## Description
[upx](https://github.com/upx/upx) has a heap-buffer-overflow (out-of-bounds read) in get_ne32<void, void> at /src/upx/src/util/../bele.h:117:5
## version
```shell
commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d
```
## Harness
From https://github.com/google/oss-fuzz/blob/master/projects/upx/fuzzers/list_packed_file_fuzzer.cpp
```c++
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include "../src/headers.h"
#include "../src/conf.h"
#include "../src/file.h"
#include "../src/packmast.h"
// Appears unused within this harness (nothing below references it); kept as in the oss-fuzz source.
enum OpenMode { RO_MUST_EXIST, WO_MUST_EXIST_TRUNCATE, WO_MUST_CREATE, WO_CREATE_OR_TRUNCATE };
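// libFuzzer entry point: persist the fuzz input to a temporary file and run
// `upx -l <file>` on it, so the packer's header parsers are exercised on
// untrusted input.
//
// @param data  fuzz input bytes (may be empty)
// @param size  number of bytes in data
// @return always 0, as libFuzzer expects
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    char infilename[256];
    char outfilename[256];
    // NOTE(review): pid-derived /tmp names are predictable; acceptable only
    // inside the fuzzing sandbox, not as a general temp-file pattern.
    snprintf(infilename, sizeof(infilename), "/tmp/libfuzzer.%d", getpid());
    snprintf(outfilename, sizeof(outfilename), "/tmp/libfuzzer.%d.decompressed", getpid());

    FILE* fp = fopen(infilename, "wb");
    if (!fp) {
        return 0;
    }
    // Write byte-wise so that a zero-length input is not reported as a
    // failure, and bail out on a short write or failed close: a truncated
    // file would make the run non-reproducible, because upx would then parse
    // different bytes than the fuzzer supplied.
    const bool written = fwrite(data, 1, size, fp) == size;
    const bool closed = fclose(fp) == 0;
    if (!written || !closed) {
        unlink(infilename);
        return 0;
    }

    // upx_main takes char**, so argv is built from writable local arrays.
    char argv_progname[4] = "upx";
    char argv_list_packed_files[3] = "-l";
    char* argv_data[] = {argv_progname, argv_list_packed_files, infilename};
    try {
        upx_main(3, argv_data);
    } catch (...) {
        // Any exception escaping upx_main is swallowed on purpose: for the
        // fuzzer only sanitizer reports matter, not upx's own error handling.
    }

    // Best-effort cleanup. outfilename is never passed to upx here; its
    // unlink is kept from the original harness and is harmless if absent.
    unlink(infilename);
    unlink(outfilename);
    return 0;
}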
```
## Proof of Concept
The PoC input can be obtained from Google Drive: https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing
```shell
$ ./list_packed_file_fuzzer 53643cff-063a-45bf-8064-714927747304
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 2772128182
INFO: Loaded 1 modules (39313 inline 8-bit counters): 39313 [0xd3a4d8, 0xd43e69),
INFO: Loaded 1 PC tables (39313 PCs): 39313 [0xbbbac8,0xc553d8),
./list_packed_file_fuzzer: Running 1 inputs 1 time(s) each.
Running: 53643cff-063a-45bf-8064-714927747304
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX git-8f7578+ Markus Oberhumer, Laszlo Molnar & John Reiser Jan 24th 2024
File size Ratio Format Name
-------------------- ------ ----------- -----------
=================================================================
==468045==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000002364 at pc 0x0000008e551d bp 0x7fffffffb7d0 sp 0x7fffffffb7c8
READ of size 4 at 0x61a000002364 thread T0
#0 0x8e551c in get_ne32<void, void> /src/upx/src/util/../bele.h:117:5
#1 0x8e551c in get_le32<void, void> /src/upx/src/util/../bele.h:224:59
#2 0x8e551c in N_BELE_RTP::LEPolicy::get32(void const*) const /src/upx/src/util/../bele_policy.h:174:48
#3 0x6e8809 in get_te32<LE32, LE32> /src/upx/src/packer.h:277:22
#4 0x6e8809 in PackLinuxElf32::elf_find_Phdr_for_va(unsigned int, N_Elf32::Phdr<N_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const*, unsigned int) /src/upx/src/p_lx_elf.cpp:455:49
#5 0x6feabb in PackLinuxElf32::sort_DT32_offsets(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const*) /src/upx/src/p_lx_elf.cpp:2009:34
#6 0x6e52a4 in PackLinuxElf32::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const*, unsigned int) /src/upx/src/p_lx_elf.cpp:2097:5
#7 0x6e387e in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /src/upx/src/p_lx_elf.cpp:359:13
#8 0x748e7d in PackLinuxElf32Le /src/upx/src/p_lx_elf.h:465:9
#9 0x748e7d in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /src/upx/src/p_lx_elf.cpp:7505:54
#10 0x749587 in PackBSDElf32x86 /src/upx/src/p_lx_elf.cpp:7530:50
#11 0x749587 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile*) /src/upx/src/p_lx_elf.cpp:7541:58
#12 0x855584 in PackMaster::visitAllPackers(upx::TriBool<int, false> (*)(PackerBase*, void*), InputFile*, Options const*, void*) /src/upx/src/packmast.cpp:194:9
#13 0x85bc47 in getUnpacker /src/upx/src/packmast.cpp:247:22
#14 0x85bc47 in PackMaster::list() /src/upx/src/packmast.cpp:277:14
#15 0x8e71d4 in do_one_file(char const*, char*) /src/upx/src/work.cpp:337:12
#16 0x8e8b08 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13
#17 0x6c0d6e in upx_main(int, char**) /src/upx/src/main.cpp:1303:9
#18 0x58865c in LLVMFuzzerTestOneInput /src/upx/fuzzers/list_packed_file_fuzzer.cpp:43:5
#19 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#20 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#21 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#22 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#23 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#24 0x42b06d in _start (/home/zhangwei28/80result/upx/list_packed_file_fuzzer+0x42b06d)
0x61a000002364 is located 1 bytes to the right of 1251-byte region [0x61a000001e80,0x61a000002363)
allocated by thread T0 here:
#0 0x54af86 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x8bc305 in MemBuffer::alloc(unsigned long long) /src/upx/src/util/membuffer.cpp:179:24
#2 0x6e32a3 in PackLinuxElf32::PackLinuxElf32help1(InputFile*) /src/upx/src/p_lx_elf.cpp:331:9
#3 0x748e7d in PackLinuxElf32Le /src/upx/src/p_lx_elf.h:465:9
#4 0x748e7d in PackLinuxElf32x86::PackLinuxElf32x86(InputFile*) /src/upx/src/p_lx_elf.cpp:7505:54
#5 0x749587 in PackBSDElf32x86 /src/upx/src/p_lx_elf.cpp:7530:50
#6 0x749587 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile*) /src/upx/src/p_lx_elf.cpp:7541:58
#7 0x855584 in PackMaster::visitAllPackers(upx::TriBool<int, false> (*)(PackerBase*, void*), InputFile*, Options const*, void*) /src/upx/src/packmast.cpp:194:9
#8 0x85bc47 in getUnpacker /src/upx/src/packmast.cpp:247:22
#9 0x85bc47 in PackMaster::list() /src/upx/src/packmast.cpp:277:14
#10 0x8e71d4 in do_one_file(char const*, char*) /src/upx/src/work.cpp:337:12
#11 0x8e8b08 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13
#12 0x6c0d6e in upx_main(int, char**) /src/upx/src/main.cpp:1303:9
#13 0x58865c in LLVMFuzzerTestOneInput /src/upx/fuzzers/list_packed_file_fuzzer.cpp:43:5
#14 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#15 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#16 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#17 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#18 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/upx/src/util/../bele.h:117:5 in get_ne32<void, void>
Shadow bytes around the buggy address:
0x0c347fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff8460: 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa fa
0x0c347fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff8490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==468045==ABORTING
```