Headline
CVE-2021-46179: Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275 · Issue #545 · upx/upx
Reachable Assertion vulnerability in upx before 4.0.0 allows attackers to cause a denial of service via crafted file passed to the the readx function.
What’s the problem (or question)?
Assertion `(unsigned)len <= buf->getSize()' failed in file.cpp:275
upx.out: file.cpp:275: virtual int InputFile::readx(MemBuffer*, int): Assertion `(unsigned)len <= buf->getSize()' failed. Program received signal SIGABRT, Aborted.
pwndbg> bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7bcc859 in __GI_abort () at abort.c:79
#2 0x00007ffff7bcc729 in __assert_fail_base (fmt=0x7ffff7d62588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=<optimized out>) at assert.c:92
#3 0x00007ffff7bddf36 in __GI___assert_fail (assertion=0x5555555f5618 "(unsigned)len <= buf->getSize()", file=0x5555557067b1 "file.cpp", line=275, function=0x5555555f5638 "virtual int InputFile::readx(MemBuffer*, int)") at assert.c:101
#4 0x000055555558a280 in InputFile::readx(MemBuffer*, int) ()
#5 0x00005555555c5969 in PackUnix::packExtent(PackUnix::Extent const&, Filter*, OutputFile*, unsigned int, unsigned int) ()
#6 0x00005555555b4fb2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::pack2(OutputFile*, Filter&) ()
#7 0x00005555555c4d98 in PackUnix::pack(OutputFile*) ()
#8 0x00005555555d6028 in Packer::doPack(OutputFile*) ()
#9 0x00005555555eacd3 in do_one_file(char const*, char*) ()
#10 0x00005555555eaf8f in do_files(int, int, char**) ()
#11 0x00005555555973c7 in upx_main(int, char**) ()
#12 0x000055555557c4e2 in main ()
#13 0x00007ffff7bce0b3 in __libc_start_main (main=0x55555557c3e0 <main>, argc=2, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
#14 0x000055555557c5fe in _start ()
What should have happened?
No crash.
Do you have an idea for a solution?
No.
How can we reproduce the issue?
1.make
2…/src/upx.out ./poc
poc.zip
Please tell us details about your environment.
- ./upx.out --version
upx 4.0.0-git-5d1347a359bb
UCL data compression library 1.03
zlib data compression library 1.2.11
LZMA SDK version 4.43 - Host Operating System and version: Ubuntu 20.04 focal
- Host CPU architecture: AMD E
poc.zip
PYC 7742 64-Core @ 16x 2.25GHz - Target Operating System and version: Ubuntu 20.04 focal
- Target CPU architecture: AMD EPYC 7742 64-Core @ 16x 2.25GHz