[bug] segv fault in get_le64() #381
Comments

markus-oberhumer pushed a commit that referenced this issue on Aug 17, 2022: #381 modified: p_lx_elf.cpp

Verified closed in official release upx-4.0.2 of Jan.30, 2023:
What's the problem (or question)?
A heap-based buffer overflow was discovered in upx, when the generic pointer 'p' points to an inaccessible address in func get_le64(). The issue can cause a denial of service. The issue is different from issue 367 and issue 368.
ASAN reports:
```
ASAN:SIGSEGV
=================================================================
==113201==ERROR: AddressSanitizer: SEGV on unknown address 0x630011d04b20 (pc 0x0000005292e0 bp 0x000000000022 sp 0x7ffebc640bc8 T0)
    #0 0x5292df in get_le64(void const*) /home/test/Desktop/EVAULATION/upx/src/bele_policy.h:193
    #1 0x5292df in N_BELE_RTP::LEPolicy::get64(void const*) const /home/test/Desktop/EVAULATION/upx/src/bele_policy.h:194
    #2 0x45784b in Packer::get_te64(void const*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:297
    #3 0x45784b in PackLinuxElf64::elf_lookup(char const*) const /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.cpp:5423
    #4 0x46f7eb in PackLinuxElf64::PackLinuxElf64help1(InputFile*) /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.cpp:805
    #5 0x470479 in PackLinuxElf64Le::PackLinuxElf64Le(InputFile*) /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.h:407
    #6 0x470479 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile*) /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.cpp:1008
    #7 0x4f34b2 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:194
    #8 0x4f50f9 in PackMaster::getUnpacker(InputFile*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #9 0x4f521f in PackMaster::unpack(OutputFile*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #10 0x52a1e6 in do_one_file(char const*, char*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #11 0x52a69e in do_files(int, int, char**) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #12 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #13 0x7fc4129b682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x404828 in _start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/test/Desktop/EVAULATION/upx/src/bele_policy.h:193 get_le64(void const*)
==113201==ABORTING
```

The essential cause of the bug is at PackLinuxElf64::elf_lookup() at p_lx_elf:5423:
What should have happened?
Decompress a crafted/suspicious file.
Do you have an idea for a solution?
We are very grateful to @jreiser for patching the bucket in p_lx_elf.cpp in issue 367. However, in fact, all places involving get_te64() should be strengthened in upx, especially in p_lx_elf.cpp. The position we reported should be patched at least:
position in PackLinuxElf64::elf_lookup() at p_lx_elf:5423
How can we reproduce the issue?
```
upx.out -df $PoC -o /dev/null
```

PoC can be found here.
Please tell us details about your environment.
UPX version used (upx --version):
Host Operating System and version: Ubuntu 16.04 64-bit
Host CPU architecture: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
Target Operating System and version: same as Host
Target CPU architecture: same as Host
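As an added example (not UPX's code and not the fix the maintainers committed), this is the kind of bounds check the report asks for around every get_te64()/get_le64() call: instead of dereferencing a pointer computed from ELF metadata, the reader takes an offset into a hypothetical `file_view` (the input file held in memory, a struct assumed here) and refuses any 8-byte read that does not lie entirely inside it, including offsets so large that a naive `off + 8` would wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of the input file held in memory (not UPX's own type). */
typedef struct {
    const unsigned char *base;
    uint64_t size;
} file_view;

/* Checked little-endian read: the 8 bytes must lie entirely inside the view.
 * The test is written as a subtraction so that a huge 'off' cannot wrap around
 * and pass; on rejection *out is left untouched and false is returned. */
static bool get_le64_checked(const file_view *f, uint64_t off, uint64_t *out) {
    if (off > f->size || f->size - off < sizeof(uint64_t))
        return false;
    const unsigned char *p = f->base + off;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)      /* assemble little-endian on any host */
        v = (v << 8) | p[i];
    *out = v;
    return true;
}

/* Constructed 16-byte sample standing in for a tiny input file. */
static const unsigned char sample[16] = {
    0xef, 0xbe, 0xad, 0xde, 0x00, 0x00, 0x00, 0x00, /* 0xdeadbeef */
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88  /* 0x8877665544332211 */
};
static const file_view sample_view = { sample, sizeof sample };

/* Reads the qword at 'off' from the sample; *ok reports whether it was in bounds.
 * Returns 0 when the read was rejected. */
uint64_t lookup_qword(uint64_t off, bool *ok) {
    uint64_t v = 0;
    *ok = get_le64_checked(&sample_view, off, &v);
    return v;
}

int main(void) {
    bool ok;
    uint64_t v = lookup_qword(9, &ok); /* would straddle the end of the buffer */
    printf("off 9: %s (0x%llx)\n", ok ? "read" : "rejected", (unsigned long long)v);
    v = lookup_qword(8, &ok);          /* last fully contained qword */
    printf("off 8: %s (0x%llx)\n", ok ? "read" : "rejected", (unsigned long long)v);
    return 0;
}
```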