canPack@p_lx_elf.cpp:2571 BufferOverflow (both latest release version and devel version) #421
Comments
Any updates to fix this bug?

If you are running a fuzzer then please concentrate on fuzzing
markus-oberhumer pushed a commit that referenced this issue on Aug 17, 2022: "#421 modified: p_lx_elf.cpp"
What's the problem (or question)?
An issue was discovered in upx 3.96 (devel branch). There is an illegal memory access in function canPack at p_lx_elf.cpp:2571.
I also checked the newest release version; it meets the same crash, which lies at p_lx_elf.cpp:2490.
What should have happened?
No illegal memory access (crash).
Do you have an idea for a solution?
Check the relocation_offset and do not access the illegal memory.
How can we reproduce the issue?
export BUILD_TYPE_SANITIZE=1; make all
upx.out poc
and get the crash. Download the poc here.
source
The source code didn't check the rel_off, so it gets an illegal rp.
debug
bug report
ASAN:SIGSEGV
=================================================================
==65507==ERROR: AddressSanitizer: SEGV on unknown address 0x6300004013e8 (pc 0x00000055aff0 bp 0x0c3600003e31 sp 0x7ffc8f9b7378 T0)
    #0 0x55afef in get_le64(void const*) /home/wanghao/upx_dev/src/bele_policy.h:193
    #1 0x55afef in N_BELE_RTP::LEPolicy::get64(void const*) const /home/wanghao/upx_dev/src/bele_policy.h:194
    #2 0x49dfe2 in Packer::get_te64(void const*) const /home/wanghao/upx_dev/src/packer.h:297
    #3 0x49dfe2 in PackLinuxElf64::canPack() /home/wanghao/upx_dev/src/p_lx_elf.cpp:2571
    #4 0x5240a6 in try_pack /home/wanghao/upx_dev/src/packmast.cpp:91
    #5 0x52518f in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/wanghao/upx_dev/src/packmast.cpp:194
    #6 0x526d19 in PackMaster::getPacker(InputFile*) /home/wanghao/upx_dev/src/packmast.cpp:240
    #7 0x526e3c in PackMaster::pack(OutputFile*) /home/wanghao/upx_dev/src/packmast.cpp:260
    #8 0x55bede in do_one_file(char const*, char*) /home/wanghao/upx_dev/src/work.cpp:158
    #9 0x55c3ae in do_files(int, int, char**) /home/wanghao/upx_dev/src/work.cpp:271
    #10 0x403dbe in main /home/wanghao/upx_dev/src/main.cpp:1538
    #11 0x7f702527783f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
Please tell us details about your environment.
upx 3.96 (devel) and upx 3.96 (release).
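The defect class the report describes, an input-supplied relocation offset (rel_off) turned into a pointer (rp) and dereferenced with an 8-byte little-endian read, modelled in C as an added illustration. This is not UPX's code: the names follow the report's wording, and the 24-byte sample file is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative model of the bug class in this report, not UPX's code.
 * rel_off comes from the input file and is used to form rp, which is then
 * read as 8 little-endian bytes (the access shape atop the ASAN trace). */

/* Byte-wise little-endian 64-bit read; caller guarantees 8 readable bytes. */
static uint64_t get_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Unchecked: trusts rel_off, so a hostile value points rp outside `file`.
 * Shown only as the buggy shape; it is never called with a bad offset. */
static uint64_t read_reloc_unchecked(const uint8_t *file, uint64_t rel_off) {
    const uint8_t *rp = file + rel_off;
    return get_le64(rp);
}

/* Checked: rp is formed only when [rel_off, rel_off + 8) lies inside the
 * file_len-byte buffer; the first test stops rel_off + 8 from wrapping. */
static bool read_reloc_checked(const uint8_t *file, size_t file_len,
                               uint64_t rel_off, uint64_t *out) {
    if (rel_off > UINT64_MAX - sizeof(uint64_t)) return false;
    if (rel_off + sizeof(uint64_t) > (uint64_t)file_len) return false;
    *out = get_le64(file + rel_off);
    return true;
}

/* Constructed 24-byte "file": a 16-byte header pad, then one 8-byte field. */
static const uint8_t sample_file[24] = {
    0x7f, 'E', 'L', 'F', 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
};

/* Runs the checked reader over one valid and two hostile offsets; returns
 * how many hostile offsets were rejected (2 when correct), negative on error. */
static int demo_reject_count(void) {
    uint64_t v = 0;
    int rejected = 0;
    if (!read_reloc_checked(sample_file, sizeof sample_file, 16, &v)) return -1;
    if (v != 0x1122334455667788ULL) return -2;
    if (!read_reloc_checked(sample_file, sizeof sample_file, 17, &v)) rejected++; /* 1 byte short */
    if (!read_reloc_checked(sample_file, sizeof sample_file, UINT64_MAX - 3, &v)) rejected++; /* wraps */
    return rejected;
}
```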