## Description
[upx](https://github.com/upx/upx) has a heap-buffer-overflow (an 8-byte out-of-bounds **read**) at /src/upx/src/util/../bele.h:124:5 in `get_ne64<void, void>`. Per the ASan report below, the read lands 4 bytes past the end of a 1436-byte `MemBuffer` allocated in `PackLinuxElf64::PackLinuxElf64help1` (p_lx_elf.cpp:1042), and is reached from `PackLinuxElf64::elf_find_Phdr_for_va` ← `sort_DT64_offsets` ← `invert_pt_dynamic` while `upx -d` probes a crafted ELF64 input for a matching unpacker. Because the bad access is a read, the observable impact is a crash (or a read of adjacent heap bytes) rather than memory corruption; whether it is exploitable beyond a denial of service has not been assessed here.
## Version

Note: the `upx` banner in the ASan log below prints `UPX git-8f7578+`, which is a different revision string from the commit hash given here; confirm which revision the fuzzer binary and PoC were built against before triaging.
```shell
commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d
```
## Harness
From https://github.com/google/oss-fuzz/blob/master/projects/upx/fuzzers/decompress_packed_file_fuzzer.cpp
```c++
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include "../src/headers.h"
#include "../src/conf.h"
#include "../src/file.h"
#include "../src/packmast.h"
// Open-mode enumerators with the implicit 0..3 values.  Nothing in the harness
// body below references them; presumably one of the project headers needs the
// names in scope — TODO confirm it is still required.
enum OpenMode {
    RO_MUST_EXIST,          // 0
    WO_MUST_EXIST_TRUNCATE, // 1
    WO_MUST_CREATE,         // 2
    WO_CREATE_OR_TRUNCATE   // 3
};
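extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    // upx_main() works on file paths, not buffers, so the fuzzer input is
    // spilled to a per-process temporary file and fed to `upx -d <in> -o <out>`
    // (this mirrors the oss-fuzz decompress_packed_file_fuzzer harness).
    char infilename[256];
    char outfilename[256];
    snprintf(infilename, sizeof infilename, "/tmp/libfuzzer.%d", getpid());
    snprintf(outfilename, sizeof outfilename, "/tmp/libfuzzer.%d.decompressed", getpid());

    // NOTE(review): the path is predictable and lives in the shared /tmp.
    // That is acceptable inside the libFuzzer sandbox, but a harness run on a
    // shared host should use mkstemp() so another user cannot pre-create or
    // symlink the file.
    FILE *fp = fopen(infilename, "wb");
    if (!fp) {
        return 0;
    }
    // fwrite() with size == 0 returns 0 by definition, so an empty input is
    // still written as an empty file.  Any other short write would make upx
    // analyse a truncated file and attribute the result to `data`; discard the
    // file and skip the input instead of reporting a misleading crash.
    const bool written = size == 0 || fwrite(data, size, 1, fp) == 1;
    if (fclose(fp) != 0 || !written) {
        unlink(infilename);
        return 0;
    }

    // upx_main() takes a mutable argv, hence the non-const character buffers.
    char argv_progname[4] = "upx";
    char argv_decompression[3] = "-d";
    char argv_output[3] = "-o";
    char* argv_data[] = {argv_progname, argv_decompression, infilename, argv_output, outfilename};
    const int argc = static_cast<int>(sizeof argv_data / sizeof argv_data[0]);
    try {
        upx_main(argc, argv_data);
    } catch (...) {
        // upx reports malformed input by throwing; only sanitizer-detected
        // memory errors should abort the fuzzer, so exceptions are swallowed
        // deliberately.
    }

    // Remove both files even if upx never created the output (unlink of a
    // missing path simply fails with ENOENT).
    unlink(infilename);
    unlink(outfilename);
    return 0;
}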
```
## Proof of Concept
The PoC can be obtained from Google Drive: https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing. Feeding it to the harness above is equivalent to running `upx -d <poc> -o <out>` on an ASan-instrumented build; the fault occurs during unpacker detection (`PackMaster::getUnpacker`, see the stack below), i.e. while upx is still parsing the input's ELF headers.
```shell
$ ./decompress_packed_file_fuzzer e50debd1-f539-49f2-8965-b9bed22d4a12
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1182468766
INFO: Loaded 1 modules (39313 inline 8-bit counters): 39313 [0xd3a518, 0xd43ea9),
INFO: Loaded 1 PC tables (39313 PCs): 39313 [0xbbbb28,0xc55438),
./decompress_packed_file_fuzzer: Running 1 inputs 1 time(s) each.
Running: e50debd1-f539-49f2-8965-b9bed22d4a12
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX git-8f7578+ Markus Oberhumer, Laszlo Molnar & John Reiser Jan 24th 2024
File size Ratio Format Name
-------------------- ------ ----------- -----------
=================================================================
==426145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001b20 at pc 0x0000008e55fe bp 0x7fffffffb750 sp 0x7fffffffb748
READ of size 8 at 0x61b000001b20 thread T0
#0 0x8e55fd in get_ne64<void, void> /src/upx/src/util/../bele.h:124:5
#1 0x8e55fd in get_le64<void, void> /src/upx/src/util/../bele.h:226:63
#2 0x8e55fd in N_BELE_RTP::LEPolicy::get64(void const*) const /src/upx/src/util/../bele_policy.h:175:52
#3 0x6e8a19 in get_te64<LE64, LE64> /src/upx/src/packer.h:281:22
#4 0x6e8a19 in PackLinuxElf64::elf_find_Phdr_for_va(unsigned long long, N_Elf64::Phdr<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned int) /src/upx/src/p_lx_elf.cpp:466:49
#5 0x74bede in PackLinuxElf64::sort_DT64_offsets(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*) /src/upx/src/p_lx_elf.cpp:7922:40
#6 0x6f5da9 in PackLinuxElf64::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned long long) /src/upx/src/p_lx_elf.cpp:8015:5
#7 0x6f45a8 in PackLinuxElf64::PackLinuxElf64help1(InputFile*) /src/upx/src/p_lx_elf.cpp:1071:13
#8 0x6f9d34 in PackLinuxElf64Le /src/upx/src/p_lx_elf.h:477:9
#9 0x6f9d34 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile*) /src/upx/src/p_lx_elf.cpp:1289:7
#10 0x856949 in PackMaster::visitAllPackers(upx::TriBool<int, false> (*)(PackerBase*, void*), InputFile*, Options const*, void*) /src/upx/src/packmast.cpp:198:9
#11 0x85ba0c in getUnpacker /src/upx/src/packmast.cpp:247:22
#12 0x85ba0c in PackMaster::unpack(OutputFile*) /src/upx/src/packmast.cpp:265:14
#13 0x8e71fd in do_one_file(char const*, char*) /src/upx/src/work.cpp:333:12
#14 0x8e8b88 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13
#15 0x6c0dee in upx_main(int, char**) /src/upx/src/main.cpp:1303:9
#16 0x5886d3 in LLVMFuzzerTestOneInput /src/upx/fuzzers/decompress_packed_file_fuzzer.cpp:44:5
#17 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#18 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#19 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#20 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#21 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#22 0x42b06d in _start (/home/zhangwei28/80result/upx/decompress_packed_file_fuzzer+0x42b06d)
0x61b000001b20 is located 4 bytes to the right of 1436-byte region [0x61b000001580,0x61b000001b1c)
allocated by thread T0 here:
#0 0x54af86 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x8bc385 in MemBuffer::alloc(unsigned long long) /src/upx/src/util/membuffer.cpp:179:24
#2 0x6f3f6e in PackLinuxElf64::PackLinuxElf64help1(InputFile*) /src/upx/src/p_lx_elf.cpp:1042:9
#3 0x6f9d34 in PackLinuxElf64Le /src/upx/src/p_lx_elf.h:477:9
#4 0x6f9d34 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile*) /src/upx/src/p_lx_elf.cpp:1289:7
#5 0x856949 in PackMaster::visitAllPackers(upx::TriBool<int, false> (*)(PackerBase*, void*), InputFile*, Options const*, void*) /src/upx/src/packmast.cpp:198:9
#6 0x85ba0c in getUnpacker /src/upx/src/packmast.cpp:247:22
#7 0x85ba0c in PackMaster::unpack(OutputFile*) /src/upx/src/packmast.cpp:265:14
#8 0x8e71fd in do_one_file(char const*, char*) /src/upx/src/work.cpp:333:12
#9 0x8e8b88 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13
#10 0x6c0dee in upx_main(int, char**) /src/upx/src/main.cpp:1303:9
#11 0x5886d3 in LLVMFuzzerTestOneInput /src/upx/fuzzers/decompress_packed_file_fuzzer.cpp:44:5
#12 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#13 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#14 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#15 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#16 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/upx/src/util/../bele.h:124:5 in get_ne64<void, void>
Shadow bytes around the buggy address:
0x0c367fff8310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff8360: 00 00 00 04[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==426145==ABORTING
```