) 1999-2006 Igor Pavlov
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
➜ origin ./upx -d -o /dev/null -f POC1
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX git-d31947 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
=================================================================
==18371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000bf10 at pc 0x00000068ab40 bp 0x7ffcdf76a020 sp 0x7ffcdf76a018
READ of size 4 at 0x61a00000bf10 thread T0
#0 0x68ab3f in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
#1 0x68ab3f in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
#2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
#3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
#4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
#5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
#6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
#7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
#8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
#9 0x7fedb781782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
Shadow bytes around the buggy address:
0x0c347fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c347fff97e0: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18371==ABORTING
➜ origin ./upx -d -o /dev/null -f POC2
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX git-d31947 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
ASAN:DEADLYSIGNAL
=================================================================
==18378==ERROR: AddressSanitizer: SEGV on unknown address 0x71200000bf10 (pc 0x00000068ab25 bp 0x7ffcf86a73d0 sp 0x7ffcf86a73d0 T0)
#0 0x68ab24 in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
#1 0x68ab24 in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
#2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
#3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
#4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
#5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
#6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
#7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
#8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
#9 0x7f267df9982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
==18378==ABORTING
➜ origin ./upx -d -o /dev/null -f POC3
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX git-d31947 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
ASAN:DEADLYSIGNAL
=================================================================
==18385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000068ab25 bp 0x7ffd0ddfd550 sp 0x7ffd0ddfd550 T0)
#0 0x68ab24 in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
#1 0x68ab24 in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
#2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
#3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
#4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
#5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
#6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
#7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
#8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
#9 0x7f7db42da82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
==18385==ABORTING
➜ origin
POC.zip