Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Another heap buffer overflow in get_le32() #395

Closed
giantbranch opened this issue Jul 24, 2020 · 1 comment
Closed

Another heap buffer overflow in get_le32() #395

giantbranch opened this issue Jul 24, 2020 · 1 comment

Comments

@giantbranch
Copy link

giantbranch commented Jul 24, 2020

Author: giantbranch of NSFOCUS Security Team

What's the problem (or question)?

A heap buffer overflow read in the latest commit of the devel branch

ASAN reports:

==5614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x624000007da0 at pc 0x000000757233 bp 0x7ffe125eb8e0 sp 0x7ffe125eb8d8
READ of size 4 at 0x624000007da0 thread T0
    #0 0x757232 in get_le32(void const*) /src/upx-multi/src/./bele.h:164:12
    #1 0x757232 in N_BELE_RTP::LEPolicy::get32(void const*) const /src/upx-multi/src/./bele_policy.h:192:18
    #2 0x58a45e in Packer::get_te32(void const*) const /src/upx-multi/src/./packer.h:296:65
    #3 0x58a45e in PackLinuxElf32::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const*, unsignedint) /src/upx-multi/src/p_lx_elf.cpp:1610:32
    #4 0x588a1e in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:305:13
    #5 0x5d6504 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile*) /src/upx-multi/src/./p_lx_elf.h:395:9
    #6 0x5d6504 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4847:54
    #7 0x5d6a4c in PackNetBSDElf32x86::PackNetBSDElf32x86(InputFile*) /src/upx-multi/src/p_lx_elf.cpp:4884:56
    #8 0x6e4df0 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /src/upx-multi/src/packmast.cpp:191:9
    #9 0x6e9771 in PackMaster::getUnpacker(InputFile*) /src/upx-multi/src/packmast.cpp:248:18
    #10 0x6e9771 in PackMaster::unpack(OutputFile*) /src/upx-multi/src/packmast.cpp:266:9
    #11 0x7589f8 in do_one_file(char const*, char*) /src/upx-multi/src/work.cpp:160:12
    #12 0x759f42 in do_files(int, int, char**) /src/upx-multi/src/work.cpp:271:13
    #13 0x555afd in main /src/upx-multi/src/main.cpp:1538:5
    #14 0x7fc6ddc5d83f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #15 0x41ce98 in _start (/out/upx-multi/upx-multi+0x41ce98)

0x624000007da2 is located 0 bytes to the right of 7330-byte region [0x624000006100,0x624000007da2)
allocated by thread T0 here:
    #0 0x49519d in malloc (/out/upx-multi/upx-multi+0x49519d)
    #1 0x5697b7 in MemBuffer::alloc(unsigned long long) /src/upx-multi/src/mem.cpp:194:42

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/upx-multi/src/./bele.h:164:12 in get_le32(void const*)
Shadow bytes around the buggy address:
  0x0c487fff8f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff8f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff8f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff8f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c487fff8fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c487fff8fb0: 00 00 00 00[02]fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c487fff9000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==5614==ABORTING

What should have happened?

Check if the file is normal, exit if abnormal

Do you have an idea for a solution?

Add more checks

How can we reproduce the issue?

upx.out -d <poc_filename>

poc:
tests_192f7cabc11cc03830cccf5a14885865d1532c0d_.tar.gz

Please tell us details about your environment.

  • UPX version used (upx --version):
upx 4.0.0-git-8d1d605b3d8c+
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43
Copyright (C) 1996-2020 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2020 Laszlo Molnar
Copyright (C) 2000-2020 John F. Reiser
Copyright (C) 2002-2020 Jens Medoch
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
Copyright (C) 1999-2006 Igor Pavlov
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx-multi -L'.
  • Host Operating System and version: Ubuntu 16.04.2 LTS
  • Host CPU architecture: x86_64
  • Target Operating System and version: same as Host
  • Target CPU architecture: same as Host
jreiser added a commit that referenced this issue Jul 25, 2020
#395
	modified:   p_lx_elf.cpp
@jreiser
Copy link
Collaborator

jreiser commented Jul 25, 2020

Fixed on devel branch by above commit.

markus-oberhumer pushed a commit that referenced this issue Aug 17, 2022
#395
	modified:   p_lx_elf.cpp
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants