heap-buffer-overflow in PackTmt::pack #632

Closed
MaggieCwj opened this issue Nov 24, 2022 · 1 comment

What's the problem (or question)?

An attempt is made to allocate a MemBuffer with 0 bytes, which fails an assertion in mem.cpp.

ASAN

                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2022
UPX git-fdec47+ Markus Oberhumer, Laszlo Molnar & John Reiser   Nov 16th 2022

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
=================================================================
==11363==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee15 at pc 0x00000051ca96 bp 0x7fffffffc800 sp 0x7fffffffc7f0
WRITE of size 4 at 0x60200000ee15 thread T0
    #0 0x51ca95 in set_ne32 /home/chen/upx/src/bele.h:66
    #1 0x51ca95 in set_le32(void*, unsigned int) /home/chen/upx/src/bele.h:143
    #2 0x51ca95 in PackTmt::pack(OutputFile*) /home/chen/upx/src/p_tmt.cpp:244
    #3 0x569704 in Packer::doPack(OutputFile*) /home/chen/upx/src/packer.cpp:96
    #4 0x61ca72 in do_one_file(char const*, char*) /home/chen/upx/src/work.cpp:157
    #5 0x61cf89 in do_files(int, int, char**) /home/chen/upx/src/work.cpp:271
    #6 0x45fe9f in upx_main(int, char**) /home/chen/upx/src/main.cpp:1266
    #7 0x407223 in main /home/chen/upx/src/main.cpp:1324
    #8 0x7ffff621f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #9 0x409ef8 in _start (/home/chen/ifcut/upx/upx-asan+0x409ef8)

0x60200000ee15 is located 0 bytes to the right of 5-byte region [0x60200000ee10,0x60200000ee15)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5f3123 in MemBuffer::alloc(unsigned long long) /home/chen/upx/src/util/membuffer.cpp:181
    #2 0x51b6d2 in PackTmt::pack(OutputFile*) /home/chen/upx/src/p_tmt.cpp:219
    #3 0x569704 in Packer::doPack(OutputFile*) /home/chen/upx/src/packer.cpp:96
    #4 0x61ca72 in do_one_file(char const*, char*) /home/chen/upx/src/work.cpp:157
    #5 0x61cf89 in do_files(int, int, char**) /home/chen/upx/src/work.cpp:271
    #6 0x45fe9f in upx_main(int, char**) /home/chen/upx/src/main.cpp:1266
    #7 0x407223 in main /home/chen/upx/src/main.cpp:1324
    #8 0x7ffff621f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/chen/upx/src/bele.h:66 set_ne32
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dc0: fa fa[05]fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9dd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9de0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff9df0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11363==ABORTING

gdb

(gdb) BT
#0  0x00007ffff71a1438 in __GI_raise (sig=sig@entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x00007ffff71a303a in __GI_abort () at abort.c:89
#2  0x00007ffff7ae484d in __gnu_cxx::__verbose_terminate_handler() ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#3  0x00007ffff7ae26b6 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#4  0x00007ffff7ae16a9 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#5  0x00007ffff7ae2005 in __gxx_personality_v0 ()
   from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x00007ffff7545f83 in ?? () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#7  0x00007ffff75462eb in _Unwind_RaiseException () from /lib/x86_64-linux-gnu/libgcc_s.so.1
#8  0x00007ffff7ae290c in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#9  0x000000000041574a in throwInternalError(char const*) ()
#10 0x00000000004b279d in MemBuffer::checkState() const ()
#11 0x00000000004b2a0f in MemBuffer::dealloc() ()
#12 0x000000000045f431 in PackTmt::pack(OutputFile*) ()
#13 0x000000000047d8c4 in Packer::doPack(OutputFile*) ()
#14 0x00000000004d0245 in do_one_file(char const*, char*) ()
#15 0x00000000004d048f in do_files(int, int, char**) ()
#16 0x0000000000422747 in upx_main(int, char**) ()
#17 0x0000000000405602 in main ()

What should have happened?

No failed assertions.

Do you have an idea for a solution?

How can we reproduce the issue?

  1. Build UPX 4.0.1 (the latest version)

  2. Run ./upx ./POC1
     (zipped PoC attached: POC1.zip)

                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2022
UPX git-fdec47+ Markus Oberhumer, Laszlo Molnar & John Reiser   Nov 16th 2022

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
terminate called after throwing an instance of 'InternalError'                 
  what():  std::exception
Aborted

Please tell us details about your environment.

  • UPX version used (upx --version):
./upx --version
upx v4.0.1-dirty
UCL data compression library 1.03
zlib data compression library 1.2.13
LZMA SDK version 4.43
doctest C++ testing framework version 2.4.9
Copyright (C) 1996-2022 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2022 Laszlo Molnar
Copyright (C) 2000-2022 John F. Reiser
Copyright (C) 2002-2022 Jens Medoch
Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler
Copyright (C) 1999-2006 Igor Pavlov
Copyright (C) 2016-2021 Viktor Kirilov
UPX comes with ABSOLUTELY NO WARRANTY; for details type 'upx -L'.
  • Host Operating System and version:
    Ubuntu 16.04 LTS
  • Host CPU architecture:
    11th Gen Intel® Core™ i5-11500 @ 2.70GHz × 8
  • Target Operating System and version:
    same as Host
  • Target CPU architecture:
    same as Host
jreiser added a commit that referenced this issue Nov 24, 2022

jreiser commented Nov 24, 2022

Fixed by above commit on branch devel4. Diagnosis now is

upx: tmt/adam: bad header; imagesize=0x3  entry=0xf  relocsize=0x1
upx: POC1: UnknownExecutableFormatException

and later

upx: POC1: NotCompressibleException                                            
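The fix turns the out-of-bounds store into a header rejection. As an added illustration of that pattern, and not code from UPX or from this issue, the following C++ shows a hypothetical range-checked little-endian 32-bit store next to a header sanity check. `TmtHeaderInfo`, `CheckedBuffer`, `tmt_header_is_sane` and the exact validation rules are assumptions chosen for the example; only the three field values (imagesize=0x3, entry=0xf, relocsize=0x1) and the 5-byte allocation / 4-byte write at offset 5 come from the diagnostic and ASan report above.

```cpp
#include <cstdint>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed stand-in for the three header fields named in the fix's
// diagnostic; the real UPX struct layout is not reproduced here.
struct TmtHeaderInfo {
    uint32_t imagesize;   // bytes of image the header claims follow it
    uint32_t entry;       // offset of the entry point inside the image
    uint32_t relocsize;   // bytes of relocation table after the image
};

// Hypothetical byte buffer whose 32-bit stores are range-checked.  The ASan
// report shows the unchecked variant: a 4-byte store at offset 5 of a
// 5-byte allocation.
class CheckedBuffer {
public:
    explicit CheckedBuffer(size_t n) : data_(n, 0) {
        // A zero-length buffer can never be written to, so refuse it up front.
        if (n == 0) throw std::invalid_argument("CheckedBuffer: zero-byte allocation");
    }
    size_t size() const { return data_.size(); }

    // Little-endian 32-bit store.  The check is written as "size - off < 4"
    // rather than "off + 4 > size" so a huge offset cannot wrap the addition.
    void set_le32(size_t off, uint32_t v) {
        if (off > size() || size() - off < 4)
            throw std::out_of_range("set_le32: 4-byte write at offset " + std::to_string(off)
                                    + " does not fit in " + std::to_string(size()) + " bytes");
        data_[off]     = static_cast<uint8_t>(v);
        data_[off + 1] = static_cast<uint8_t>(v >> 8);
        data_[off + 2] = static_cast<uint8_t>(v >> 16);
        data_[off + 3] = static_cast<uint8_t>(v >> 24);
    }

    uint32_t get_le32(size_t off) const {
        if (off > size() || size() - off < 4)
            throw std::out_of_range("get_le32: read out of range");
        return uint32_t(data_[off]) | (uint32_t(data_[off + 1]) << 8)
             | (uint32_t(data_[off + 2]) << 16) | (uint32_t(data_[off + 3]) << 24);
    }

private:
    std::vector<uint8_t> data_;
};

// Header sanity check.  Assumed rules (not UPX's exact ones): the image must be
// non-empty, the entry point must lie inside it with room for a 4-byte patch,
// and image plus relocation table must fit inside the file.  Rejecting here
// means no buffer is ever sized from inconsistent fields.
bool tmt_header_is_sane(const TmtHeaderInfo& h, uint64_t file_size) {
    if (h.imagesize == 0) return false;
    if (h.entry >= h.imagesize) return false;      // entry outside the image
    if (h.imagesize - h.entry < 4) return false;   // no room for a 32-bit patch
    // 64-bit arithmetic: the sum of two uint32_t cannot overflow here.
    if (uint64_t(h.imagesize) + h.relocsize > file_size) return false;
    return true;
}

// The header values from the fix's diagnostic.  The entry point lies past the
// 3-byte image, so the header is rejected before anything is allocated.
bool poc_header_is_rejected() {
    const TmtHeaderInfo h{0x3, 0xf, 0x1};
    return !tmt_header_is_sane(h, 64);
}

// Same shape as the ASan finding, against the checked buffer: a 4-byte store
// at offset 5 of a 5-byte buffer is refused, while an in-range store at
// offset 1 succeeds and reads back.
bool checked_buffer_catches_overflow() {
    CheckedBuffer buf(5);
    bool refused = false;
    try {
        buf.set_le32(5, 0xdeadbeefu);
    } catch (const std::out_of_range&) {
        refused = true;
    }
    buf.set_le32(1, 0x11223344u);
    return refused && buf.get_le32(1) == 0x11223344u;
}
```

The order of the two checks matters: validating the header first produces the clean "bad header" rejection seen in the diagnosis, while the range-checked store is the backstop that turns any remaining size miscalculation into a thrown exception rather than a silent heap write.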

@jreiser jreiser changed the title heap-buffer-overflow on set_ne32 heap-buffer-overflow in PackTmt::pack Nov 24, 2022
markus-oberhumer pushed a commit that referenced this issue Nov 27, 2022
@markus-oberhumer markus-oberhumer added this to the v4.0.2 milestone Nov 27, 2022