Double free ( memory clobbered ) in PackLinuxElf64::unpack #207
./upx.out --version
upx 3.95-git-d9288213ec15

This is a bug in decompression (upx -d or upx -t); it is more significant than bugs in compression.
Crash when trying to free an invalid pointer: mem.cpp detects the invalid double free and throws an exception (SIGABRT).

#9 0x0000000000465a65 in throwInternalError (msg=msg@entry=0x67a348 "memory clobbered past end of allocated block") at except.cpp:155
#10 0x00000000004dacce in MemBuffer::checkState (this=0x7fffffffd360) at mem.cpp:180
#11 MemBuffer::dealloc (this=0x7fffffffd360) at mem.cpp:92
#12 MemBuffer::~MemBuffer (this=0x7fffffffd360, __in_chrg=) at mem.cpp:73
#13 0x00000000005045bc in PackLinuxElf64::unpack (this=, fo=) at p_lx_elf.cpp:3923

When an attacker could make a fake chunk at that pointer, it causes a double-free vulnerability, and the attacker is able to get code execution.

Comments

poc here

It looks like the behavior was changed in commit 9fddd: work in progress: de-compression of --android-shlib. Before the commit And after the commit, the above

Markus, this is a bug in ucl-1.03. I have a patch, but the ucl-1.03 source has bitrot and cannot be compiled. The fix that I want to try for ucl-1.03 is: I believe that the "m_len + 1" in should match the "m_len + 1" in because it is the number of increments of olen in the copy step. Trying to re-build ucl-1.03 fails because: (./config.log)

John, to compile ucl-1.03 you might want to apply 04-Static-assert.patch from https://sources.debian.org/src/ucl/1.03+repack-4/debian/patches/ Anyway, I've just checked that after patching

@roblub Yes, the 04-Static-assert.patch fixes the compile error during configuration. Thank you. Also, the complaint from upx "Exception: compressed data violation" is correct; the input file poc_free is from a fuzzer seeking to test the robustness of upx -d against malformed input. @markus-oberhumer The patch in #207 (comment) does fix the bug in ucl-1.03. The patches from roblub #207 (comment) should also be applied to update UCL to a more modern software environment.

Was this issue ever addressed? Thanks in advance!

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days.

Fixed in devel4 branch.
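The backtrace in the report shows the crash being raised by a guard check (MemBuffer::checkState) at release time rather than by the overrun itself. The following is an added illustration of that defensive pattern, not UPX's MemBuffer or UCL's code: a hypothetical GuardedBuffer class brackets the usable region with magic words and refuses to free a block whose guards were overwritten, and a hypothetical copyMatch() models the mismatch the thread diagnoses (a bound check counting m_len while the copy writes m_len + 1 bytes). The magic values, the sample bytes and all function names are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <stdexcept>

// Constructed guard words (not UPX's values).
constexpr std::uint32_t kHeadMagic = 0xDEADBEEFu;
constexpr std::uint32_t kTailMagic = 0xFEEDFACEu;
constexpr std::size_t kGuard = sizeof(std::uint32_t);

// Hypothetical GuardedBuffer: [head guard][n usable bytes][tail guard].
// checkState() verifies both guards; dealloc() refuses to hand a clobbered
// block back to the allocator, so a decompressor overrun surfaces as an
// exception at release time instead of a corrupted heap.
class GuardedBuffer {
public:
    explicit GuardedBuffer(std::size_t n) : size_(n) {
        raw_ = new unsigned char[kGuard + n + kGuard];
        std::memcpy(raw_, &kHeadMagic, kGuard);
        std::memcpy(raw_ + kGuard + n, &kTailMagic, kGuard);
    }
    ~GuardedBuffer() {
        // A destructor must not throw: release only an intact block and
        // deliberately leak a damaged one rather than free it.
        if (raw_ != nullptr && guardsIntact()) delete[] raw_;
        raw_ = nullptr;
    }
    GuardedBuffer(const GuardedBuffer&) = delete;
    GuardedBuffer& operator=(const GuardedBuffer&) = delete;

    unsigned char* data() { return raw_ + kGuard; }
    std::size_t size() const { return size_; }

    bool guardsIntact() const {
        return std::memcmp(raw_, &kHeadMagic, kGuard) == 0 &&
               std::memcmp(raw_ + kGuard + size_, &kTailMagic, kGuard) == 0;
    }
    void checkState() const {
        if (!guardsIntact())
            throw std::runtime_error("memory clobbered past end of allocated block");
    }
    void dealloc() {
        checkState();   // loud version of the destructor's silent check
        delete[] raw_;
        raw_ = nullptr;
    }

private:
    unsigned char* raw_ = nullptr;
    std::size_t size_;
};

// Simulated copy step: writes m_len + 1 bytes at offset olen. With
// correctBound == false the bound check counts only m_len bytes, the
// mismatch described in the thread; with correctBound == true the malformed
// stream is rejected before any byte is written.
static std::size_t copyMatch(GuardedBuffer& dst, std::size_t olen,
                             const unsigned char* src, std::size_t m_len,
                             bool correctBound) {
    const std::size_t need = correctBound ? m_len + 1 : m_len;
    if (olen + need > dst.size())
        throw std::runtime_error("compressed data violation");
    for (std::size_t i = 0; i <= m_len; ++i)
        dst.data()[olen + i] = src[i];
    return olen + m_len + 1;
}

// Constructed sample input: an 8-byte output buffer receives a 5-byte copy
// (m_len = 4) at offset 4, so the last byte lands on the tail guard.
static const unsigned char kSample[8] = {1, 2, 3, 4, 5, 6, 7, 8};

// Off-by-one bound: the overrun is caught by checkState().
bool overrunIsDetected() {
    GuardedBuffer out(8);
    copyMatch(out, 4, kSample, 4, /*correctBound=*/false);
    try { out.checkState(); } catch (const std::runtime_error&) { return true; }
    return false;
}

// Correct bound: the same stream is rejected and the guards stay intact.
bool correctBoundRejects() {
    GuardedBuffer out(8);
    try { copyMatch(out, 4, kSample, 4, /*correctBound=*/true); }
    catch (const std::runtime_error&) { return out.guardsIntact(); }
    return false;
}

// A well-formed copy passes the check and the block is released normally.
bool cleanBufferFrees() {
    GuardedBuffer out(8);
    std::size_t olen = copyMatch(out, 0, kSample, 3, /*correctBound=*/true);
    out.checkState();
    out.dealloc();
    return olen == 4;
}

int main() {
    return (overrunIsDetected() && correctBoundRejects() && cleanBufferFrees()) ? 0 : 1;
}
```

The point of the guard is placement: checking at release time is what turns the fuzzer's malformed input into the "compressed data violation" / "memory clobbered" reports seen in the thread rather than a silent heap corruption, and the destructor leaking a damaged block instead of freeing it is what keeps the detection from itself becoming the double free.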