## Description
[upx](https://github.com/upx/upx) has a heap-buffer-overflow in `find_dt_ndx` at /src/upx/src/p_lx_elf.cpp:7944:26: a 4-byte read immediately past the end of a 52-byte heap region allocated in `PackLinuxElf64::sort_DT64_offsets`. It is reached through `PackLinuxElf64::invert_pt_dynamic` while `upx -l` inspects a crafted ELF64 input.
## Version
```shell
commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d
```
## Harness
From https://github.com/google/oss-fuzz/blob/master/projects/upx/fuzzers/list_packed_file_fuzzer.cpp
```c++
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>   // getpid(), unlink()

#include "../src/headers.h"
#include "../src/conf.h"
#include "../src/file.h"
#include "../src/packmast.h"

enum OpenMode { RO_MUST_EXIST, WO_MUST_EXIST_TRUNCATE, WO_MUST_CREATE, WO_CREATE_OR_TRUNCATE };

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    char infilename[256];
    char outfilename[256];
    // Write the fuzzer input to a per-process temp file; upx_main() only reads from disk.
    snprintf(infilename, 256, "/tmp/libfuzzer.%d", getpid());
    snprintf(outfilename, 256, "/tmp/libfuzzer.%d.decompressed", getpid());
    FILE *fp = fopen(infilename, "wb");
    if (!fp) {
        return 0;
    }
    fwrite(data, size, 1, fp);
    fclose(fp);

    // Equivalent to running `upx -l <infile>`: listing the file makes every
    // packer's constructor parse the input (see PackMaster::visitAllPackers in the trace).
    char argv_progname[4] = "upx";
    char argv_list_packed_files[3] = "-l";
    char* argv_data[] = {argv_progname, argv_list_packed_files, infilename};
    try {
        upx_main(3, argv_data);
    } catch(...) {
        // upx reports malformed input via exceptions; swallow them so that
        // only sanitizer findings abort the run.
    }
    unlink(infilename);
    unlink(outfilename);
    return 0;
}
```
## Proof of Concept
The PoC file can be downloaded from Google Drive: https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing
```shell
$ ./list_packed_file_fuzzer 0d5d1202-8bfc-49a4-92fe-4180dedef3a4
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 622433156
INFO: Loaded 1 modules (39313 inline 8-bit counters): 39313 [0xd3a4d8, 0xd43e69),
INFO: Loaded 1 PC tables (39313 PCs): 39313 [0xbbbac8,0xc553d8),
./list_packed_file_fuzzer: Running 1 inputs 1 time(s) each.
Running: 0d5d1202-8bfc-49a4-92fe-4180dedef3a4
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2024
UPX git-8f7578+ Markus Oberhumer, Laszlo Molnar & John Reiser Jan 24th 2024
File size Ratio Format Name
-------------------- ------ ----------- -----------
=================================================================
==1039472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000003b4 at pc 0x00000074c9c0 bp 0x7fffffffb990 sp 0x7fffffffb988
READ of size 4 at 0x6060000003b4 thread T0
#0 0x74c9bf in find_dt_ndx /src/upx/src/p_lx_elf.cpp:7944:26
#1 0x74c9bf in PackLinuxElf64::elf_find_table_size(unsigned int, unsigned int) /src/upx/src/p_lx_elf.cpp:7972:38
#2 0x6f60f1 in PackLinuxElf64::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned long long) /src/upx/src/p_lx_elf.cpp:8037:18
#3 0x6f4528 in PackLinuxElf64::PackLinuxElf64help1(InputFile*) /src/upx/src/p_lx_elf.cpp:1071:13
#4 0x6f9cb4 in PackLinuxElf64Le /src/upx/src/p_lx_elf.h:477:9
#5 0x6f9cb4 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile*) /src/upx/src/p_lx_elf.cpp:1289:7
#6 0x8568c9 in PackMaster::visitAllPackers(upx::TriBool<int, false> (*)(PackerBase*, void*), InputFile*, Options const*, void*) /src/upx/src/packmast.cpp:198:9
#7 0x85bc47 in getUnpacker /src/upx/src/packmast.cpp:247:22
#8 0x85bc47 in PackMaster::list() /src/upx/src/packmast.cpp:277:14
#9 0x8e71d4 in do_one_file(char const*, char*) /src/upx/src/work.cpp:337:12
#10 0x8e8b08 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13
#11 0x6c0d6e in upx_main(int, char**) /src/upx/src/main.cpp:1303:9
#12 0x58865c in LLVMFuzzerTestOneInput /src/upx/fuzzers/list_packed_file_fuzzer.cpp:43:5
#13 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#14 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#15 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#16 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#17 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#18 0x42b06d in _start (/home/zhangwei28/80result/upx/list_packed_file_fuzzer+0x42b06d)
0x6060000003b4 is located 0 bytes to the right of 52-byte region [0x606000000380,0x6060000003b4)
allocated by thread T0 here:
#0 0x54af86 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x8bc305 in MemBuffer::alloc(unsigned long long) /src/upx/src/util/membuffer.cpp:179:24
#2 0x74bb51 in PackLinuxElf64::sort_DT64_offsets(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*) /src/upx/src/p_lx_elf.cpp:7904:19
#3 0x6f5d29 in PackLinuxElf64::invert_pt_dynamic(N_Elf::Dyn<N_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const*, unsigned long long) /src/upx/src/p_lx_elf.cpp:8015:5
#4 0x6f4528 in PackLinuxElf64::PackLinuxElf64help1(InputFile*) /src/upx/src/p_lx_elf.cpp:1071:13
#5 0x6f9cb4 in PackLinuxElf64Le /src/upx/src/p_lx_elf.h:477:9
#6 0x6f9cb4 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile*) /src/upx/src/p_lx_elf.cpp:1289:7
#7 0x8568c9 in PackMaster::visitAllPackers(upx::TriBool<int, false> (*)(PackerBase*, void*), InputFile*, Options const*, void*) /src/upx/src/packmast.cpp:198:9
#8 0x85bc47 in getUnpacker /src/upx/src/packmast.cpp:247:22
#9 0x85bc47 in PackMaster::list() /src/upx/src/packmast.cpp:277:14
#10 0x8e71d4 in do_one_file(char const*, char*) /src/upx/src/work.cpp:337:12
#11 0x8e8b08 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13
#12 0x6c0d6e in upx_main(int, char**) /src/upx/src/main.cpp:1303:9
#13 0x58865c in LLVMFuzzerTestOneInput /src/upx/fuzzers/list_packed_file_fuzzer.cpp:43:5
#14 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#15 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6
#16 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9
#17 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#18 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/upx/src/p_lx_elf.cpp:7944:26 in find_dt_ndx
Shadow bytes around the buggy address:
0x0c0c7fff8020: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8030: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c7fff8040: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
0x0c0c7fff8060: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c7fff8070: 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa
0x0c0c7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1039472==ABORTING
```
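The report above pins the bug shape down precisely: the overflowing read is 4 bytes wide and lands 0 bytes past a 52-byte heap region (13 four-byte entries) that `sort_DT64_offsets` allocated, so `find_dt_ndx` reads entry 13 of a 13-entry table. The C program below is an added, deliberately generic model of that shape, written for this page and not taken from upx: a lookup that walks a sorted offset table without an upper bound, beside a bounded version that reports "not found" instead. The names (`make_sorted_offsets`, `find_ndx_unbounded`, `find_ndx_bounded`), the table contents and the absent-offset trigger are assumptions for illustration; upx's actual lookup logic and its fix may differ.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Table size matching the report: a 52-byte region holds 13 x uint32_t. */
#define N_OFFS (52 / sizeof(uint32_t))

/* Constructed sample table (hypothetical values): ascending 4-byte offsets,
 * standing in for the sorted dynamic-section offsets of the real code. */
uint32_t *make_sorted_offsets(size_t n) {
    uint32_t *offs = malloc(n * sizeof *offs);
    if (!offs) abort();
    for (size_t i = 0; i < n; i++)
        offs[i] = (uint32_t)(0x200 + i * 0x18);   /* 0x200, 0x218, 0x230, ... */
    return offs;
}

/* Unbounded lookup: relies on the caller passing an offset that is present.
 * For a 'target' larger than every entry the loop reads offs[n], 4 bytes
 * immediately past the allocation. Under ASan this yields a heap-buffer-
 * overflow READ of size 4, 0 bytes to the right of the region, the same
 * signature as the report above. */
int find_ndx_unbounded(const uint32_t *offs, uint32_t target) {
    int i = 0;
    while (offs[i] < target)      /* no check against the table length */
        i++;
    return i;
}

/* Bounded lookup: the index never reaches n; an absent offset yields -1,
 * which the caller must handle instead of indexing with it. */
int find_ndx_bounded(const uint32_t *offs, size_t n, uint32_t target) {
    for (size_t i = 0; i < n; i++) {
        if (offs[i] == target)
            return (int)i;
        if (offs[i] > target)     /* table is sorted: target cannot appear later */
            break;
    }
    return -1;
}

/* Build with ASan (cc -g -fsanitize=address) and pass any argument to
 * trigger the overflow; without an argument only the bounded lookup runs. */
int main(int argc, char **argv) {
    uint32_t *offs = make_sorted_offsets(N_OFFS);
    uint32_t present = offs[5];
    uint32_t absent  = offs[N_OFFS - 1] + 1;   /* larger than every entry */

    printf("bounded   present -> %d\n", find_ndx_bounded(offs, N_OFFS, present));
    printf("bounded   absent  -> %d\n", find_ndx_bounded(offs, N_OFFS, absent));
    if (argc > 1)
        printf("unbounded absent  -> %d\n", find_ndx_unbounded(offs, absent));
    free(offs);
    (void)argv;
    return 0;
}
```

The point of the bounded version is not the early `break` but that the caller receives a sentinel it must check; the report's "0 bytes to the right" is the signature of a loop or index that was allowed to reach exactly `n`.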