$ ../upx.out -o foo poc-buffer-overflow
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2019
UPX git-593a69+ Markus Oberhumer, Laszlo Molnar & John Reiser Feb 24th 2019
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx.out: poc-buffer-overflow: UnknownExecutableFormatException
Packed 0 files.
WARNING: this is an unstable beta version - use for testing only! Really.
That might not be the best diagnosis, but at least it has no buffer overflow.
What's the problem (or question)?
An issue was discovered in upx 3.95. There is a buffer overflow in function canUnpack at p_vmlinx.cpp:583
upx.out -l @@ /dev/null
What should have happened?
List the compressed file.
Do you have an idea for a solution?
Check for the buffer overflow correctly.
How can we reproduce the issue?
upx.out -l @@ /dev/null
The PoC is attached: poc
source
debug

pwndbg> p shstrtab
$5 = 0x611000009f00 "\200"
pwndbg> p p->sh_name
$6 = {
  d = "\377\377\377\377"
}
pwndbg> p sizeof(p->sh_name )
$7 = 4
pwndbg> p/x p->sh_name
$8 = {
  d = {0xff, 0xff, 0xff, 0xff}
}
pwndbg>

bug report
ASAN:SIGSEGV
=================================================================
==8931==ERROR: AddressSanitizer: SEGV on unknown address 0x611100009eff (pc 0x7f66aca7d05e bp 0x7fff0bf97d90 sp 0x7fff0bf97520 T0)
    #0 0x7f66aca7d05d (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x4705d)
    #1 0x6d3087 in PackVmlinuxBase<N_Elf::ElfClass_32<N_BELE_CTP::LEPolicy> >::canUnpack() /home/jl/work/projects/upx/upx/src/p_vmlinx.cpp:583
    #2 0x7a7e1d in try_unpack /home/jl/work/projects/upx/upx/src/packmast.cpp:114
    #3 0x7ac2e4 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/jl/work/projects/upx/upx/src/packmast.cpp:178
    #4 0x7b5282 in PackMaster::getUnpacker(InputFile*) /home/jl/work/projects/upx/upx/src/packmast.cpp:248
    #5 0x7b694b in PackMaster::list() /home/jl/work/projects/upx/upx/src/packmast.cpp:279
    #6 0x8604db in do_one_file(char const*, char*) /home/jl/work/projects/upx/upx/src/work.cpp:164
    #7 0x8615fa in do_files(int, int, char**) /home/jl/work/projects/upx/upx/src/work.cpp:271
    #8 0x468b28 in main /home/jl/work/projects/upx/upx/src/main.cpp:1539
    #9 0x7f66ab1cd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x4030f8 in _start (/home/jl/work/up_projects/fuzz-upx/crashes/upx.out.debug+0x4030f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==8931==ABORTING

Please tell us details about your environment.
upx 3.95
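The debug session shows why the read faults: shstrtab is 0x611000009f00 and sh_name is 0xffffffff, and their sum is exactly the SEGV address 0x611100009eff, so the name offset was added to the string-table pointer without being checked against the table's size. The following is an added example (not UPX's code) of the kind of bounds check the report asks for; the NameTable struct, section_name, section_is and sample_table are hypothetical names, and the string table is constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal view of what the lookup needs: the .shstrtab bytes
 * and their length. An Elf32_Shdr.sh_name is an offset into this table. */
typedef struct {
    const char *shstrtab;     /* start of the section-name string table */
    size_t      shstrtab_len; /* its size in bytes, taken from the header */
} NameTable;

/* Return the NUL-terminated name at offset sh_name, or NULL when the offset
 * lies outside the table or the name is not terminated inside it. Computing
 * shstrtab + sh_name without this check is what dereferences 4 GiB past the
 * table when sh_name == 0xffffffff. */
const char *section_name(const NameTable *t, uint32_t sh_name)
{
    if (t->shstrtab == NULL || sh_name >= t->shstrtab_len)
        return NULL;
    /* memchr bounds the scan, so an unterminated table cannot run off its end */
    if (memchr(t->shstrtab + sh_name, '\0', t->shstrtab_len - sh_name) == NULL)
        return NULL;
    return t->shstrtab + sh_name;
}

/* Safe replacement for strcmp(shstrtab + sh_name, want): 1 on match, else 0. */
int section_is(const NameTable *t, uint32_t sh_name, const char *want)
{
    const char *s = section_name(t, sh_name);
    return s != NULL && strcmp(s, want) == 0;
}

/* Constructed sample .shstrtab: "\0.text\0.shstrtab\0" (17 bytes). */
const NameTable *sample_table(void)
{
    static const char tab[] = "\0.text\0.shstrtab";
    static const NameTable t = { tab, sizeof tab };
    return &t;
}

int main(void)
{
    const NameTable *t = sample_table();
    printf("offset 1 is .text: %d\n", section_is(t, 1, ".text"));
    /* The offset from the report is rejected instead of dereferenced. */
    printf("offset 0xffffffff accepted: %d\n", section_name(t, 0xffffffffu) != NULL);
    return 0;
}
```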