An Invalid Pointer Read occurs in PackLinuxElf64::unpack() while decompressing a crafted binary.
ASAN reports:
➜ origin ./upx --version
upx 3.94-git-d31947e1f016
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43
Copyright (C) 1996-2017 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2017 Laszlo Molnar
Copyright (C) 2000-2017 John F. Reiser
Copyright (C) 2002-2017 Jens Medoch
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
Copyright (C) 1999-2006 Igor Pavlov
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
➜ origin ./upx -d -o /dev/null -f POC1
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX git-d31947 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
=================================================================
==18371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00000bf10 at pc 0x00000068ab40 bp 0x7ffcdf76a020 sp 0x7ffcdf76a018
READ of size 4 at 0x61a00000bf10 thread T0
#0 0x68ab3f in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
#1 0x68ab3f in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
#2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
#3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
#4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
#5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
#6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
#7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
#8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
#9 0x7fedb781782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
Shadow bytes around the buggy address:
0x0c347fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c347fff97e0: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18371==ABORTING
➜ origin ./upx -d -o /dev/null -f POC2
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX git-d31947 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
ASAN:DEADLYSIGNAL
=================================================================
==18378==ERROR: AddressSanitizer: SEGV on unknown address 0x71200000bf10 (pc 0x00000068ab25 bp 0x7ffcf86a73d0 sp 0x7ffcf86a73d0 T0)
#0 0x68ab24 in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
#1 0x68ab24 in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
#2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
#3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
#4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
#5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
#6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
#7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
#8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
#9 0x7f267df9982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
==18378==ABORTING
➜ origin ./upx -d -o /dev/null -f POC3
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX git-d31947 Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017
File size Ratio Format Name
-------------------- ------ ----------- -----------
ASAN:DEADLYSIGNAL
=================================================================
==18385==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000068ab25 bp 0x7ffd0ddfd550 sp 0x7ffd0ddfd550 T0)
#0 0x68ab24 in get_le32(void const*) /home/bm/Desktop/Origin/upx/src/./bele.h:164:12
#1 0x68ab24 in N_BELE_RTP::LEPolicy::get32(void const*) const /home/bm/Desktop/Origin/upx/src/./bele_policy.h:192
#2 0x5a6041 in Packer::get_te32(void const*) const /home/bm/Desktop/Origin/upx/src/./packer.h:296:59
#3 0x5a6041 in PackLinuxElf64::elf_find_ptype(unsigned int, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:1410
#4 0x5a6041 in PackLinuxElf64::unpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/p_lx_elf.cpp:3834
#5 0x6315e3 in Packer::doUnpack(OutputFile*) /home/bm/Desktop/Origin/upx/src/packer.cpp:107:5
#6 0x68b916 in do_one_file(char const*, char*) /home/bm/Desktop/Origin/upx/src/work.cpp:173:9
#7 0x68c479 in do_files(int, int, char**) /home/bm/Desktop/Origin/upx/src/work.cpp:300:13
#8 0x561f3c in main /home/bm/Desktop/Origin/upx/src/main.cpp:1535:5
#9 0x7f7db42da82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#10 0x41a418 in _start (/home/bm/Desktop/fuzz_upx/origin/upx+0x41a418)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/bm/Desktop/Origin/upx/src/./bele.h:164:12 in get_le32(void const*)
==18385==ABORTING
➜ origin
POC.zip
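All three traces end in get_le32() called from PackLinuxElf64::elf_find_ptype(), i.e. while reading the p_type field of a program header whose pointer was handed over by unpack() (p_lx_elf.cpp:3834); in POC1 the address is just outside a heap allocation, in POC2 and POC3 it is a wild or null address. The report does not say which header field the POCs corrupt, so what follows is an added example, not UPX's code and not the reporter's: a stand-alone ELF64 program-header walker that shows the unchecked read beside a version that validates e_phoff, e_phnum and e_phentsize against the buffer length before dereferencing anything. The sample bytes are constructed here, and the premise that the bad pointer comes from header fields taken on trust is an inference from the trace, not something the report states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 layout, same offsets as <elf.h>, redeclared so this builds
   stand-alone. Only the fields used below are named. */
#define EHDR64_SIZE  64
#define PHDR64_SIZE  56
#define E_PHOFF      32   /* uint64_t e_phoff */
#define E_PHENTSIZE  54   /* uint16_t e_phentsize */
#define E_PHNUM      56   /* uint16_t e_phnum */
#define PT_LOAD       1
#define PT_DYNAMIC    2
#define PT_NOTE       4

/* Little-endian readers/writers; le32() does the same job as the
   get_le32() frame at the top of each ASAN trace. */
static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t le64(const unsigned char *p) { return (uint64_t)le32(p) | (uint64_t)le32(p + 4) << 32; }
static void put_le16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put_le32(unsigned char *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
static void put_le64(unsigned char *p, uint64_t v) { put_le32(p, (uint32_t)v); put_le32(p + 4, (uint32_t)(v >> 32)); }

/* Unchecked walk: trusts e_phoff/e_phnum straight from the file. With a
   crafted header the le32() read lands outside buf, which is the shape of
   the "READ of size 4" in get_le32() reported above. Never give it
   untrusted input; it is here only as the "before" of the check. */
int find_ptype_unchecked(const unsigned char *buf, uint32_t want)
{
    uint64_t phoff = le64(buf + E_PHOFF);
    uint16_t phentsize = le16(buf + E_PHENTSIZE);
    uint16_t phnum = le16(buf + E_PHNUM);
    for (uint16_t i = 0; i < phnum; i++)
        if (le32(buf + phoff + (uint64_t)i * phentsize) == want)
            return i;
    return -1;
}

/* Checked walk: index of the first program header whose p_type == want,
   -1 if none, -2 if the header table is not entirely inside buf[0..len). */
int find_ptype_checked(const unsigned char *buf, size_t len, uint32_t want)
{
    if (len < EHDR64_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0) return -2;
    if (buf[4] != 2 || buf[5] != 1) return -2;       /* ELFCLASS64 + ELFDATA2LSB only */
    uint64_t phoff = le64(buf + E_PHOFF);
    uint16_t phentsize = le16(buf + E_PHENTSIZE);
    uint16_t phnum = le16(buf + E_PHNUM);
    if (phentsize < PHDR64_SIZE) return -2;         /* each entry must hold a full Phdr */
    /* Bounds check written with subtraction so phoff + phnum*phentsize
       cannot wrap around and pass by accident. */
    if (phoff > len) return -2;
    if ((uint64_t)phnum * phentsize > len - phoff) return -2;
    for (uint16_t i = 0; i < phnum; i++)
        if (le32(buf + phoff + (size_t)i * phentsize) == want)
            return i;
    return -1;
}

/* Constructed sample (not one of the attached POCs): a 64-byte ELF header
   followed by two program headers, PT_LOAD then PT_DYNAMIC. */
#define SAMPLE_LEN (EHDR64_SIZE + 2 * PHDR64_SIZE)
size_t build_sample(unsigned char *out)
{
    memset(out, 0, SAMPLE_LEN);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;             /* 64-bit, little-endian, EV_CURRENT */
    put_le16(out + 52, EHDR64_SIZE);                /* e_ehsize */
    put_le64(out + E_PHOFF, EHDR64_SIZE);
    put_le16(out + E_PHENTSIZE, PHDR64_SIZE);
    put_le16(out + E_PHNUM, 2);
    put_le32(out + EHDR64_SIZE, PT_LOAD);
    put_le32(out + EHDR64_SIZE + PHDR64_SIZE, PT_DYNAMIC);
    return SAMPLE_LEN;
}

/* Rebuild the sample, overwrite one header field the way a fuzzer would
   (width 0 = leave it intact), and return the checked walker's verdict. */
static int probe(size_t off, uint64_t value, int width, uint32_t want)
{
    unsigned char b[SAMPLE_LEN];
    size_t n = build_sample(b);
    if (width == 2) put_le16(b + off, (uint16_t)value);
    if (width == 8) put_le64(b + off, value);
    return find_ptype_checked(b, n, want);
}
int demo_valid(void)             { return probe(0, 0, 0, PT_DYNAMIC); }            /* 1  */
int demo_missing(void)           { return probe(0, 0, 0, PT_NOTE); }               /* -1 */
int demo_phnum_overclaimed(void) { return probe(E_PHNUM, 0xFFFF, 2, PT_DYNAMIC); } /* -2 */
int demo_phoff_past_end(void)    { return probe(E_PHOFF, SAMPLE_LEN, 8, PT_DYNAMIC); }      /* -2 */
int demo_phoff_huge(void)        { return probe(E_PHOFF, UINT64_MAX - 8, 8, PT_DYNAMIC); }  /* -2 */
int demo_unchecked_on_valid(void) { unsigned char b[SAMPLE_LEN]; build_sample(b); return find_ptype_unchecked(b, PT_DYNAMIC); } /* 1 */

int main(void)
{
    printf("valid PT_DYNAMIC index : %d\n", demo_valid());
    printf("PT_NOTE absent         : %d\n", demo_missing());
    printf("e_phnum = 0xFFFF       : %d\n", demo_phnum_overclaimed());
    printf("e_phoff = file size    : %d\n", demo_phoff_past_end());
    printf("e_phoff near UINT64_MAX: %d\n", demo_phoff_huge());
    return 0;
}
```

Built with -fsanitize=address the program runs clean because only the checked walker ever sees the mutated buffers; routing the same buffers through find_ptype_unchecked() instead yields an out-of-bounds READ of size 4 inside le32() for the overclaimed e_phnum case and a SEGV on a wild address for the huge e_phoff case, the two shapes seen in the traces above. The check itself is the point: the table extent is compared as `phnum * phentsize > len - phoff` after `phoff > len` has been ruled out, so an attacker-chosen e_phoff cannot wrap the sum back inside the buffer.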