Submit #304577: UPX upx commit 06b0de heap buffer-overflow

Title: UPX upx commit 06b0de heap buffer-overflow
Description:

## Description
[upx](https://github.com/upx/upx) has a stack-buffer-overflow at /src/upx/src/p_lx_elf.cpp:8613:32 in PackLinuxElf32::unpack(OutputFile*)

## version
```shell
commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d
```

## harness
From https://github.com/google/oss-fuzz/blob/master/projects/upx/fuzzers/test_packed_file_fuzzer.cpp

```c++
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>   // getpid(), unlink(); not included in the harness as posted

#include "../src/headers.h"
#include "../src/conf.h"
#include "../src/file.h"
#include "../src/packmast.h"

enum OpenMode { RO_MUST_EXIST, WO_MUST_EXIST_TRUNCATE, WO_MUST_CREATE, WO_CREATE_OR_TRUNCATE };

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    char infilename[256];
    char outfilename[256];
    // One temporary file per process, so parallel fuzzer jobs do not collide
    snprintf(infilename, 256, "/tmp/libfuzzer.%d", getpid());
    snprintf(outfilename, 256, "/tmp/libfuzzer.%d.decompressed", getpid());

    // Write the fuzzer-provided bytes out as the candidate packed file
    FILE *fp = fopen(infilename, "wb");
    if (!fp) {
        return 0;
    }
    fwrite(data, size, 1, fp);
    fclose(fp);

    // Equivalent of `upx -t <file>`: unpack the file in memory and verify it
    char argv_progname[4] = "upx";
    char argv_test_file[3] = "-t";
    char* argv_data[] = {argv_progname, argv_test_file, infilename};
    try {
        upx_main(3, argv_data);
    } catch(...) {
        // Ignore anything upx throws for malformed input; only sanitizer faults should abort
    }

    unlink(infilename);
    unlink(outfilename);
    return 0;
}
```

## Proof of Concept
The PoC can be obtained from Google Drive: https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing

```shell
$ ./test_packed_file_fuzzer 68c92d83-092f-4485-b5a8-e85fc37e264f
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 316691342
INFO: Loaded 1 modules (39313 inline 8-bit counters): 39313 [0xd3a4d8, 0xd43e69),
INFO: Loaded 1 PC tables (39313 PCs): 39313 [0xbbbac8,0xc553d8),
./test_packed_file_fuzzer: Running 1 inputs 1 time(s) each.
Running: 68c92d83-092f-4485-b5a8-e85fc37e264f
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2024
UPX git-8f7578+ Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 24th 2024

[WARNING] bad b_info at 0x6ae24
=================================================================
==1029132==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffc011 at pc 0x000000753f6a bp 0x7fffffffbc10 sp 0x7fffffffbc08
READ of size 1 at 0x7fffffffc011 thread T0
    #0 0x753f69 in PackLinuxElf32::unpack(OutputFile*) /src/upx/src/p_lx_elf.cpp:8613:32
    #1 0x83ac61 in Packer::doTest() /src/upx/src/packer.cpp:104:5
    #2 0x8e71aa in do_one_file(char const*, char*) /src/upx/src/work.cpp:335:12
    #3 0x8e8b08 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13
    #4 0x6c0d6e in upx_main(int, char**) /src/upx/src/main.cpp:1303:9
    #5 0x58865c in LLVMFuzzerTestOneInput /src/upx/fuzzers/test_packed_file_fuzzer.cpp:43:5
    #6 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
    #8 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
    #9 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x42b06d in _start (/home/zhangwei28/80result/upx/test_packed_file_fuzzer+0x42b06d)

Address 0x7fffffffc011 is located in stack of thread T0 at offset 1009 in frame
    #0 0x74f5ff in PackLinuxElf32::unpack(OutputFile*) /src/upx/src/p_lx_elf.cpp:8367

  This frame has 21 object(s):
    [32, 56) 'agg.tmp'
    [96, 120) 'agg.tmp38'
    [160, 172) 'hbuf' (line 8406)
    [192, 216) 'agg.tmp58'
    [256, 268) 'bhdr' (line 8414)
    [288, 312) 'agg.tmp78'
    [352, 368) 'u' (line 8424)
    [384, 388) 'c_adler' (line 8429)
    [400, 404) 'u_adler' (line 8430)
    [416, 432) 'o_elfhdrs' (line 8434)
    [448, 472) 'agg.tmp151'
    [512, 536) 'agg.tmp160'
    [576, 600) 'agg.tmp163'
    [640, 664) 'd_info' (line 8513)
    [704, 744) 'msg' (line 8520)
    [784, 808) 'agg.tmp417'
    [848, 860) 'b_peek' (line 8577)
    [880, 904) 'agg.tmp509'
    [944, 1008) 'peek_arr' (line 8592) <== Memory access at offset 1009 overflows this variable
    [1040, 1064) 'agg.tmp558'
    [1104, 1128) 'agg.tmp675'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /src/upx/src/p_lx_elf.cpp:8613:32 in PackLinuxElf32::unpack(OutputFile*)
Shadow bytes around the buggy address:
  0x10007fff77b0: 00 00 f2 f2 04 f2 04 f2 00 00 f2 f2 00 00 00 f2
  0x10007fff77c0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 f2
  0x10007fff77d0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f8 f8 f8
  0x10007fff77e0: f8 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 04
  0x10007fff77f0: f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00
=>0x10007fff7800: 00 00[f2]f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10007fff7810: 00 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1029132==ABORTING
```
Source: https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing
User: Anonymous User
Submission: 26.03.2024 09:09 (2 years ago)
Moderation: 02.04.2024 18:50 (7 days later)
Status: Duplicate
VulDB Entry: 259055 [UPX up to 4.2.2 bele.h get_ne64 buffer overflow]
Points: 0
