Invia #304574: UPX upx commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d buffer overflow — informazioni

Titolo: UPX upx commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d buffer overflow
Descrizione
## Description
[upx](https://github.com/upx/upx) has a heap-buffer-overflow in acc_safe_hread(int, void*, long) /src/miniacc.h:7151:24

The ASan trace below shows that the overflowing write is a read() of 295535 bytes into the 1651976-byte MemBuffer allocated in PackLinuxElf32::unpack (p_lx_elf.cpp:8413), reached through PackUnix::unpackExtent (p_unix.cpp:496) and landing 0 bytes past the end of that region — which suggests the extent length taken from the input file is not bounded by the remaining buffer capacity before the read is issued.

## version
```shell
commit 06b0de9c77551cd4e856d453e094d8a0b6ef0d6d
```
## harness
From https://github.com/google/oss-fuzz/blob/master/projects/upx/fuzzers/decompress_packed_file_fuzzer.cpp
```c++
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include "../src/headers.h"
#include "../src/conf.h"
#include "../src/file.h"
#include "../src/packmast.h"

enum OpenMode { RO_MUST_EXIST, WO_MUST_EXIST_TRUNCATE, WO_MUST_CREATE, WO_CREATE_OR_TRUNCATE };

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    char infilename[256];
    char outfilename[256];
    snprintf(infilename, 256, "/tmp/libfuzzer.%d", getpid());
    snprintf(outfilename, 256, "/tmp/libfuzzer.%d.decompressed", getpid());
    FILE *fp = fopen(infilename, "wb");
    if (!fp) {
        return 0;
    }
    fwrite(data, size, 1, fp);
    fclose(fp);
    char argv_progname[4] = "upx";
    char argv_decompression[3] = "-d";
    char argv_output[3] = "-o";
    char* argv_data[] = {argv_progname, argv_decompression, infilename, argv_output, outfilename};
    try {
        upx_main(5, argv_data);
    } catch(...) {
    }
    unlink(infilename);
    unlink(outfilename);
    return 0;
}
```
## Proof of Concept
The poc can be obtained from Google Drive: https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing
```shell
$ ./decompress_packed_file_fuzzer ff83b274-f388-416f-a5c4-4d9f7bf7906f
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 1488372209
INFO: Loaded 1 modules (39313 inline 8-bit counters): 39313 [0xd3a518, 0xd43ea9),
INFO: Loaded 1 PC tables (39313 PCs): 39313 [0xbbbb28,0xc55438),
./decompress_packed_file_fuzzer: Running 1 inputs 1 time(s) each.
Running: ff83b274-f388-416f-a5c4-4d9f7bf7906f Ultimate Packer for eXecutables Copyright (C) 1996 - 2024 UPX git-8f7578+ Markus Oberhumer, Laszlo Molnar & John Reiser Jan 24th 2024 File size Ratio Format Name -------------------- ------ ----------- ----------- ================================================================= ==438977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffff38f7d08 at pc 0x0000004e4ffc bp 0x7fffffffb0b0 sp 0x7fffffffa888 WRITE of size 295535 at 0x7ffff38f7d08 thread T0 #0 0x4e4ffb in __interceptor_read /src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1025:16 #1 0x8d1ba4 in acc_safe_hread(int, void*, long) /src/upx/src/util/../miniacc.h:7151:24 #2 0x6765a7 in InputFile::read(XSpan::PtrOrSpan<void>, long long) /src/upx/src/file.cpp:193:14 #3 0x6767f4 in InputFile::readx(XSpan::PtrOrSpan<void>, long long) /src/upx/src/file.cpp:200:19 #4 0x7e9494 in PackUnix::unpackExtent(unsigned int, OutputFile*, unsigned int&, unsigned int&, bool, int) /src/upx/src/p_unix.cpp:496:13 #5 0x73c62e in PackLinuxElf32::un_shlib_1(OutputFile*, MemBuffer&, unsigned int&, unsigned int&, unsigned int) /src/upx/src/p_lx_elf.cpp:6716:32 #6 0x750787 in PackLinuxElf32::unpack(OutputFile*) /src/upx/src/p_lx_elf.cpp:8443:9 #7 0x83ac1f in Packer::doUnpack(OutputFile*) /src/upx/src/packer.cpp:98:5 #8 0x8e71fd in do_one_file(char const*, char*) /src/upx/src/work.cpp:333:12 #9 0x8e8b88 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13 #10 0x6c0dee in upx_main(int, char**) /src/upx/src/main.cpp:1303:9 #11 0x5886d3 in LLVMFuzzerTestOneInput /src/upx/fuzzers/decompress_packed_file_fuzzer.cpp:44:5 #12 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #13 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6 #14 0x43ff81 in 
fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9 #15 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #16 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16 #17 0x42b06d in _start (/home/zhangwei28/80result/upx/decompress_packed_file_fuzzer+0x42b06d) 0x7ffff38f7d08 is located 0 bytes to the right of 1651976-byte region [0x7ffff3764800,0x7ffff38f7d08) allocated by thread T0 here: #0 0x54af86 in __interceptor_malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3 #1 0x8bc385 in MemBuffer::alloc(unsigned long long) /src/upx/src/util/membuffer.cpp:179:24 #2 0x74ffd2 in PackLinuxElf32::unpack(OutputFile*) /src/upx/src/p_lx_elf.cpp:8413:10 #3 0x83ac1f in Packer::doUnpack(OutputFile*) /src/upx/src/packer.cpp:98:5 #4 0x8e71fd in do_one_file(char const*, char*) /src/upx/src/work.cpp:333:12 #5 0x8e8b88 in do_files(int, int, char**) /src/upx/src/work.cpp:421:13 #6 0x6c0dee in upx_main(int, char**) /src/upx/src/main.cpp:1303:9 #7 0x5886d3 in LLVMFuzzerTestOneInput /src/upx/fuzzers/decompress_packed_file_fuzzer.cpp:44:5 #8 0x459d13 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15 #9 0x434ea2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:337:6 #10 0x43ff81 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:1053:9 #11 0x4740b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #12 0x7ffff7c43082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16 SUMMARY: AddressSanitizer: heap-buffer-overflow 
/src/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1025:16 in __interceptor_read Shadow bytes around the buggy address: 0x10007e716f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e716f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e716f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e716f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007e716f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007e716fa0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e716fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e716fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e716fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e716fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x10007e716ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==438977==ABORTING ```
Fonte: ⚠️ https://drive.google.com/drive/folders/1qlUXvycOzGJygfkdQB9dGO6VwNRRZoih?usp=sharing
Utente
 Anonymous User
Sottomissione: 26/03/2024 09:08 (2 anni fa)
Moderazione: 02/04/2024 20:10 (7 days later)
Stato: Duplicato
Voce VulDB: 259055 [UPX fino a 4.2.2 bele.h get_ne64 buffer overflow]
Punti: 0
