Floating-point exception abort (DoS) in PackLinuxElf::elf_hash() of p_lx_elf.cpp:4569 #313

Closed
gutiniao opened this issue Nov 13, 2019 · 3 comments
@gutiniao

A crafted input will lead to a crash in p_lx_elf.cpp at UPX 3.95 (latest version, git clone from master)

Triggered by
./upx.out -d -f POC

OS: Ubuntu 18.04.3 LTS

CPU architecture: x86_64

PoC: 004

The ASAN information is as follows:

./upx.out -d -f 004
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX git-7a3637  Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
ASAN:DEADLYSIGNAL
=================================================================
==25694==ERROR: AddressSanitizer: FPE on unknown address 0x56546ce3bc42 (pc 0x56546ce3bc42 bp 0x0c3800000076 sp 0x7ffd4ae6cf90 T0)
    #0 0x56546ce3bc41 in PackLinuxElf::elf_hash(char const*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4569
    #1 0x56546ce3bc41 in PackLinuxElf32::elf_lookup(char const*) const /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4586
    #2 0x56546ce5e1ae in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:310
    #3 0x56546ce5f54c in PackLinuxElf32Le::PackLinuxElf32Le(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.h:383
    #4 0x56546ce5f54c in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4238
    #5 0x56546ce5f54c in PackBSDElf32x86::PackBSDElf32x86(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4255
    #6 0x56546ce5f54c in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4266
    #7 0x56546cef7e96 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/liuz/upx-asan/upx/src/packmast.cpp:190
    #8 0x56546cef9e70 in PackMaster::getUnpacker(InputFile*) /home/liuz/upx-asan/upx/src/packmast.cpp:248
    #9 0x56546cef9f8f in PackMaster::unpack(OutputFile*) /home/liuz/upx-asan/upx/src/packmast.cpp:266
    #10 0x56546cf360ae in do_one_file(char const*, char*) /home/liuz/upx-asan/upx/src/work.cpp:160
    #11 0x56546cf3655f in do_files(int, int, char**) /home/liuz/upx-asan/upx/src/work.cpp:271
    #12 0x56546cdceba6 in main /home/liuz/upx-asan/upx/src/main.cpp:1539
    #13 0x7f3c78a17b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x56546cdcfca9 in _start (/home/liuz/upx-asan/upx/src/upx.out+0x5bca9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4569 in PackLinuxElf::elf_hash(char const*)
==25694==ABORTING
@jreiser (Collaborator)

jreiser commented Nov 13, 2019

Fixed on tip of devel branch.

$ sha256sum 004
2c679253077ab90e96909bf4012b25cb7ef338240da8a388e179642802d5cf18  004
$ upx.out -d -f -o foo 004
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2019
UPX git-e2833c+ Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 24th 2019

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx.out: 004: CantUnpackException: bad PT_DYNAMIC phdr[4]

@jreiser (Collaborator)

jreiser commented Nov 13, 2019

$ readelf --segments 004
readelf: 004: Error: Reading 1000 bytes extends past end of file for section headers   ## expected because compressed

Elf file type is DYN (Shared object file)
Entry point 0x0
There are 7 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00000034 0x00000034 0x000e0 0x000e0 R   0x4
  <unknown>: fa0 0x000113 0x00000114 0x00000114 0x00013 0x00013 R   0x1   ## corrupted
  LOAD           0x000000 0x00000000 0x00000000 0x00374 0x00374 R E 0x1000
  LOAD           0x000ed0 0x00001ed0 0x00001ed0 0x00134 0x00134 RW  0x1000
  DYNAMIC        0x000ee0 0x00001ee0 0x30303030 0x30303030 0x30303030     0x30303030   ## corrupted
readelf: 004: Error: the dynamic segment offset + size exceeds the size of the file
  <unknown>: 303 0x30303030 0x30303030 0x30303030 0x30303030 0x30303030     0x30303030
  <unknown>: 303 0x30303030 0x30303030 0x30303030 0x30303030 0x30303030  WE 0xcbcbcbcb

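As an added illustration (not UPX's code and not the fix jreiser committed on devel), the C below performs the two checks this thread implies. It walks the ELF32 program headers of a constructed sample image and rejects a PT_DYNAMIC entry whose offset plus filesz runs past end of file, the condition readelf flags above and what the devel-branch CantUnpackException reports; and it guards the SysV DT_HASH bucket computation against nbucket == 0. The trace places the FPE in elf_lookup (with elf_hash inlined); on x86-64 an integer FPE is a division by zero, and the gABI lookup computes hash % nbucket, so the guard assumes that is the failing operand. The page does not show the exact expression. The sample image, the function names and the return codes are this example's own, and the byte reads assume an ELFDATA2LSB file like the one on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers/writers: the PoC on the page is ELFCLASS32 / ELFDATA2LSB. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

#define EHDR32_SIZE 52   /* sizeof(Elf32_Ehdr) */
#define PHDR32_SIZE 32   /* sizeof(Elf32_Phdr) */
#define PT_DYNAMIC  2

/* Return codes of this example (assumed names, not UPX's). */
enum { DYN_OK = 0, DYN_BAD_EHDR = -1, DYN_BAD_PHTAB = -2, DYN_MISSING = -3, DYN_BAD_PHDR = -4 };

/* Find PT_DYNAMIC in an ELF32 LSB image and verify the segment lies inside the file.
 * On DYN_OK or DYN_BAD_PHDR, *idx/*off/*sz describe the entry that was examined. */
int check_pt_dynamic(const uint8_t *buf, size_t len, int *idx, uint32_t *off, uint32_t *sz) {
    if (len < EHDR32_SIZE || memcmp(buf, "\x7f" "ELF", 4) != 0 ||
        buf[4] != 1 /* ELFCLASS32 */ || buf[5] != 1 /* ELFDATA2LSB */)
        return DYN_BAD_EHDR;
    uint32_t phoff = rd32(buf + 28);                      /* e_phoff */
    uint16_t phentsize = rd16(buf + 42), phnum = rd16(buf + 44);
    /* The phdr table itself must fit; divide instead of multiplying so phnum cannot overflow. */
    if (phentsize != PHDR32_SIZE || phoff > len || phnum > (len - phoff) / PHDR32_SIZE)
        return DYN_BAD_PHTAB;
    for (int i = 0; i < phnum; i++) {
        const uint8_t *ph = buf + phoff + (size_t)i * PHDR32_SIZE;
        if (rd32(ph) != PT_DYNAMIC) continue;             /* p_type */
        uint32_t p_offset = rd32(ph + 4), p_filesz = rd32(ph + 16);
        *idx = i; *off = p_offset; *sz = p_filesz;
        /* readelf's "dynamic segment offset + size exceeds the size of the file", overflow-safe. */
        if (p_offset > len || p_filesz > len - p_offset) return DYN_BAD_PHDR;
        return DYN_OK;
    }
    return DYN_MISSING;
}

/* SysV ELF hash, the algorithm behind DT_HASH, as given in the ELF gABI. */
uint32_t sysv_elf_hash(const char *name) {
    uint32_t h = 0, g;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h << 4) + *p;
        g = h & 0xf0000000u;
        if (g) h ^= g >> 24;
        h &= ~g;
    }
    return h;
}

/* Bucket selection guarded against nbucket == 0. An integer division by zero is what
 * raises SIGFPE on x86; a zero nbucket from a corrupted DT_HASH is assumed here to be the
 * trigger (the page shows only the FPE location). Returns -1 instead of trapping. */
long sysv_bucket(const char *name, uint32_t nbucket) {
    if (nbucket == 0) return -1;
    return (long)(sysv_elf_hash(name) % nbucket);
}

#define SAMPLE_LEN 256
/* Constructed sample image (not the page's PoC): ELF32 LSB header, one PT_LOAD, then a
 * PT_DYNAMIC whose offset/filesz the caller chooses, so a corrupted entry can be tried. */
static size_t build_sample(uint8_t *buf, uint32_t dyn_off, uint32_t dyn_filesz) {
    memset(buf, 0, SAMPLE_LEN);
    memcpy(buf, "\x7f" "ELF\x01\x01\x01", 7);   /* magic, ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    wr16(buf + 16, 3);                          /* e_type = ET_DYN */
    wr16(buf + 18, 3);                          /* e_machine = EM_386 */
    wr32(buf + 20, 1);                          /* e_version */
    wr32(buf + 28, EHDR32_SIZE);                /* e_phoff: phdrs directly follow the header */
    wr16(buf + 40, EHDR32_SIZE);                /* e_ehsize */
    wr16(buf + 42, PHDR32_SIZE);                /* e_phentsize */
    wr16(buf + 44, 2);                          /* e_phnum */
    uint8_t *ph = buf + EHDR32_SIZE;
    wr32(ph, 1); wr32(ph + 4, 0); wr32(ph + 16, SAMPLE_LEN); wr32(ph + 20, SAMPLE_LEN); /* PT_LOAD */
    ph += PHDR32_SIZE;
    wr32(ph, PT_DYNAMIC); wr32(ph + 4, dyn_off); wr32(ph + 16, dyn_filesz); wr32(ph + 20, dyn_filesz);
    return SAMPLE_LEN;
}

/* Build the sample with the given PT_DYNAMIC fields and return check_pt_dynamic's verdict. */
int check_sample(uint32_t dyn_off, uint32_t dyn_filesz) {
    uint8_t img[SAMPLE_LEN]; int idx = -1; uint32_t off = 0, sz = 0;
    size_t n = build_sample(img, dyn_off, dyn_filesz);
    return check_pt_dynamic(img, n, &idx, &off, &sz);
}

int main(void) {
    printf("sane PT_DYNAMIC -> %d, p_filesz=0x30303030 -> %d\n",
           check_sample(0x80, 0x40), check_sample(0x80, 0x30303030u));
    printf("bucket for \"ab\" with nbucket 0 -> %ld (guarded, no SIGFPE)\n", sysv_bucket("ab", 0));
    return 0;
}
```

The 0x30303030 value fed to the second call mirrors the corrupted phdr[4] fields in the readelf listing above; the check rejects it before any data at that offset is read, which is the order the devel-branch message "bad PT_DYNAMIC phdr[4]" suggests.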
@jreiser jreiser closed this as completed Nov 16, 2019
@carnil

carnil commented Dec 28, 2019

CVE-2019-20051 was assigned for this issue.

@markus-oberhumer markus-oberhumer added this to the v3.96 milestone Jan 16, 2020

4 participants