A crafted input will lead to a crash in p_lx_elf.cpp at UPX 3.95 (latest version, git clone from master)
Triggered by ./upx.out -d -f POC
OS: Ubuntu 18.04.3 LTS
CPU architecture: x86_64
Poc 004
The ASAN information is as follows:
./upx.out -d -f 004
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2018
UPX git-7a3637  Markus Oberhumer, Laszlo Molnar & John Reiser   Aug 26th 2018

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
ASAN:DEADLYSIGNAL
=================================================================
==25694==ERROR: AddressSanitizer: FPE on unknown address 0x56546ce3bc42 (pc 0x56546ce3bc42 bp 0x0c3800000076 sp 0x7ffd4ae6cf90 T0)
    #0 0x56546ce3bc41 in PackLinuxElf::elf_hash(char const*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4569
    #1 0x56546ce3bc41 in PackLinuxElf32::elf_lookup(char const*) const /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4586
    #2 0x56546ce5e1ae in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:310
    #3 0x56546ce5f54c in PackLinuxElf32Le::PackLinuxElf32Le(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.h:383
    #4 0x56546ce5f54c in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4238
    #5 0x56546ce5f54c in PackBSDElf32x86::PackBSDElf32x86(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4255
    #6 0x56546ce5f54c in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile*) /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4266
    #7 0x56546cef7e96 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/liuz/upx-asan/upx/src/packmast.cpp:190
    #8 0x56546cef9e70 in PackMaster::getUnpacker(InputFile*) /home/liuz/upx-asan/upx/src/packmast.cpp:248
    #9 0x56546cef9f8f in PackMaster::unpack(OutputFile*) /home/liuz/upx-asan/upx/src/packmast.cpp:266
    #10 0x56546cf360ae in do_one_file(char const*, char*) /home/liuz/upx-asan/upx/src/work.cpp:160
    #11 0x56546cf3655f in do_files(int, int, char**) /home/liuz/upx-asan/upx/src/work.cpp:271
    #12 0x56546cdceba6 in main /home/liuz/upx-asan/upx/src/main.cpp:1539
    #13 0x7f3c78a17b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #14 0x56546cdcfca9 in _start (/home/liuz/upx-asan/upx/src/upx.out+0x5bca9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/liuz/upx-asan/upx/src/p_lx_elf.cpp:4569 in PackLinuxElf::elf_hash(char const*)
==25694==ABORTING
Fixed on tip of devel branch.
$ sha256sum 004
2c679253077ab90e96909bf4012b25cb7ef338240da8a388e179642802d5cf18  004
$ upx.out -d -f -o foo 004
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2019
UPX git-e2833c+ Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 24th 2019

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx.out: 004: CantUnpackException: bad PT_DYNAMIC phdr[4]
$ readelf --segments 004
readelf: 004: Error: Reading 1000 bytes extends past end of file for section headers   ## expected because compressed

Elf file type is DYN (Shared object file)
Entry point 0x0
There are 7 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x00000034 0x00000034 0x000e0 0x000e0 R   0x4
  <unknown>: fa0 0x000113 0x00000114 0x00000114 0x00013 0x00013 R   0x1   ## corrupted
  LOAD           0x000000 0x00000000 0x00000000 0x00374 0x00374 R E 0x1000
  LOAD           0x000ed0 0x00001ed0 0x00001ed0 0x00134 0x00134 RW  0x1000
  DYNAMIC        0x000ee0 0x00001ee0 0x30303030 0x30303030 0x30303030 0x30303030   ## corrupted
readelf: 004: Error: the dynamic segment offset + size exceeds the size of the file
  <unknown>: 303 0x30303030 0x30303030 0x30303030 0x30303030 0x30303030 0x30303030
  <unknown>: 303 0x30303030 0x30303030 0x30303030 0x30303030 0x30303030 WE  0xcbcbcbcb
CVE-2019-20051 was assigned for this issue.
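The readelf error above ("the dynamic segment offset + size exceeds the size of the file") and the devel-branch rejection of phdr[4] both come down to bounds-checking PT_DYNAMIC against the file before using it. The following is an added example, not UPX's code or its actual fix; the function names, the 0x1000-byte file size and the sample image are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

static uint32_t le32(const unsigned char *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}
static const uint32_t kEhdr32 = 52, kPhdr32 = 32, kPtDynamic = 2;

// Hypothetical helper: returns -1 if every PT_DYNAMIC segment lies inside the
// file, the index of the first one that does not, or -2 if the ELF32-LE header
// or the program header table is itself malformed or out of bounds.
int first_bad_pt_dynamic(const unsigned char *buf, size_t len) {
    if (len < kEhdr32 || memcmp(buf, "\177ELF\1\1", 6) != 0) return -2;
    uint32_t phoff = le32(buf + 28);                       // e_phoff
    uint32_t phentsize = le32(buf + 42) & 0xffff;          // e_phentsize
    uint32_t phnum = le32(buf + 44) & 0xffff;              // e_phnum
    if (phentsize != kPhdr32 || phoff > len || (size_t)phnum * kPhdr32 > len - phoff)
        return -2;
    for (uint32_t i = 0; i < phnum; i++) {
        const unsigned char *ph = buf + phoff + (size_t)i * kPhdr32;
        if (le32(ph) != kPtDynamic) continue;              // p_type
        uint32_t off = le32(ph + 4), filesz = le32(ph + 16);  // p_offset, p_filesz
        // Overflow-safe form of "off + filesz <= len".
        if (off > len || filesz > len - off) return (int)i;
    }
    return -1;
}

// Constructed sample, not the PoC: a 0x1000-byte ELF32-LE image with 7 program
// headers at offset 52; phdr[4] copies the DYNAMIC row of the readelf output.
std::vector<unsigned char> make_sample(uint32_t dyn_filesz) {
    std::vector<unsigned char> f(0x1000, 0);
    memcpy(f.data(), "\177ELF\1\1\1", 7);
    put32(&f[28], 52);                   // e_phoff
    put32(&f[42], 32 | (7u << 16));      // e_phentsize = 32, e_phnum = 7
    unsigned char *ph = &f[52 + 4 * 32];
    put32(ph, kPtDynamic); put32(ph + 4, 0xee0); put32(ph + 16, dyn_filesz);
    return f;
}

int main() {
    std::vector<unsigned char> bad = make_sample(0x30303030), ok = make_sample(0x80);
    printf("corrupted: %d, sane: %d\n", first_bad_pt_dynamic(bad.data(), bad.size()),
           first_bad_pt_dynamic(ok.data(), ok.size()));
}
```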