Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap buffer overflow in getElfSections() #363

Closed
strongcourage opened this issue Apr 13, 2020 · 4 comments
Closed

Heap buffer overflow in getElfSections() #363

strongcourage opened this issue Apr 13, 2020 · 4 comments

Comments

@strongcourage
Copy link

What's the problem (or question)?

A heap buffer overflow was discovered in the latest version 3.96, in getElfSections().

What should have happened?

Decompress a crafted/suspicious file.

Do you have an idea for a solution?

Check pointer Shdr const *p.

How can we reproduce the issue?

upx.out -df PoC -o /dev/null
PoC: hbo_getElfSections.tar.gz

ASAN says:

==2451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efff at pc 0x7fe970f2c2ed bp 0x7ffef3d8f600 sp 0x7ffef3d8eda8
READ of size 1 at 0x60200000efff thread T0
    #0 0x7fe970f2c2ec  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x472ec)
    #1 0x4ec8fd in PackVmlinuxBase<N_Elf::ElfClass_32<N_BELE_CTP::LEPolicy> >::getElfSections() /home/dungnguyen/fuzz/upx_asan/src/p_vmlinx.cpp:125
    #2 0x4ed529 in PackVmlinuxBase<N_Elf::ElfClass_32<N_BELE_CTP::LEPolicy> >::canUnpack() /home/dungnguyen/fuzz/upx_asan/src/p_vmlinx.cpp:571
    #3 0x51fe46 in try_unpack /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:114
    #4 0x520751 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:173
    #5 0x5228d9 in PackMaster::getUnpacker(InputFile*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:248
    #6 0x5229ff in PackMaster::unpack(OutputFile*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:266
    #7 0x557816 in do_one_file(char const*, char*) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:160
    #8 0x557cce in do_files(int, int, char**) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:271
    #9 0x403dbe in main /home/dungnguyen/fuzz/upx_asan/src/main.cpp:1539
    #10 0x7fe97032682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x404b18 in _start (/home/dungnguyen/PoCs/upx_d7ba31c/upx.out+0x404b18)

0x60200000efff is located 14 bytes to the right of 1-byte region [0x60200000eff0,0x60200000eff1)
allocated by thread T0 here:
    #0 0x7fe970f7e712 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99712)
    #1 0x4ec755 in PackVmlinuxBase<N_Elf::ElfClass_32<N_BELE_CTP::LEPolicy> >::getElfSections() /home/dungnguyen/fuzz/upx_asan/src/p_vmlinx.cpp:121

Please tell us details about your environment.

  • UPX version used (upx --version): upx 3.96-git-d7ba31cab8ce
  • Host Operating System and version: Ubuntu 16.04 64-bit
  • Host CPU architecture: Intel Xeon CPU E3-1505M v6 @ 3.00GHz CPU with 32GB RAM
  • Target Operating System and version: same as Host
  • Target CPU architecture: same as Host
@jreiser
Copy link
Collaborator

jreiser commented Apr 13, 2020

Works correctly in the latest devel branch

commit cfa7d1e497915954d00ce048672bf165c100eed7 (HEAD -> devel, origin/devel)
Merge: b72eac69 fc3d2719
Date:   Sun Apr 12 09:51:51 2020 -0700

@strongcourage
Copy link
Author

Please recheck, I think this bug is still there in cfa7d1e and the latest 294ed1b of devel branch. Also, completely fixing this bug will probably fix other invalid pointer dereferencing bug in the same function getElfSections(). Thanks.

PoC: poc1; poc2

ASAN says:

==3055==ERROR: AddressSanitizer: SEGV on unknown address 0x61200001b9c1 (pc 0x7f6bee4bd04e bp 0x7ffe6fca1250 sp 0x7ffe6fca09e0 T0)
    #0 0x7f6bee4bd04d  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x4704d)
    #1 0x4ed20f in PackVmlinuxBase<N_Elf::ElfClass_64<N_BELE_CTP::LEPolicy> >::getElfSections() /home/dungnguyen/fuzz/upx_asan/src/p_vmlinx.cpp:125
    #2 0x4ee2dc in PackVmlinuxBase<N_Elf::ElfClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/dungnguyen/fuzz/upx_asan/src/p_vmlinx.cpp:571
    #3 0x520176 in try_unpack /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:114
    #4 0x520c7d in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:177
    #5 0x522c09 in PackMaster::getUnpacker(InputFile*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:248
    #6 0x522d2f in PackMaster::unpack(OutputFile*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:266
    #7 0x557b96 in do_one_file(char const*, char*) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:160
    #8 0x55804e in do_files(int, int, char**) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:271
    #9 0x403dbe in main /home/dungnguyen/fuzz/upx_asan/src/main.cpp:1538
    #10 0x7f6bed8b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x404b18 in _start (/home/dungnguyen/fuzz/upx_asan/src/upx.out+0x404b18)

jreiser added a commit that referenced this issue Apr 15, 2020
@jreiser
getElfSections concentrates on _Shdr[.e_shstrndx]
910090e 
#363
	modified:   p_vmlinx.cpp
@jreiser
Copy link
Collaborator

jreiser commented Apr 15, 2020

Fixed on devel branch.

@strongcourage
Copy link
Author

Thanks, the bug is fixed.

markus-oberhumer pushed a commit that referenced this issue Aug 17, 2022
@jreiser @markus-oberhumer
getElfSections concentrates on _Shdr[.e_shstrndx]
6868ca7 
#363
	modified:   p_vmlinx.cpp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@strongcourage @jreiser