<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/67039>67039</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            llvm-strip: do not strip output from UPX compressor
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          jreiser
      </td>
    </tr>
</table>

<pre>
    `llvm-strip` should not strip the output from UPX compressor of executable ELF main programs.  The output file after compression by UPX contains security information which is not covered by any PT_LOAD.  llvm-strip (processed by llvm-objcopy) from llvm17_build-17.0.1 removes the security information, and thus facilitates the creation of malware.  After llvm-strip, then a security scanner cannot use `upx -d` to recover the un-compressed file in order to scan the original file for malware.

The simplest heuristic to detect compressed ELF output from upx: if the four bytes at file offset (file_size - 36) are 0x21585055 (which is `UPX!` in little-endian: 0x55 0x50 0x58 0x21) then it is highly likely that the file was compressed by upx.  See https://github.com/upx/upx/issues/712#issuecomment-1729906268
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJx8VEuPpDYQ_jXmUmpkzADNgUNnJ31aKSNlV9rbyJiiqYmxkR8zTX59ZPc8-pDkUi1w8dX3qLb0ni4GcWDNb6x5LGQMi3XDi0Py6IrRTvvAWq7163rwwdHGWg5-sVFPYGyA_A7CgmBj2GKA2dkVfj79AmXXzaH31oGdAa-oYpCjRvj9-xlWSQY2Zy9Orr4E-HEHQBpBzgHdJwRZA-P-jmqCJOPBo4qOwg5kZutWGVLT20JqAfKZmrKv6HBKX0qzw9OP5-9_nB5LgC8xwMRxc1ah97fGfGTHF2W3nYn-pia9rLrnMZKeDlVX8rICh6t9RZ-V_xsVJr6BNBOEJXqYpSJNQYb3D5TDG187wyr1m3RYApyy5junxbfUbUB-TfBKGpOckSZJjB6BtTxuVzhMKZlgwWEWngdFc_jwEKebs2TAuimd24x2y87RhYzUt5bZuk9ajD8yfrrVFJKnddPoAywYHflAKgFNGFAFuJuVQr7fiLhdWX0CmvO82UYH4578kO-J23n2GFIg6fHZ098IB6jblIJ0CPwqqubY8KZJPZ9Bs5b_fPrFRJXUkwFNIWg8oJlImjSRX5smFZ7KMcMkyGwshQSx0GXRO2j6C_UOYZHhxjGxepP-XtW4JyElwJ-IsISweVafmDgzcb5QWOJYKrsycU5qPyp5H9Ezce4qwUSdH5VdVzThUHWi73kr2mMxDfXU170scKjavqmrpj52xTLMYzdxbCah5odWtZwfj53Efu5FhaMSqqBBcFHzXlRV27SiKx8aIVQ7j1XTVkogZw8cV0m6TKtVWncpMoeh7XjdF1qOqH3--wth8A3yIRMi3QZuyOs4xotnD1yTD_4LJVDQONzta32Cyd7dCv99IxTR6eF__Eug7z-HzdkXVOHeycz8nwAAAP__bJSahQ">