
Heap buffer overflow in get_le64 #367

Closed
strongcourage opened this issue Apr 14, 2020 · 1 comment

Comments

@strongcourage

What's the problem (or question)?

A heap buffer overflow bug was discovered in the latest commit 294ed1b of the devel branch, in get_le64(), that can cause a denial of service.

What should have happened?

Decompress a crafted/suspicious file.

Do you have an idea for a solution?

Add bound checks.

How can we reproduce the issue?

upx.out -df PoC -o /dev/null

ASAN says:

==16655==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024bb0 at pc 0x000000556c9d bp 0x7ffc86ca5dd0 sp 0x7ffc86ca5dc0
READ of size 8 at 0x631000024bb0 thread T0
    #0 0x556c9c in get_le64(void const*) /home/dungnguyen/fuzz/upx_asan/src/bele.h:182
    #1 0x556c9c in N_BELE_RTP::LEPolicy::get64(void const*) const /home/dungnguyen/fuzz/upx_asan/src/bele_policy.h:194
    #2 0x497a62 in Packer::get_te64(void const*) const /home/dungnguyen/fuzz/upx_asan/src/packer.h:297
    #3 0x497a62 in PackLinuxElf64::unpack(OutputFile*) /home/dungnguyen/fuzz/upx_asan/src/p_lx_elf.cpp:4678
    #4 0x517739 in Packer::doUnpack(OutputFile*) /home/dungnguyen/fuzz/upx_asan/src/packer.cpp:107
    #5 0x557b96 in do_one_file(char const*, char*) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:160
    #6 0x55804e in do_files(int, int, char**) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:271
    #7 0x403dbe in main /home/dungnguyen/fuzz/upx_asan/src/main.cpp:1538
    #8 0x7f50332fa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x404b18 in _start (/home/dungnguyen/PoCs/upx_294ed1b/upx.out+0x404b18)

Please tell us details about your environment.

  • UPX version used (upx --version): 4.0.0-git-294ed1b4ba35
  • Host Operating System and version: Ubuntu 16.04 64-bit
  • Host CPU architecture: Intel Xeon CPU E3-1505M v6 @ 3.00GHz CPU with 32GB RAM
  • Target Operating System and version: same as Host
  • Target CPU architecture: same as Host
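The report's suggested fix is "add bound checks": the ASAN trace shows an 8-byte read in get_le64() running past the end of a heap buffer while PackLinuxElf64::unpack() walks attacker-controlled input. The following is an added example, not UPX's own code, showing the shape of such a check: an unchecked little-endian reader in the spirit of bele.h next to a hypothetical checked wrapper that carries the buffer length with the offset and reports failure instead of reading out of bounds. The names get_le64_unchecked, get_le64_checked and demo_bounds, and the 12-byte sample buffer, are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked little-endian 64-bit read, in the spirit of the get_le64() named in
 * the ASAN trace. It is only safe when the caller guarantees that 8 bytes are
 * readable at p; with a crafted file that guarantee is exactly what is missing. */
static uint64_t get_le64_unchecked(const void *p)
{
    const unsigned char *b = (const unsigned char *)p;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/* Hypothetical bounds-checked wrapper (not UPX's API). The buffer start and its
 * total length travel with the read; the caller is told when [off, off+8) is
 * not fully inside the buffer and can reject the file instead of crashing. */
static bool get_le64_checked(const unsigned char *buf, size_t buf_len,
                             size_t off, uint64_t *out)
{
    /* Compare buf_len - off rather than off + 8 so a huge off cannot wrap. */
    if (off > buf_len || buf_len - off < 8)
        return false;
    *out = get_le64_unchecked(buf + off);
    return true;
}

/* Drives the checked reader over a constructed 12-byte "file" buffer standing
 * in for the unpacker's heap allocation. Returns how many reads were rejected. */
int demo_bounds(void)
{
    const unsigned char file[12] = {
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, /* one whole u64 */
        0xaa, 0xbb, 0xcc, 0xdd                          /* 4 trailing bytes */
    };
    uint64_t v;
    int rejected = 0;

    /* Offset 0: bytes 0..7 exist, read succeeds. */
    if (!get_le64_checked(file, sizeof file, 0, &v)) rejected++;
    /* Offset 4: bytes 4..11 exist, read succeeds. */
    if (!get_le64_checked(file, sizeof file, 4, &v)) rejected++;
    /* Offset 8: only 4 bytes remain. An unchecked read here would touch 4
     * bytes past the allocation, which is the heap-buffer-overflow ASAN flags. */
    if (!get_le64_checked(file, sizeof file, 8, &v)) rejected++;
    /* Offset well beyond the buffer. */
    if (!get_le64_checked(file, sizeof file, 100, &v)) rejected++;
    /* Offset chosen so that off + 8 would wrap around to a small value. */
    if (!get_le64_checked(file, sizeof file, SIZE_MAX - 3, &v)) rejected++;

    return rejected; /* 3 of the 5 reads are rejected */
}

int main(void)
{
    printf("rejected out-of-bounds reads: %d\n", demo_bounds());
    return 0;
}
```

The point for a decompressor is that the check belongs at every place a field offset derived from the input is turned into a pointer, with the remaining length computed from the actual allocation rather than from a size the file claims for itself.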
jreiser added a commit that referenced this issue Apr 15, 2020
@jreiser
Collaborator

jreiser commented Apr 15, 2020

Fixed on devel branch.

markus-oberhumer pushed a commit that referenced this issue Aug 17, 2022