A null pointer dereference was discovered in upx at the latest commit of the devel branch [2638bee].
The pointer 'p' points to 0x0 in func get_ne32(). The issue can be triggered from different places and can cause a denial of service.
ASAN reports:
File size Ratio Format Name
-------------------- ------ ----------- -----------
p_lx_elf.cpp:2406:54: runtime error: member access within null pointer of type 'const Elf64_Phdr' (aka 'const Phdr<ElfITypes<LE16, LE32, LE64, LE64, LE64>>')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior p_lx_elf.cpp:2406:54 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3546154==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000082a541 bp 0x7fffe268e150 sp 0x7fffe268e140 T0)
==3546154==The signal is caused by a READ memory access.
==3546154==Hint: address points to the zero page.
#0 0x82a541 in get_ne32(void const*) /home/upx/src/./bele.h:48:5
#1 0x82a541 in get_le32(void const*) /home/upx/src/./bele.h:136:50
#2 0x82a541 in N_BELE_RTP::LEPolicy::get32(void const*) const /home/upx/src/./bele_policy.h:168:48
#3 0x58717f in PackLinuxElf64::canUnpack() /home/upx/src/p_lx_elf.cpp:2406:38
#4 0x79c0e1 in try_unpack(Packer*, void*) /home/upx/src/packmast.cpp:114:20
#5 0x7955d2 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/upx/src/packmast.cpp:194:9
#6 0x79bdda in PackMaster::getUnpacker(InputFile*) /home/upx/src/packmast.cpp:248:18
#7 0x79c768 in PackMaster::unpack(OutputFile*) /home/upx/src/packmast.cpp:266:9
#8 0x82bd8c in do_one_file(char const*, char*) /home/upx/src/work.cpp:157:12
#9 0x82d684 in do_files(int, int, char**) /home/upx/src/work.cpp:269:13
#10 0x50e805 in upx_main(int, char**) /home/upx/src/main.cpp:1516:9
#11 0x510e85 in main /home/upx/src/main.cpp:1584:13
#12 0x7fbe9660a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#13 0x41d93d in _start (/home/upx/upx.out+0x41d93d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/upx/src/./bele.h:48:5 in get_ne32(void const*)
==3546154==ABORTING
This bug is caused by upx_memcpy_inline(&v, p, sizeof(v)); the pointer isn't sanitized. Strengthening the sanitization of all pointers used in upx_memcpy_inline may help reduce the .
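As an added example that is not part of this report or of upx, here is a bounds-checked read path in C for the case the trace shows (PackLinuxElf64::canUnpack reading a 32-bit field through a null Phdr pointer): the program-header offset is validated against the file size before anything is dereferenced. The ELF64 header layout and PT_LOAD value are standard; the function names and the test images are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed example, not upx's code: bounds-checked reads as an alternative to the
 * unchecked "upx_memcpy_inline(&v, p, sizeof(v))" pattern named in the report. */

/* Read a little-endian u32 at byte offset `off` of a `len`-byte buffer.
 * Returns 1 on success, 0 if buf is NULL or the read would leave the buffer. */
static int get_le32_checked(const uint8_t *buf, size_t len, size_t off, uint32_t *out) {
    if (buf == NULL || out == NULL || off > len || len - off < 4)
        return 0;
    *out = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
           ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
    return 1;
}

/* Read p_type of program header `index` from an in-memory little-endian ELF64
 * image. Every offset taken from the file is validated before use, so a crafted
 * e_phoff/e_phnum yields -1 instead of a dereference through a bad pointer. */
static int read_phdr_type(const uint8_t *img, size_t len, size_t index, uint32_t *p_type) {
    enum { EHDR_SIZE = 64, PHDR_SIZE = 56, E_PHOFF = 0x20, E_PHENTSIZE = 0x36, E_PHNUM = 0x38 };
    if (img == NULL || len < EHDR_SIZE) return -1;
    if (memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 2) return -1;    /* ELFCLASS64 only */
    uint64_t phoff = 0;
    for (int i = 7; i >= 0; i--) phoff = (phoff << 8) | img[E_PHOFF + i];  /* LE u64 */
    size_t phentsize = img[E_PHENTSIZE] | ((size_t)img[E_PHENTSIZE + 1] << 8);
    size_t phnum = img[E_PHNUM] | ((size_t)img[E_PHNUM + 1] << 8);
    if (phentsize < PHDR_SIZE || index >= phnum) return -1;
    if (phoff > len || (len - phoff) / phentsize <= index) return -1;     /* entry inside file? */
    return get_le32_checked(img, len, (size_t)phoff + index * phentsize, p_type) ? 0 : -1;
}

/* Build a constructed ELF64 image: 64-byte header with e_phoff = `phoff`, e_phnum = 1,
 * followed by one program header whose p_type is PT_LOAD (1). Returns image size. */
static size_t build_image(uint8_t *out, size_t cap, uint64_t phoff) {
    if (cap < 64 + 56) return 0;
    memset(out, 0, cap);
    memcpy(out, "\x7f" "ELF\x02\x01\x01", 7);          /* magic, ELFCLASS64, LE, EV_CURRENT */
    for (int i = 0; i < 8; i++) out[0x20 + i] = (uint8_t)(phoff >> (8 * i));
    out[0x36] = 56;                                     /* e_phentsize */
    out[0x38] = 1;                                      /* e_phnum */
    out[64] = 1;                                        /* phdr[0].p_type = PT_LOAD */
    return 64 + 56;
}
/* Build an image with the given e_phoff and try to read phdr[0].p_type.
 * Returns 1 when it reads as PT_LOAD, 0 when the checks reject the image. */
static int demo(uint64_t phoff) {
    uint8_t img[120]; uint32_t t = 0;
    size_t n = build_image(img, sizeof img, phoff);
    return read_phdr_type(img, n, 0, &t) == 0 && t == 1;
}
```

demo(64) reads the well-formed image; demo(0x100000) and demo(100) model a crafted e_phoff that points past, or only partly inside, the data and are rejected before any read.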
What should have happened?
Decompress a crafted/suspicious file.
How can we reproduce the issue?
upx.out -d $PoC
poc zipped
null_pointer_01_get32.zip
Please tell us details about your environment.
upx --version: same as Host
reporter: chiba of Topsec alphalab