
There is a heap-buffer-overflow in the canUnpack function of p_mach.cpp:1539 #315

Closed

gutiniao opened this issue Nov 14, 2019 · 4 comments

@gutiniao

A crafted input will lead to a crash in p_mach.cpp at UPX 3.95 (latest version, git clone from branch devel)

Triggered by
./upx.out -d -f POC

OS: Ubuntu 18.04.3 LTS

CPU architecture: x86_64

Poc: 002

The ASAN information is as follows:

./upx.out -d -f 002
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2019
UPX git-75a2cc  Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 24th 2019

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
=================================================================
==24764==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010 at pc 0x56476d2e5ab3 bp 0x7ffc2f050250 sp 0x7ffc2f050240
READ of size 4 at 0x602000000010 thread T0
    #0 0x56476d2e5ab2 in get_le32(void const*) /home/liuz/upx-asan/upx_new/upx/src/bele.h:164
    #1 0x56476d2e5ab2 in LE32::operator unsigned int() const /home/liuz/upx-asan/upx_new/upx/src/bele.h:416
    #2 0x56476d2e5ab2 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/liuz/upx-asan/upx_new/upx/src/p_mach.cpp:1539
    #3 0x56476d3555a6 in try_unpack /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:114
    #4 0x56476d356ad5 in PackMaster::visitAllPackers(Packer* (*)(Packer*, void*), InputFile*, options_t const*, void*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:225
    #5 0x56476d3582b0 in PackMaster::getUnpacker(InputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:248
    #6 0x56476d3583cf in PackMaster::unpack(OutputFile*) /home/liuz/upx-asan/upx_new/upx/src/packmast.cpp:266
    #7 0x56476d3944ee in do_one_file(char const*, char*) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:160
    #8 0x56476d39499f in do_files(int, int, char**) /home/liuz/upx-asan/upx_new/upx/src/work.cpp:271
    #9 0x56476d2253e6 in main /home/liuz/upx-asan/upx_new/upx/src/main.cpp:1543
    #10 0x7ff90c80eb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #11 0x56476d226549 in _start (/home/liuz/upx-asan/upx_new/upx/src/upx.out+0x5c549)

0x602000000011 is located 0 bytes to the right of 1-byte region [0x602000000010,0x602000000011)
allocated by thread T0 here:
    #0 0x7ff90d68c618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
    #1 0x56476d2e3bc9 in PackMachBase<N_Mach::MachClass_64<N_BELE_CTP::LEPolicy> >::canUnpack() /home/liuz/upx-asan/upx_new/upx/src/p_mach.cpp:1525

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/liuz/upx-asan/upx_new/upx/src/bele.h:164 in get_le32(void const*)
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24764==ABORTING
jreiser added a commit that referenced this issue Nov 16, 2019
@jreiser (Collaborator) commented Nov 16, 2019

Fixed at tip of devel branch.

$ ../upx.out -d -f -o foo 002 --info
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2019
UPX git-819c33+ Markus Oberhumer, Laszlo Molnar & John Reiser   Feb 24th 2019

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
[WARNING] Mach_header.sizeofcmds = 0 too small

upx.out: 002: CantUnpackException: file corrupted

Omit the --info to suppress the details.

@jreiser jreiser closed this as completed Nov 29, 2019
@carnil commented Dec 27, 2019

CVE-2019-20021 has been assigned for this issue.

@markus-oberhumer markus-oberhumer added this to the v3.96 milestone Jan 16, 2020
@chrisbward

Did a fix for this ship in 3.96? I checked the release notes and couldn't find a mention of CVE-2019-20021

@jreiser (Collaborator) commented Sep 12, 2021

Issues generally are tracked by Github issue number. UPX ignores CVE; the CVE system is trash which should be carried out and discarded.

commit 819c33fee2b2c33b96bef27a13cb20f2589819aa
Author: John Reiser <[email protected]>
Date:   Fri Nov 15 21:32:06 2019 -0800

    Detect malformed Mach-o file in ::canUnpack()

    https://github.com/upx/upx/issues/314
    https://github.com/upx/upx/issues/315
            modified:   p_mach.cpp
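As an added illustration (not UPX's own code and not the change in commit 819c33), this is the class of check the "sizeofcmds = 0 too small" warning corresponds to: validate the Mach-O load-command table against the header and the file size before allocating a buffer for it or reading any 32-bit field from it. It assumes the standard mach_header_64 and load_command layouts; the sample file it builds is constructed here, not the issue's POC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MH_MAGIC_64 0xfeedfacfu   /* 64-bit Mach-O magic, little-endian on disk */
#define MH64_SIZE   32u           /* sizeof(struct mach_header_64) */
#define LC_SIZE     8u            /* sizeof(struct load_command): cmd + cmdsize */

/* Little-endian 32-bit read; every caller below checks bounds before calling it. */
static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

/* Validate the load-command table of a 64-bit Mach-O image held in buf[0..len).
 * Returns NULL when the table is safe to parse, otherwise a short reason to reject
 * the file. Runs before any buffer for the commands is allocated or read. */
const char *mach64_check_cmds(const unsigned char *buf, size_t len) {
    if (len < MH64_SIZE || get_le32(buf) != MH_MAGIC_64) return "not a 64-bit Mach-O header";
    uint32_t ncmds = get_le32(buf + 16), sizeofcmds = get_le32(buf + 20);
    /* The crash case: sizeofcmds = 0 leaves no room for even one load_command. */
    if (sizeofcmds < LC_SIZE || ncmds == 0) return "Mach_header.sizeofcmds too small";
    /* Compare in size_t so an attacker-chosen sizeofcmds cannot wrap the arithmetic. */
    if ((size_t)sizeofcmds > len - MH64_SIZE) return "sizeofcmds exceeds file size";
    size_t off = MH64_SIZE, end = MH64_SIZE + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < LC_SIZE) return "load_command header past end of table";
        uint32_t cmdsize = get_le32(buf + off + 4);
        if (cmdsize < LC_SIZE || cmdsize > end - off) return "bad load_command.cmdsize";
        off += cmdsize;
    }
    return NULL;
}

/* Constructed sample input (hypothetical, not the issue's POC): one 16-byte command. */
int build_sample(unsigned char *f, size_t len, uint32_t sizeofcmds) {
    if (len < 48) return 0;
    memset(f, 0, len);
    put_le32(f, MH_MAGIC_64);
    put_le32(f + 16, 1);            /* ncmds */
    put_le32(f + 20, sizeofcmds);   /* 16 for a sane file, 0 to mimic the malformed input */
    put_le32(f + 32, 0x19);         /* LC_SEGMENT_64 */
    put_le32(f + 36, 16);           /* cmdsize */
    return 1;
}
```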
