Invalid Pointer Read in PackLinuxElf64::unpack() #128

Closed
hongphipham95 opened this issue Oct 2, 2017 · 1 comment
@hongphipham95

An Invalid Pointer Read occurs in PackLinuxElf64::unpack() while decompressing a crafted binary.
ASAN reports:

➜  origin ./upx --version
upx 3.94-git-d31947e1f016
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43
Copyright (C) 1996-2017 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2017 Laszlo Molnar
Copyright (C) 2000-2017 John F. Reiser
Copyright (C) 2002-2017 Jens Medoch
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
Copyright (C) 1999-2006 Igor Pavlov
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
➜  origin ./upx -d -o /dev/null -f POC1
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX git-d31947  Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
=================================================================
==18371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000bf10 at pc 0x00000068ab40 bp 0x7ffcdf76a020 sp 0x7ffcdf76a018
READ of size 4 at 0x61a00000bf10 thread T0
    #0 0x68ab3f in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
    #1 0x68ab3f in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
    #2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
    #3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
    #4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
    #5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
    #6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
    #7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
    #8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
    #9 0x7fedb781782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
Shadow bytes around the buggy address:
  0x0c347fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c347fff97e0: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18371==ABORTING
➜  origin ./upx -d -o /dev/null -f POC2
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX git-d31947  Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
ASAN:DEADLYSIGNAL
=================================================================
==18378==ERROR: AddressSanitizer: SEGV on unknown address 0x71200000bf10 (pc 0x00000068ab25 bp 0x7ffcf86a73d0 sp 0x7ffcf86a73d0 T0)
    #0 0x68ab24 in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
    #1 0x68ab24 in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
    #2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
    #3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
    #4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
    #5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
    #6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
    #7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
    #8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
    #9 0x7f267df9982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
==18378==ABORTING
➜  origin ./upx -d -o /dev/null -f POC3
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX git-d31947  Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
ASAN:DEADLYSIGNAL
=================================================================
==18385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000068ab25 bp 0x7ffd0ddfd550 sp 0x7ffd0ddfd550 T0)
    #0 0x68ab24 in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
    #1 0x68ab24 in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
    #2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
    #3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
    #4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
    #5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
    #6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
    #7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
    #8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
    #9 0x7f7db42da82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
==18385==ABORTING
➜  origin

POC.zip
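Reading the three traces together: frame #3 is elf_find_ptype() walking the ELF program-header table and frame #0 is get_le32() fetching a p_type field from an address that lies outside the heap buffer holding the file (a redzone in POC1, an unmapped address in POC2, address zero in POC3). In other words, the lookup trusts the header count and offset it reads from the crafted file. The C program below is an added example, not UPX code and not the fix that jreiser committed for this issue; it shows the bounds check a parser needs before iterating the table. The names find_ptype_checked, build_sample, Ehdr64 and Phdr64, and the constructed ELF images, are assumptions of this example, and the struct copies assume a little-endian host.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* ELF64 header and program-header layouts as in the ELF specification, declared
 * locally (constructed for this example) so the file builds without <elf.h>. */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;

enum { PT_LOAD = 1, PT_DYNAMIC = 2, PT_INTERP = 3 };

/* Hypothetical hardened lookup: index of the first program header whose p_type equals
 * 'want', or -1 if the table described by e_phoff/e_phentsize/e_phnum does not lie
 * entirely inside the 'len' bytes at 'buf', or no entry matches. Every header field is
 * checked against the buffer length before anything it points at is dereferenced. */
static long find_ptype_checked(const unsigned char *buf, size_t len, uint32_t want)
{
    Ehdr64 eh;
    if (buf == NULL || len < sizeof eh)
        return -1;                                 /* too small to hold an ELF header */
    memcpy(&eh, buf, sizeof eh);                   /* alignment-safe, host-endian copy */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */)
        return -1;
    if (eh.e_phnum == 0 || eh.e_phentsize != sizeof(Phdr64))
        return -1;                                 /* refuse odd entry sizes outright */
    /* Both factors are 16-bit, so the product cannot overflow 64 bits. Compare against
     * the remaining bytes instead of forming e_phoff + size, which a crafted e_phoff
     * could wrap around. */
    uint64_t table_bytes = (uint64_t)eh.e_phnum * eh.e_phentsize;
    if (eh.e_phoff > len || table_bytes > len - eh.e_phoff)
        return -1;                                 /* table would run past end of file */
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == want)
            return (long)i;
    }
    return -1;
}

/* Build a constructed ELF64 image in 'out': a header followed by 'real' program
 * headers (INTERP, LOAD, DYNAMIC, repeating) while advertising 'claimed' entries in
 * e_phnum. claimed != real models a file whose header lies about the table length.
 * Returns the number of bytes written, or 0 if 'cap' is too small. */
static size_t build_sample(unsigned char *out, size_t cap, uint16_t real, uint16_t claimed)
{
    size_t need = sizeof(Ehdr64) + (size_t)real * sizeof(Phdr64);
    if (need > cap)
        return 0;
    Ehdr64 eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;                             /* ELFCLASS64 */
    eh.e_ident[5] = 1;                             /* ELFDATA2LSB, matching the host */
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Phdr64);
    eh.e_phnum = claimed;
    memset(out, 0, need);
    memcpy(out, &eh, sizeof eh);
    static const uint32_t types[3] = { PT_INTERP, PT_LOAD, PT_DYNAMIC };
    for (uint16_t i = 0; i < real; i++) {
        Phdr64 ph;
        memset(&ph, 0, sizeof ph);
        ph.p_type = types[i % 3];
        memcpy(out + sizeof eh + (size_t)i * sizeof ph, &ph, sizeof ph);
    }
    return need;
}

/* Exercise the checks on three constructed inputs; returns the number of failed
 * expectations (0 on success) so the outcome can be asserted, not just printed. */
static int run_demo(void)
{
    unsigned char img[sizeof(Ehdr64) + 4 * sizeof(Phdr64)];
    int failures = 0;
    /* 1. Honest file: three headers present, e_phnum == 3. */
    size_t n = build_sample(img, sizeof img, 3, 3);
    failures += (find_ptype_checked(img, n, PT_LOAD) != 1);
    failures += (find_ptype_checked(img, n, PT_DYNAMIC) != 2);
    failures += (find_ptype_checked(img, n, 0x60000000u) != -1);   /* absent type */
    /* 2. Crafted file: three headers present, e_phnum claims 3000. A loop that trusts
     *    e_phnum reads far past the buffer; the checked lookup rejects the table. */
    n = build_sample(img, sizeof img, 3, 3000);
    failures += (find_ptype_checked(img, n, PT_LOAD) != -1);
    /* 3. Truncated file: only 20 bytes of the header survive. */
    failures += (find_ptype_checked(img, 20, PT_LOAD) != -1);
    return failures;
}

int main(void)
{
    int f = run_demo();
    printf("%s (%d failed checks)\n", f == 0 ? "all bounds checks behaved" : "FAILED", f);
    return f != 0;
}
```

The check is deliberately made against the number of bytes actually read into memory, not against the size the ELF header claims, and a table that does not fit is rejected rather than clamped: an unpacker that silently truncates the table would go on to decompress with a partial view of the segments, which is a worse failure mode than refusing the file.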

jreiser added a commit that referenced this issue Oct 3, 2017
@jreiser jreiser closed this as completed Oct 3, 2017
@markus-oberhumer markus-oberhumer added this to the v3.95 milestone Oct 13, 2017
@carnil

carnil commented Nov 17, 2017

This issue has been assigned CVE-2017-15056
