
Another heap buffer overflow in get_le64() #368

Closed
strongcourage opened this issue Apr 14, 2020 · 1 comment

What's the problem (or question)?

A heap buffer overflow bug was discovered in the latest commit 294ed1b of the devel branch, in get_le64().

What should have happened?

Decompress or list a crafted/suspicious file.

Do you have an idea for a solution?

Add bound checks.

How can we reproduce the issue?

upx.out -df PoC -o /dev/null
upx.out -l PoC -o /dev/null

ASAN says:

==32685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000eff0 at pc 0x0000004942fc bp 0x7ffc8c7eb670 sp 0x7ffc8c7eb660
READ of size 8 at 0x62600000eff0 thread T0
    #0 0x4942fb in get_le64(void const*) /home/dungnguyen/fuzz/upx_asan/src/bele.h:182
    #1 0x4942fb in LE64::operator unsigned long long() const /home/dungnguyen/fuzz/upx_asan/src/bele.h:434
    #2 0x4942fb in PackLinuxElf64::elf_find_dynamic(unsigned int) const /home/dungnguyen/fuzz/upx_asan/src/p_lx_elf.cpp:5227
    #3 0x49d99c in PackLinuxElf64::PackLinuxElf64help1(InputFile*) /home/dungnguyen/fuzz/upx_asan/src/p_lx_elf.cpp:801
    #4 0x49e305 in PackLinuxElf64Be::PackLinuxElf64Be(InputFile*) /home/dungnguyen/fuzz/upx_asan/src/p_lx_elf.h:419
    #5 0x49e305 in PackLinuxElf64ppc::PackLinuxElf64ppc(InputFile*) /home/dungnguyen/fuzz/upx_asan/src/p_lx_elf.cpp:981
    #6 0x521148 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:199
    #7 0x522c09 in PackMaster::getUnpacker(InputFile*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:248
    #8 0x522d2f in PackMaster::unpack(OutputFile*) /home/dungnguyen/fuzz/upx_asan/src/packmast.cpp:266
    #9 0x557b96 in do_one_file(char const*, char*) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:160
    #10 0x55804e in do_files(int, int, char**) /home/dungnguyen/fuzz/upx_asan/src/work.cpp:271
    #11 0x403dbe in main /home/dungnguyen/fuzz/upx_asan/src/main.cpp:1538
    #12 0x7efd5e6cd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x404b18 in _start (/home/dungnguyen/PoCs/upx_294ed1b/upx.out+0x404b18)

Please tell us details about your environment.

  • UPX version used (upx --version): 4.0.0-git-294ed1b4ba35
  • Host Operating System and version: Ubuntu 16.04 64-bit
  • Host CPU architecture: Intel Xeon CPU E3-1505M v6 @ 3.00GHz CPU with 32GB RAM
  • Target Operating System and version: same as Host
  • Target CPU architecture: same as Host
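A bounds-checked little-endian reader of the kind the report asks for, as an added illustration that is not UPX's code: get_le64_checked(), find_dyn_tag() and the sample table are constructed here, and the 16-byte (tag, value) entries mirror the Elf64 dynamic table that elf_find_dynamic() walks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounds-checked counterpart of an unchecked get_le64(): refuses
 * the read instead of touching bytes past buf + buf_len. Checking
 * "buf_len - off < 8" after "off > buf_len" avoids any off + 8 wraparound. */
static bool get_le64_checked(const unsigned char *buf, size_t buf_len,
                             size_t off, uint64_t *out)
{
    if (off > buf_len || buf_len - off < 8)
        return false;               /* read would run off the end of the buffer */
    uint64_t v = 0;
    for (int i = 7; i >= 0; --i)    /* little-endian: byte 0 is least significant */
        v = (v << 8) | buf[off + (size_t)i];
    *out = v;
    return true;
}

/* Walk 16-byte (d_tag, d_val) entries, as in an Elf64 dynamic table, looking
 * for want_tag. Returns 1 if found (*val set), 0 at the DT_NULL terminator,
 * -1 if an entry would extend past dyn_len (the crafted-file case). Constructed
 * illustration, not UPX's elf_find_dynamic(). */
static int find_dyn_tag(const unsigned char *dyn, size_t dyn_len,
                        uint64_t want_tag, uint64_t *val)
{
    for (size_t off = 0;; off += 16) {
        uint64_t tag;
        if (!get_le64_checked(dyn, dyn_len, off, &tag) ||
            !get_le64_checked(dyn, dyn_len, off + 8, val))
            return -1;              /* table truncated: stop instead of over-reading */
        if (tag == 0)
            return 0;
        if (tag == want_tag)
            return 1;
    }
}

/* Constructed sample table: DT_STRTAB (tag 5) = 0x1000, then DT_NULL. */
static const unsigned char sample_dyn[32] = {
    5,0,0,0,0,0,0,0, 0x00,0x10,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };

int main(void)
{
    uint64_t v = 0;
    printf("full table: rc=%d val=0x%llx\n",
           find_dyn_tag(sample_dyn, sizeof sample_dyn, 5, &v), (unsigned long long)v);
    printf("truncated to 20 bytes: rc=%d\n", find_dyn_tag(sample_dyn, 20, 6, &v));
    return 0;
}
```

Passing the table length down into the reader is what turns the ASAN-visible over-read into an ordinary "malformed file" return.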
jreiser added a commit that referenced this issue Apr 15, 2020

jreiser commented Apr 15, 2020

Fixed on devel branch.
