CVE-2021-43316: [bug] segv fault in get_le64() · Issue #381 · upx/upx
What’s the problem (or question)?
A heap-based buffer overflow was discovered in upx: the generic pointer ‘p’ points to an inaccessible address in func get_le64(). The issue can cause a denial of service. The issue is different from issue #367 and issue #368.
ASAN reports:
ASAN:SIGSEGV
==113201==ERROR: AddressSanitizer: SEGV on unknown address 0x630011d04b20 (pc 0x0000005292e0 bp 0x000000000022 sp 0x7ffebc640bc8 T0)
    #0 0x5292df in get_le64(void const*) /home/test/Desktop/EVAULATION/upx/src/bele_policy.h:193
    #1 0x5292df in N_BELE_RTP::LEPolicy::get64(void const*) const /home/test/Desktop/EVAULATION/upx/src/bele_policy.h:194
    #2 0x45784b in Packer::get_te64(void const*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:297
    #3 0x45784b in PackLinuxElf64::elf_lookup(char const*) const /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.cpp:5423
    #4 0x46f7eb in PackLinuxElf64::PackLinuxElf64help1(InputFile*) /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.cpp:805
    #5 0x470479 in PackLinuxElf64Le::PackLinuxElf64Le(InputFile*) /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.h:407
    #6 0x470479 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile*) /home/test/Desktop/EVAULATION/upx/src/p_lx_elf.cpp:1008
    #7 0x4f34b2 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:194
    #8 0x4f50f9 in PackMaster::getUnpacker(InputFile*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #9 0x4f521f in PackMaster::unpack(OutputFile*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #10 0x52a1e6 in do_one_file(char const*, char*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #11 0x52a69e in do_files(int, int, char**) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #12 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #13 0x7fc4129b682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x404828 in _start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/test/Desktop/EVAULATION/upx/src/bele_policy.h:193 get_le64(void const*)
==113201==ABORTING
The essential cause of the bug is in PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5423:
upx_uint64_t const w = get_te64(&bitmask[(n_bitmask -1) & (h>>6)]);
What should have happened?
Decompress a crafted/suspicious file.
Do you have an idea for a solution?
We are very grateful to @jreiser for patching the bucket in p_lx_elf.cpp in issue #367. However, in fact, all places involving get_te64() should be strengthened in upx, especially in p_lx_elf.cpp. The position we reported should be patched at least:
position in PackLinuxElf64::elf_lookup() at p_lx_elf.cpp:5423
upx_uint64_t const w = get_te64(&bitmask[(n_bitmask -1) & (h>>6)]);
How can we reproduce the issue?
- compile upx with AddressSanitizer
- execute cmd
upx.out -df $PoC -o /dev/null
PoC can be found here.
Please tell us details about your environment.
- UPX version used (upx --version): upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch), UCL data compression library 1.03, zlib data compression library 1.2.8, LZMA SDK version 4.43
- Host Operating System and version: Ubuntu 16.04 64-bit
- Host CPU architecture: Intel® Core™ i5-6200U CPU @ 2.30GHz with 8GB
- Target Operating System and version: same as Host
- Target CPU architecture: same as Host
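The unchecked lookup quoted under "Do you have an idea for a solution?" beside a bounds-checked form, as an added example written for this page (not UPX's code and not the project's patch); the byte-based bitmask pointer, the file-buffer layout, the sample offsets and the sample words are constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Little-endian 64-bit read, mirroring what get_le64() in bele_policy.h does
// (reimplemented here; not UPX's code).
static uint64_t get_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}

// The lookup as quoted from p_lx_elf.cpp:5423, with bitmask as a byte pointer.
// The mask keeps the index below n_bitmask only when n_bitmask is a power of
// two, and nothing here checks that the bitmask array lies inside the file
// image, so a crafted DT_GNU_HASH header can send get_le64() out of bounds.
static uint64_t bloom_word_unchecked(const uint8_t *bitmask, uint64_t n_bitmask,
                                     uint32_t h) {
    return get_le64(&bitmask[8 * ((n_bitmask - 1) & (h >> 6))]);
}

// Hardened form (illustrative, not the project's fix): reject an n_bitmask that
// is zero or not a power of two, and reject an array that would extend past
// the end of the file buffer, before any word is read.
static bool bloom_word_checked(const std::vector<uint8_t> &file, size_t bitmask_off,
                               uint64_t n_bitmask, uint32_t h, uint64_t *out) {
    if (n_bitmask == 0 || (n_bitmask & (n_bitmask - 1)) != 0) return false;
    if (n_bitmask > SIZE_MAX / 8) return false;   // avoid overflow in the byte count
    size_t bytes = static_cast<size_t>(n_bitmask) * 8;
    if (bitmask_off > file.size() || bytes > file.size() - bitmask_off) return false;
    size_t idx = static_cast<size_t>((n_bitmask - 1) & (h >> 6));
    *out = get_le64(&file[bitmask_off + 8 * idx]);
    return true;
}

// Constructed sample image: 8 bytes of padding, then a two-word bitmask.
static std::vector<uint8_t> sample_image() {
    std::vector<uint8_t> f(8, 0);
    const uint64_t words[2] = {0x1122334455667788ULL, 0x8877665544332211ULL};
    for (uint64_t w : words)
        for (int i = 0; i < 8; ++i) f.push_back(static_cast<uint8_t>(w >> (8 * i)));
    return f;
}
```

With a header that claims more bitmask words than the file holds, or a zero count (whose mask becomes all ones), the checked form returns false instead of dereferencing past the buffer.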