From 036d46679094c7461cae51354425fade79db299b Mon Sep 17 00:00:00 2001 From: John Reiser Date: Thu, 23 Aug 2012 14:25:32 -0700 Subject: [PATCH] allow 3-byte decompressor overrun; fix DEBUG decimal(); unify with i386 --- src/stub/amd64-darwin.macho-fold.h | 112 +++++++++++++------------ src/stub/src/amd64-darwin.macho-main.c | 19 +++-- 2 files changed, 70 insertions(+), 61 deletions(-) diff --git a/src/stub/amd64-darwin.macho-fold.h b/src/stub/amd64-darwin.macho-fold.h index 29d8dcd9..773b2488 100644 --- a/src/stub/amd64-darwin.macho-fold.h +++ b/src/stub/amd64-darwin.macho-fold.h @@ -1,5 +1,5 @@ /* amd64-darwin.macho-fold.h - created from amd64-darwin.macho-fold.bin, 1372 (0x55c) bytes + created from amd64-darwin.macho-fold.bin, 1402 (0x57a) bytes This file is part of the UPX executable compressor. @@ -31,11 +31,11 @@ */ -#define STUB_AMD64_DARWIN_MACHO_FOLD_SIZE 1372 -#define STUB_AMD64_DARWIN_MACHO_FOLD_ADLER32 0x35053e52 -#define STUB_AMD64_DARWIN_MACHO_FOLD_CRC32 0x488007f4 +#define STUB_AMD64_DARWIN_MACHO_FOLD_SIZE 1402 +#define STUB_AMD64_DARWIN_MACHO_FOLD_ADLER32 0x8b0152b4 +#define STUB_AMD64_DARWIN_MACHO_FOLD_CRC32 0xc7d8d8e2 -unsigned char stub_amd64_darwin_macho_fold[1372] = { +unsigned char stub_amd64_darwin_macho_fold[1402] = { /* 0x0000 */ 232, 80, 0, 0, 0,131,249, 73,117, 74, 72,137,241, 72,137,254, /* 0x0010 */ 235, 44,138, 7, 72,131,199, 1, 60,128,114, 10, 60,143,119, 6, /* 0x0020 */ 128,127,254, 15,116, 6, 44,232, 60, 1,119, 35, 56, 23,117, 31, 
@@ -43,7 +43,7 @@ unsigned char stub_amd64_darwin_macho_fold[1372] = { /* 0x0040 */ 233, 4,138, 7, 72,131,199, 1, 72,255,201,117,217,235, 5, 72, /* 0x0050 */ 255,201,117,190,195, 65, 89, 72,137,223,139, 51, 72, 41,247,106, /* 0x0060 */ 0,184, 0, 8, 0, 0,139, 79, 24, 57,193, 15, 66,200, 73,137, -/* 0x0070 */ 232, 73,137,228, 72, 41,204, 72,137,226, 65, 84,232,115, 3, 0, +/* 0x0070 */ 232, 73,137,228, 72, 41,204, 72,137,226, 65, 84,232,145, 3, 0, /* 0x0080 */ 0, 76,137,228,255,160,128, 0, 0, 0,139, 7, 15,200,137, 7, /* 0x0090 */ 131,238, 4, 72,141,127, 4,119,241,195,176, 4,235, 2,176, 1, /* 0x00a0 */ 235, 2,176, 74,235, 2,176, 73,235, 2,176,153,235, 2,176, 6, 
@@ -69,57 +69,59 @@ unsigned char stub_amd64_darwin_macho_fold[1372] = { /* 0x01e0 */ 254,255,255,139, 84, 36, 16, 72,139, 3, 72, 1, 83, 8, 72, 41, /* 0x01f0 */ 208, 72,133,192, 72,137, 3,233, 38,255,255,255, 72,131,196, 40, /* 0x0200 */ 91, 93, 65, 92, 65, 93,195, 65, 87, 73,137,215, 65, 86, 65, 85, -/* 0x0210 */ 65, 84, 73,137,252, 73,131,196, 32, 85, 83, 72,131,236, 88, 72, +/* 0x0210 */ 73,137,253, 73,131,197, 32, 65, 84, 85, 83, 72,131,236, 88, 72, /* 0x0220 */ 139,132, 36,144, 0, 0, 0, 72,137,124, 36, 56,137,116, 36, 52, /* 0x0230 */ 137, 76, 36, 48, 76,137, 68, 36, 40, 76,137, 76, 36, 32, 72,137, /* 0x0240 */ 68, 36, 24, 49,192, 59, 71, 16, 72,199, 68, 36, 16, 0, 0, 0, -/* 0x0250 */ 0,199, 68, 36, 12, 0, 0, 0, 0, 15,131,129, 1, 0, 0, 65, -/* 0x0260 */ 139, 4, 36,131,248, 25, 15,133, 48, 1, 0, 0, 73,139, 76, 36, -/* 0x0270 */ 32, 72,133,201, 15,132, 34, 1, 0, 0, 73,139, 68, 36, 24, 73, -/* 0x0280 */ 139, 84, 36, 48, 72,137,195, 72,137,197, 73,137,213,129,227,255, -/* 0x0290 */ 15, 0, 0, 72,137, 84, 36, 64, 72,137, 68, 36, 72, 72, 41,221, -/* 0x02a0 */ 73, 1,221, 76,141, 52, 8,116, 64, 77,133,255,117, 10, 72,133, -/* 0x02b0 */ 210,185, 18, 0, 0, 0,117, 5,185, 18, 16, 0, 0, 65,131,200, -/* 0x02c0 */ 255, 68,139, 76, 36, 52, 72,133,210, 68, 15, 69, 68, 36, 48, 69, -/* 0x02d0 */ 3, 76, 36, 40,186, 3, 0, 0, 0, 76,137,238, 72,137,239,232, -/* 0x02e0 */ 210,253,255,255, 72, 57,197,117,113, 77,133,255,116, 47, 73,131, -/* 0x02f0 */ 124, 36, 48, 0,116, 39, 73,131,124, 36, 40, 0,117, 8, 72,139, -/* 0x0300 */ 84, 36, 40, 72,137, 42, 72,139, 76, 36, 24, 72,139, 84, 36, 32, -/* 0x0310 */ 72,141,116, 36, 64, 76,137,255,232,235,253,255,255, 76,137,235, -/* 0x0320 */ 74,141, 84, 45, 0, 72,247,219,129,227,255, 15, 0, 0, 72,137, -/* 0x0330 */ 216, 72,133,219,116, 11,198, 2, 0, 72,255,194, 72,255,200,235, -/* 0x0340 */ 243, 77,133,237,116, 30, 65,139, 84, 36, 60, 76,137,238, 72,137, +/* 0x0250 */ 0,199, 68, 36, 12, 0, 0, 0, 0, 15,131,159, 1, 0, 0, 65, +/* 0x0260 */ 139, 69, 
0,131,248, 25, 15,133, 81, 1, 0, 0, 73,139, 85, 32, +/* 0x0270 */ 72,133,210, 15,132, 68, 1, 0, 0, 73,139,125, 24, 73,139, 69, +/* 0x0280 */ 48, 72,137,251, 72,137,253, 73,137,196,129,227,255, 15, 0, 0, +/* 0x0290 */ 72,137, 68, 36, 64, 72,137,124, 36, 72, 72, 41,221, 73, 1,220, +/* 0x02a0 */ 76,141, 52, 23,116, 70, 77,133,255, 76,137,230,116, 7, 73,141, +/* 0x02b0 */ 116, 36, 3,235, 10, 72,133,192,185, 18, 0, 0, 0,117, 5,185, +/* 0x02c0 */ 18, 16, 0, 0, 65,131,200,255, 68,139, 76, 36, 52, 72,133,192, +/* 0x02d0 */ 68, 15, 69, 68, 36, 48, 69, 3, 77, 40,186, 3, 0, 0, 0, 72, +/* 0x02e0 */ 137,239,232,207,253,255,255, 72, 57,197,117,110, 77,133,255,116, +/* 0x02f0 */ 45, 73,131,125, 48, 0,116, 38, 73,131,125, 40, 0,117, 8, 72, +/* 0x0300 */ 139, 84, 36, 40, 72,137, 42, 72,139, 76, 36, 24, 72,139, 84, 36, +/* 0x0310 */ 32, 72,141,116, 36, 64, 76,137,255,232,234,253,255,255, 76,137, +/* 0x0320 */ 227, 74,141, 84, 37, 0, 72,247,219,129,227,255, 15, 0, 0, 72, +/* 0x0330 */ 137,216, 72,133,219,116, 11,198, 2, 0, 72,255,194, 72,255,200, +/* 0x0340 */ 235,243, 77,133,228,116, 29, 65,139, 85, 60, 76,137,230, 72,137, /* 0x0350 */ 239,232, 76,253,255,255,133,192,116, 10,191,127, 0, 0, 0,232, -/* 0x0360 */ 58,253,255,255, 73,141, 68, 29, 0, 72, 1,197, 76, 57,245,115, -/* 0x0370 */ 82, 72,133,237,116, 77, 65,139, 84, 36, 60, 73, 41,238, 69, 49, -/* 0x0380 */ 201, 65,131,200,255,185, 18, 16, 0, 0, 76,137,246, 72,137,239, -/* 0x0390 */ 232, 33,253,255,255, 72, 57,197,116, 41,235,190,131,232, 4,131, -/* 0x03a0 */ 248, 1,119, 31, 72,184, 4, 0, 0, 0, 42, 0, 0, 0, 73, 57, -/* 0x03b0 */ 68, 36, 8, 73,141, 84, 36, 16, 72, 15, 69, 84, 36, 16, 72,137, -/* 0x03c0 */ 84, 36, 16, 65,139, 68, 36, 4,255, 68, 36, 12,139, 84, 36, 12, -/* 0x03d0 */ 73, 1,196, 72,139, 68, 36, 56, 59, 80, 16,233,121,254,255,255, -/* 0x03e0 */ 72,139, 68, 36, 16, 72,131,196, 88, 91, 93, 65, 92, 65, 93, 65, -/* 0x03f0 */ 94, 65, 95,195, 65, 86, 73,137,206, 49,201, 65, 85, 69, 49,237, -/* 0x0400 */ 65, 84, 77,137,204, 
85, 72,137,213, 72,141, 87, 24, 83, 76,137, -/* 0x0410 */ 195, 72,131,236, 64,139,127, 24, 72,137,116, 36, 56, 72,139, 68, -/* 0x0420 */ 36, 56, 72,141,116, 36, 16, 72,137, 84, 36, 40, 72,137, 84, 36, -/* 0x0430 */ 8, 76,137,194, 72,137,108, 36, 24, 72,137,124, 36, 16, 72,141, -/* 0x0440 */ 124, 36, 32, 72,131,232, 24, 72,137, 68, 36, 32, 72,137, 4, 36, -/* 0x0450 */ 232,179,252,255,255, 65, 83, 73,137,217,131,201,255, 49,246, 72, -/* 0x0460 */ 137,239, 72,141, 84, 36, 8, 65, 84, 76,139,132, 36,128, 0, 0, -/* 0x0470 */ 0,232,145,253,255,255, 65, 89, 65, 90,139,117, 16, 72,141, 85, -/* 0x0480 */ 32, 72,137,195, 49,201, 57,241, 15,131,190, 0, 0, 0,131, 58, -/* 0x0490 */ 14, 15,133,168, 0, 0, 0,139,122, 8, 49,246, 72,141, 60, 58, -/* 0x04a0 */ 49,210,232, 11,252,255,255,133,192, 65,137,196,120, 22, 68,137, -/* 0x04b0 */ 233, 76,137,242, 72,137,238, 68,137,231,232,235,251,255,255, 73, -/* 0x04c0 */ 57,198,116, 16,191,127, 0, 0, 0,232,208,251,255,255, 68,139, -/* 0x04d0 */ 107, 8,235,218,139, 69, 0, 61,202,254,186,190,116, 7, 61,190, -/* 0x04e0 */ 186,254,202,117, 49, 72, 15,182,117, 7, 72,137,239, 72,141, 93, -/* 0x04f0 */ 8, 72,107,246, 20,131,198, 8,232,141,251,255,255,139, 69, 4, -/* 0x0500 */ 49,201, 57,193,115, 16,129, 59, 7, 0, 0, 1,116,192,255,193, -/* 0x0510 */ 72,131,195, 20,235,236, 65, 80, 68,137,238, 69, 49,201, 69, 49, -/* 0x0520 */ 192, 68,137,225,106, 0, 49,210, 72,137,239,232,215,252,255,255, -/* 0x0530 */ 68,137,231, 72,137,195,232,115,251,255,255, 94, 95,235, 13,139, -/* 0x0540 */ 66, 4,255,193, 72, 1,194,233, 58,255,255,255, 72,131,196, 64, -/* 0x0550 */ 72,137,216, 91, 93, 65, 92, 65, 93, 65, 94,195 +/* 0x0360 */ 58,253,255,255, 73,141, 4, 28, 72, 1,197, 76, 57,245,115, 42, +/* 0x0370 */ 72,133,237,116,109, 65,139, 85, 60, 73, 41,238, 69, 49,201, 65, +/* 0x0380 */ 131,200,255,185, 18, 16, 0, 0, 76,137,246, 72,137,239,232, 35, +/* 0x0390 */ 253,255,255, 72, 57,197,116, 74,235,192, 77,133,255,116, 67, 73, +/* 0x03a0 */ 131,196, 3, 65,129,228,255, 15, 
0, 0, 73,131,252, 3,119, 50, +/* 0x03b0 */ 76,137,230, 72,137,239,232,235,252,255,255,235, 37,131,232, 4, +/* 0x03c0 */ 131,248, 1,119, 29, 72,184, 4, 0, 0, 0, 42, 0, 0, 0, 73, +/* 0x03d0 */ 57, 69, 8, 73,141, 85, 16, 72, 15, 69, 84, 36, 16, 72,137, 84, +/* 0x03e0 */ 36, 16, 65,139, 69, 4,255, 68, 36, 12,139, 84, 36, 12, 73, 1, +/* 0x03f0 */ 197, 72,139, 68, 36, 56, 59, 80, 16,233, 91,254,255,255, 72,139, +/* 0x0400 */ 68, 36, 16, 72,131,196, 88, 91, 93, 65, 92, 65, 93, 65, 94, 65, +/* 0x0410 */ 95,195, 65, 86, 73,137,206, 49,201, 65, 85, 69, 49,237, 65, 84, +/* 0x0420 */ 77,137,204, 85, 72,137,213, 72,141, 87, 24, 83, 76,137,195, 72, +/* 0x0430 */ 131,236, 64,139,127, 24, 72,137,116, 36, 56, 72,139, 68, 36, 56, +/* 0x0440 */ 72,141,116, 36, 16, 72,137, 84, 36, 40, 72,137, 84, 36, 8, 76, +/* 0x0450 */ 137,194, 72,137,108, 36, 24, 72,137,124, 36, 16, 72,141,124, 36, +/* 0x0460 */ 32, 72,131,232, 24, 72,137, 68, 36, 32, 72,137, 4, 36,232,149, +/* 0x0470 */ 252,255,255, 65, 83, 73,137,217,131,201,255, 49,246, 72,137,239, +/* 0x0480 */ 72,141, 84, 36, 8, 65, 84, 76,139,132, 36,128, 0, 0, 0,232, +/* 0x0490 */ 115,253,255,255, 65, 89, 65, 90,139,117, 16, 72,141, 85, 32, 72, +/* 0x04a0 */ 137,195, 49,201, 57,241, 15,131,190, 0, 0, 0,131, 58, 14, 15, +/* 0x04b0 */ 133,168, 0, 0, 0,139,122, 8, 49,246, 72,141, 60, 58, 49,210, +/* 0x04c0 */ 232,237,251,255,255,133,192, 65,137,196,120, 22, 68,137,233, 76, +/* 0x04d0 */ 137,242, 72,137,238, 68,137,231,232,205,251,255,255, 73, 57,198, +/* 0x04e0 */ 116, 16,191,127, 0, 0, 0,232,178,251,255,255, 68,139,107, 8, +/* 0x04f0 */ 235,218,139, 69, 0, 61,202,254,186,190,116, 7, 61,190,186,254, +/* 0x0500 */ 202,117, 49, 72, 15,182,117, 7, 72,137,239, 72,141, 93, 8, 72, +/* 0x0510 */ 107,246, 20,131,198, 8,232,111,251,255,255,139, 69, 4, 49,201, +/* 0x0520 */ 57,193,115, 16,129, 59, 7, 0, 0, 1,116,192,255,193, 72,131, +/* 0x0530 */ 195, 20,235,236, 65, 80, 68,137,238, 69, 49,201, 69, 49,192, 68, +/* 0x0540 */ 137,225,106, 0, 49,210, 
72,137,239,232,185,252,255,255, 68,137,
+/* 0x0550 */ 231, 72,137,195,232, 85,251,255,255, 94, 95,235, 13,139, 66, 4,
+/* 0x0560 */ 255,193, 72, 1,194,233, 58,255,255,255, 72,131,196, 64, 72,137,
+/* 0x0570 */ 216, 91, 93, 65, 92, 65, 93, 65, 94,195
 };
diff --git a/src/stub/src/amd64-darwin.macho-main.c b/src/stub/src/amd64-darwin.macho-main.c
index edb9edd1..ceea9b12 100644
--- a/src/stub/src/amd64-darwin.macho-main.c
+++ b/src/stub/src/amd64-darwin.macho-main.c
@@ -116,7 +116,7 @@ decimal(int x, char *ptr, int n)
 {
     if (x < 0) {
         x = -x;
-        *ptr = '-'; ++n;
+        *ptr[n++] = '-';
     }
     return unsimal(x, ptr, n);
 }
@@ -382,6 +382,7 @@ typedef struct {
     unsigned reserved;
 } Mach_header64;
 enum e0 {
+    MH_MAGIC = 0xfeedface,
     MH_MAGIC64 = 1+0xfeedface
 };
 enum e2 {
@@ -456,7 +457,6 @@ typedef union {
 #define PROT_READ 1
 #define PROT_WRITE 2
 #define PROT_EXEC 4
-
 #define MAP_ANON_FD -1
 extern void *mmap(void *, size_t, unsigned, unsigned, int, off_t);
 
@@ -498,14 +498,16 @@ do_xmap(
         mlen += frag;
 
         if (0!=mlen) {
+            // Decompressor can overrun the destination by 3 bytes. [x86 only]
+            size_t const mlen3 = mlen + (xi ? 3 : 0);
             unsigned const prot = VM_PROT_READ | VM_PROT_WRITE;
             unsigned const flags = MAP_FIXED | MAP_PRIVATE |
                 ((xi || 0==sc->filesize) ? MAP_ANON : 0);
             int const fdm = ((0==sc->filesize) ? MAP_ANON_FD : fdi);
             off_t const offset = sc->fileoff + fat_offset;
 
-            DPRINTF((STR_mmap(), addr, mlen, prot, flags, fdm, offset));
-            if (addr != mmap(addr, mlen, prot, flags, fdm, offset)) {
+            DPRINTF((STR_mmap(), addr, mlen3, prot, flags, fdm, offset));
+            if (addr != mmap(addr, mlen3, prot, flags, fdm, offset)) {
                 err_exit(8);
             }
         }
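Review bot: `*ptr[n++] = '-';` in the decimal() hunk does not compile when ptr is `char *` as the hunk header shows: `ptr[n++]` is already a char, so the leading `*` applies indirection to a non-pointer. The intended write is `ptr[n++] = '-';`. The subject line calls this DEBUG decimal(), so the function is presumably compiled only in debug builds, which is why the error goes unnoticed in a normal build. The signature of decimal() lies above the hunk.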
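Review bot: The pad in `size_t const mlen3 = mlen + (xi ? 3 : 0);` in do_xmap() is only safe because the `flags` line in the same hunk forces MAP_ANON whenever xi is set, so the three extra bytes never extend a file-backed mapping past the segment's file data; that coupling deserves a sentence in the comment, e.g. `// Pad only applies to anonymous mappings: xi implies MAP_ANON in flags below.` Any later protection change on this region presumably still uses mlen rather than mlen3 (outside the hunk), which leaves the pad page writable until the cleanup further down releases it. The `[x86 only]` tag reads oddly in the amd64 stub; `[x86/amd64 decompressors only]` or similar would say what is meant. do_xmap() begins above the hunk.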
@@ -533,6 +535,12 @@ ERR_LAB
                 err_exit(9);
             }
         }
+        else if (xi) { // cleanup if decompressor overrun crosses page boundary
+            mlen = ~PAGE_MASK & (3+ mlen);
+            if (mlen<=3) { // page fragment was overrun buffer only
+                munmap(addr, mlen);
+            }
+        }
     }
     else if (LC_UNIXTHREAD==sc->cmd || LC_THREAD==sc->cmd) {
         Mach_thread_command const *const thrc = (Mach_thread_command const *)sc;
@@ -545,8 +553,6 @@ ERR_LAB
 }
 
-extern void spin(void *, ...);
-
 /*************************************************************************
 // upx_main - called by our entry code
 //
@@ -604,6 +610,7 @@ ERR_LAB
         err_exit(19);
     }
     switch (mhdr->magic) {
+    case MH_MAGIC: break;
     case MH_MAGIC64: break;
     case FAT_CIGAM:
     case FAT_MAGIC: {
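Review bot: In the cleanup hunk `mlen = ~PAGE_MASK & (3+ mlen);` becomes 0 when the padded length ends exactly on a page boundary (mlen three bytes short of a page), and `if (mlen<=3)` then issues `munmap(addr, 0)`, which fails with EINVAL and is silently ignored; there is no extra page to release in that case, so the test should read `if (0 < mlen && mlen <= 3) {`, assuming PAGE_MASK clears the in-page bits as the expression implies. The release also depends on addr already having been advanced to the first page boundary past the segment, which happens outside the hunk; a comment such as `// addr is now the page past the segment; drop it if only the 3-byte pad landed there` would make that precondition visible. Unlike the mmap calls earlier in the function, the munmap return value is unchecked; if that is deliberate best-effort, say so in the comment. The enclosing segment loop starts and ends outside the hunk.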
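Review bot: `case MH_MAGIC: break;` lets a 32-bit Mach-O header through the magic check of the amd64 stub, but the context around the enum hunk shows the header type used here is Mach_header64, which carries an extra `reserved` word; unless the code after the switch (not in the hunk) derives the header size from the magic, the load commands of a 32-bit image would be walked from the wrong offset. If the case exists only so this source can be shared with the i386 stub, document that, e.g. `case MH_MAGIC: /* 32-bit image: meaningful only in the i386 build */ break;`, or reject it in the 64-bit build with the existing `err_exit(19);` path. upx_main() continues outside the hunk.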