
Segmentation fault (ASAN: SEGV on unknown address) in the PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() function of p_mach.cpp:1539 #314

Closed
gutiniao opened this issue Nov 14, 2019 · 2 comments
gutiniao commented Nov 14, 2019

A crafted input leads to a crash in p_mach.cpp in UPX 3.95 (latest version, git clone from the devel branch).

Triggered by
./upx.out -d -f POC

OS: Ubuntu 18.04.3 LTS

CPU architecture: x86_64

PoC file: 001

The ASAN information is as follows:

./upx.out -d -f 001 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2019
UPX git-75a2cc  Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 24th 2019

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
ASAN:DEADLYSIGNAL
=================================================================
==24757==ERROR: AddressSanitizer: SEGV on unknown address 0x61a0008012c8 (pc 0x56305de52dbc bp 0x000000000001 sp 0x7ffe0a5d8240 T0)
==24757==The signal is caused by a READ memory access.
    #0 0x56305de52dbb in get_le32(void const*) /home/liuz/upx-asan/upx_new/upx/src/bele.h:164
    #1 0x56305de52dbb in LE32::operator unsigned int() const /home/liuz/upx-asan/upx_new/upx/src/bele.h:416
    #2 0x56305de52dbb in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/liuz/upx-asan/upx_new/upx/src/p_mach.cpp:1539
    #3 0x56305dec45a6 in try_unpack /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:114
    #4 0x56305dec5ad5 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:225
    #5 0x56305dec72b0 in PackMaster::getUnpacker(InputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:248
    #6 0x56305dec73cf in PackMaster::unpack(OutputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:266
    #7 0x56305df034ee in do_one_file(char const*, char*) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:160
    #8 0x56305df0399f in do_files(int, int, char**) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:271
    #9 0x56305dd943e6 in main /home/liuz/upx-asan/upx_new/upx/src/main.cpp:1543
    #10 0x7f4c28335b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x56305dd95549 in _start (/home/liuz/upx-asan/upx_new/upx/src/upx.out+0x5c549)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/liuz/upx-asan/upx_new/upx/src/bele.h:164 in get_le32(void const*)
==24757==ABORTING
@gutiniao gutiniao changed the title Segmentation fault (ASAN: SEGV on unknown address) in the PackLinuxElf32::elf_lookup function of p_lx_elf.cpp:4590 Segmentation fault (ASAN: SEGV on unknown address) in the PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() function of p_mach.cpp:1539 Nov 14, 2019
jreiser added a commit that referenced this issue Nov 16, 2019

jreiser commented Nov 16, 2019

Fixed at tip of devel branch.

$ ../upx.out -d -f -o foo 001 --info
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2019
UPX git-819c33+ Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 24th 2019

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
[WARNING] bad Mach_command[0]{@0x20,+0x560}: file_size=0x2055  cmdsize=0x800048

upx.out: 001: CantUnpackException: file corrupted

Omit the --info to suppress the details.

@jreiser jreiser closed this as completed Nov 29, 2019
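The bug behind this report is a classic parser failure: a load command's cmdsize read from the file was trusted, so a crafted value (here 0x800048 in a 0x2055-byte file) steered the next read outside the mapped input. The following is an added example, not UPX's own code, showing the bounds check a Mach-O load-command walker needs: each cmdsize is validated against the remaining command region (itself validated against the file size) before the next command is touched. The function and helper names, the constant values, the constructed images and the warning format (modelled on the one above) are all this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Alignment-safe little-endian helpers (our own; UPX has get_le32() in bele.h). */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

#define MH_MAGIC_64        0xfeedfacfu
#define MACH_HEADER64_SIZE 32u   /* mach_header_64 is 0x20 bytes: commands start at @0x20 */
#define MACH_LC_MIN_SIZE   8u    /* every load_command carries cmd + cmdsize */

enum { MACH_OK = 0, MACH_TRUNCATED = 1, MACH_BAD_MAGIC = 2, MACH_BAD_CMD = 3 };

/* Walk the load commands of a 64-bit little-endian Mach-O image in memory.
 * Every cmdsize is checked against the command region (and so the file)
 * before the next command is read, so a crafted cmdsize cannot steer the
 * next read past the buffer. Returns MACH_OK or an error code; *visited
 * counts the commands accepted before the first bad one. */
int mach64_walk_commands(const uint8_t *buf, size_t file_size, unsigned *visited)
{
    *visited = 0;
    if (file_size < MACH_HEADER64_SIZE) return MACH_TRUNCATED;
    if (rd_le32(buf) != MH_MAGIC_64) return MACH_BAD_MAGIC;

    uint32_t ncmds = rd_le32(buf + 16);
    uint32_t sizeofcmds = rd_le32(buf + 20);
    /* The command region itself must fit in the file. */
    if (sizeofcmds > file_size - MACH_HEADER64_SIZE) return MACH_TRUNCATED;

    size_t off = MACH_HEADER64_SIZE;
    size_t end = MACH_HEADER64_SIZE + sizeofcmds;     /* end of command region */
    for (uint32_t i = 0; i < ncmds; i++) {
        size_t room = end - off;                      /* bytes left in region */
        if (room < MACH_LC_MIN_SIZE) return MACH_BAD_CMD;
        uint32_t cmdsize = rd_le32(buf + off + 4);
        /* cmdsize must cover its own header, be 8-byte aligned in 64-bit
         * files, and not overrun the region. */
        if (cmdsize < MACH_LC_MIN_SIZE || (cmdsize & 7u) != 0 || cmdsize > room) {
            fprintf(stderr, "[WARNING] bad Mach_command[%u]{@0x%zx,+0x%zx}: "
                    "file_size=0x%zx cmdsize=0x%x\n", i, off, room, file_size, cmdsize);
            return MACH_BAD_CMD;
        }
        off += cmdsize;
        (*visited)++;
    }
    return MACH_OK;
}

/* Constructed minimal image (not a real executable): a mach_header_64 followed
 * by one LC_SEGMENT_64 command whose cmdsize the caller chooses, zero-padded. */
static size_t build_sample(uint8_t *buf, size_t file_size,
                           uint32_t ncmds, uint32_t sizeofcmds, uint32_t cmdsize)
{
    memset(buf, 0, file_size);
    wr_le32(buf + 0, MH_MAGIC_64);
    wr_le32(buf + 4, 0x01000007u);   /* CPU_TYPE_X86_64 */
    wr_le32(buf + 12, 2u);           /* MH_EXECUTE */
    wr_le32(buf + 16, ncmds);
    wr_le32(buf + 20, sizeofcmds);
    wr_le32(buf + 32, 0x19u);        /* LC_SEGMENT_64 */
    wr_le32(buf + 36, cmdsize);
    return file_size;
}

/* Well-formed: one 72-byte LC_SEGMENT_64, sizeofcmds consistent. */
int scenario_benign(void)
{
    uint8_t buf[256]; unsigned n;
    return mach64_walk_commands(buf, build_sample(buf, sizeof buf, 1, 72, 72), &n);
}
/* Crafted like the report: cmdsize=0x800048 dwarfs both region and file. */
int scenario_crafted(void)
{
    uint8_t buf[256]; unsigned n;
    return mach64_walk_commands(buf, build_sample(buf, sizeof buf, 1, 0x60, 0x800048u), &n);
}
/* sizeofcmds itself points past end of file. */
int scenario_truncated(void)
{
    uint8_t buf[256]; unsigned n;
    return mach64_walk_commands(buf, build_sample(buf, sizeof buf, 1, 0x1000, 72), &n);
}

int main(void)
{
    printf("benign=%d crafted=%d truncated=%d\n",
           scenario_benign(), scenario_crafted(), scenario_truncated());
    return 0;
}
```

The order of checks matters: sizeofcmds is bounded by the file before any command is read, and each cmdsize is bounded by what is left of that region before the offset advances, so neither a huge cmdsize nor a cmdsize smaller than its own 8-byte header can make the loop read or spin outside the buffer.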

carnil commented Dec 28, 2019

CVE-2019-20053 has been assigned for this issue.

@markus-oberhumer markus-oberhumer added this to the v3.96 milestone Jan 16, 2020
4 participants