
Invalid pointer in set_le64() #364

Closed
strongcourage opened this issue Apr 13, 2020 · 2 comments

Comments

@strongcourage

What's the problem (or question)?

An invalid pointer dereference was discovered in the latest version 3.96, in set_le64(), that can cause a denial of service.

What should have happened?

Decompress a crafted/suspicious file.

Do you have an idea for a solution?

Add a proper sanity check when dereferencing pointers in the bug trace

How can we reproduce the issue?

upx.out -df PoC -o /dev/null
PoC: poc_set_le64.tar.gz

ASAN says:

==10916==ERROR: AddressSanitizer: SEGV on unknown address 0x630fffe080e0 (pc 0x000000556a20 bp 0x7ffebacfb550 sp 0x7ffebacfb1d8 T0)
    #0 0x556a1f in set_le64(void*, unsigned long long) /home/dungnguyen/fuzz/upx_asan/src/bele_policy.h:202
    #1 0x556a1f in N_BELE_RTP::LEPolicy::set64(void*, unsigned long long) const /home/dungnguyen/fuzz/upx_asan/src/bele_policy.h:203
    #2 0x497d3a in Packer::set_te64(void*, unsigned long long) const /home/dungnguyen/fuzz/upx_asan/src/packer.h:300
    #3 0x497d3a in PackLinuxElf64::unpack(OutputFile*) /home/dungnguyen/fuzz/upx_asan/src/p_lx_elf.cpp:4691
    #4 0x517409 in Packer::doUnpack(OutputFile*) /home/dungnguyen/fuzz/upx_asan/src/packer.cpp:107
    #5 0x557816 in do_one_file(char const*, char*) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:160
    #6 0x557cce in do_files(int, int, char**) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:271
    #7 0x403dbe in main /home/dungnguyen/fuzz/upx_asan/src/main.cpp:1539
    #8 0x7f38f7ab482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x404b18 in _start (/home/dungnguyen/PoCs/upx_d7ba31c/upx.out+0x404b18)

Please tell us details about your environment.

  • UPX version used (upx --version): upx 3.96-git-d7ba31cab8ce
  • Host Operating System and version: Ubuntu 16.04 64-bit
  • Host CPU architecture: Intel Xeon CPU E3-1505M v6 @ 3.00GHz CPU with 32GB RAM
  • Target Operating System and version: same as Host
  • Target CPU architecture: same as Host
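The reporter's suggested fix is a sanity check before the 64-bit little-endian store. The following is an added example, not UPX's code and not the change in commit 294ed1b: it shows a plain unchecked store in the spirit of a set_le64() next to a hypothetical bounds-checked variant that refuses any write not fully inside the caller's buffer, with the length arithmetic written so it cannot overflow. The names le64_store_unchecked, le64_store_checked, le64_load, run_checks and the 16-byte buffer are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Unchecked store (hypothetical stand-in for a plain set_le64()):
   writes 8 bytes at p in little-endian order regardless of where p
   points. If a crafted input steers p outside the output buffer,
   this is a wild write, which is what ASAN reports as SEGV. */
void le64_store_unchecked(void *p, uint64_t v)
{
    unsigned char *b = (unsigned char *)p;
    for (int i = 0; i < 8; i++)
        b[i] = (unsigned char)(v >> (8 * i));
}

/* Little-endian 64-bit load, used to verify what was written. */
uint64_t le64_load(const unsigned char *b)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* Hypothetical checked variant: the caller names the buffer the store
   must land in and an offset into it. The write happens only when all
   8 bytes fit inside [buf, buf + len). Returns true on success and
   false when the write was refused. The test "off + 8 <= len" is
   written as "len - off >= 8" after "off <= len" so that a huge,
   attacker-controlled offset cannot wrap around to a small value. */
bool le64_store_checked(unsigned char *buf, size_t len, size_t off, uint64_t v)
{
    if (buf == NULL)
        return false;
    if (off > len || len - off < 8)
        return false;
    le64_store_unchecked(buf + off, v);
    return true;
}

/* Exercises the checked store on a constructed 16-byte buffer and
   returns the number of checks that behaved as expected (7 when all
   pass). Constructed test data, not taken from the issue's PoC. */
int run_checks(void)
{
    unsigned char buf[16];
    int ok = 0;
    memset(buf, 0, sizeof buf);

    /* In-bounds store at the last valid offset succeeds. */
    if (le64_store_checked(buf, sizeof buf, 8, 0x0123456789ABCDEFULL)) ok++;
    /* Byte order is little-endian: low byte first. */
    if (buf[8] == 0xEF && buf[15] == 0x01) ok++;
    if (le64_load(buf + 8) == 0x0123456789ABCDEFULL) ok++;
    /* One byte past the end is refused. */
    if (!le64_store_checked(buf, sizeof buf, 9, 1)) ok++;
    /* Offset equal to the length is refused. */
    if (!le64_store_checked(buf, sizeof buf, 16, 1)) ok++;
    /* A wrapping offset is refused rather than passing as "small". */
    if (!le64_store_checked(buf, sizeof buf, SIZE_MAX, 1)) ok++;
    /* Nothing in the buffer was touched by the refused stores. */
    if (buf[0] == 0 && buf[7] == 0) ok++;
    return ok;
}

int main(void)
{
    return run_checks() == 7 ? 0 : 1;
}
```

The checked variant keeps the same byte-level behaviour as the unchecked one on valid input; only the decision of whether to write at all changes, which is the property a fix for this class of crash needs.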
jreiser added a commit that referenced this issue Apr 14, 2020
@jreiser
Collaborator

jreiser commented Apr 14, 2020

Fixed on devel branch in commit 294ed1b.

@strongcourage
Author

Thanks for the patch, the bug was fixed.

markus-oberhumer pushed a commit that referenced this issue Aug 17, 2022