[release_1.3_beta3] Security issue - client crash in renderstrips while parsing invalid map #410

Open
mmmds opened this issue Nov 10, 2021 · 3 comments
Labels
Bugfix request Request to fix a bug.

Comments


mmmds commented Nov 10, 2021

When the client parses an invalid map (ac_x58.cgz.zip), the game crashes in the renderstrips function. Unfortunately, I didn't find any useful information while debugging, so I attach the stacktrace and registers view. If you find it useful, I can upload a core dump (1GB, so I didn't bother with uploading it unless it is needed).

Tested on Ubuntu 20.04

  1. Assault Cube v1.3.0.0 Beta 3 for Linux, downloaded from https://forum.cubers.net/thread-9116.html
  2. Compiled debug version from GitHub tag v1.3.0.0-BETA3
$ gdb --args bin_unix/linux_64_client --loadmap=ac_x58
(gdb) r
Starting program: /home/osboxes/assaultcubev1300beta3/bin_unix/linux_64_client --loadmap=ac_x58
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
parsing commandline argument 1: "--loadmap=ac_x58"
Using home directory: profile/
writing to file: profile/clientlog.txt
init: sdl (2.0.10)
[New Thread 0x7ffff61f3700 (LWP 2652)]
[New Thread 0x7fffed381700 (LWP 2653)]
[New Thread 0x7fffecb80700 (LWP 2654)]
[New Thread 0x7fffe7fff700 (LWP 2655)]
[New Thread 0x7fffe77fe700 (LWP 2656)]
init: net (1.3.6)
init: world (-(1203))
init: video: sdl
init: video: mode
init: video: misc
init: gl
Renderer: llvmpipe (LLVM 12.0.0, 256 bits) (Mesa/X.org)
Driver: 3.1 Mesa 21.0.3
init: console
init: sound
Audio devices: OpenAL Soft
[New Thread 0x7fffec31a700 (LWP 2657)]
[New Thread 0x7fffe57a1700 (LWP 2658)]
[Thread 0x7fffec31a700 (LWP 2657) exited]
[New Thread 0x7fffe57a1700 (LWP 2659)]
[Thread 0x7fffe57a1700 (LWP 2658) exited]
[New Thread 0x7fffec299700 (LWP 2660)]
[New Thread 0x7fffe4779700 (LWP 2661)]
Sound: OpenAL Soft / OpenAL Soft (OpenAL Community)
Driver: 1.1 ALSOFT 1.19.1
init: cfg
[New Thread 0x7fffbffff700 (LWP 2662)]
init: models
[New Thread 0x7fffbf7fe700 (LWP 2663)]
[Thread 0x7fffbf7fe700 (LWP 2663) exited]
[Thread 0x7fffbffff700 (LWP 2662) exited]
init: docs
init: localconnect
own IP: 0.0.0.0, censored own IP: 0.0.0.0, --, clock offset -454603 hours -28 minutes
auth challenge: SERVINFOCHALLENGE<(0) cn: 0 c: 0.0.0.0 (--) s: 0.0.0.0:0 3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29 st: 0 ct: 27276208 (-558054010)>
init: mainloop
could not read "private/authprivate.cfg"
Beware: This is a BETA version of AssaultCube v1.3
Thank you for testing AssaultCube and helping us to release the new version!
[New Thread 0x7fffbf7fe700 (LWP 2664)]
resolving hostname packages.cubers.net failed (0.0.0.0)
successfully pinged 0 media servers, 1 failure, 0 disabled
local server failed to load map "packages/maps/official/ac_x58", error: invalid HX_ARTIST record
WARNING: rebuildtexlists() fixed 76|235|244 missing entries
while reading map at 6386: type 24 out of range
while reading map at 6386: unexpected end of file
world error -2
read map packages/maps/official/ac_x58.cgz rev 235275103 (53 milliseconds)
Douze (AC-Version) by m772679 layout by stanze
malformed emb config
malformed emb config
malformed emb config
malformed emb config
restored editing history: 0 undos and 1 redos
restored editing history: 0 undos and 2 redos
restored editing history: 0 undos and 3 redos
restored editing history: 0 undos and 4 redos
restored editing history: 0 undos and 5 redos
restored editing history: 0 undos and 6 redos
restored editing history: 0 undos and 7 redos
restored editing history: 0 undos and 8 redos
restored editing history: 0 undos and 9 redos
restored editing history: 0 undos and 10 redos
restored editing history: 0 undos and 11 redos
restored editing history: 0 undos and 12 redos
restored editing history: 0 undos and 13 redos
restored editing history: 0 undos and 14 redos
restored editing history: 0 undos and 15 redos
restored editing history: 0 undos and 16 redos
restored editing history: 0 undos and 17 redos
loaded textures (57 milliseconds)
loaded mapmodels (0 milliseconds)
loaded mapsounds (117 milliseconds)
game mode is "TDM"
unresolved problems occurred during load_world(), warning: 0xa210
realloc(): invalid next size

Thread 1 "linux_64_client" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7649859 in __GI_abort () at abort.c:79
#2  0x00007ffff76b43ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77de285 "%s\n")
    at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff76bc47c in malloc_printerr (str=str@entry=0x7ffff77dc5a8 "realloc(): invalid next size") at malloc.c:5347
#4  0x00007ffff76c012c in _int_realloc (av=av@entry=0x7ffff780fb80 <main_arena>, oldp=oldp@entry=0x130eac0, oldsize=oldsize@entry=688, 
    nb=1408) at malloc.c:4564
#5  0x00007ffff76c22d6 in __GI___libc_realloc (oldmem=0x130ead0, bytes=1400) at malloc.c:3235
#6  0x00007fffee15d680 in llvm::SmallVectorBase<unsigned int>::grow_pod(void*, unsigned long, unsigned long) ()
   from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#7  0x00007fffee6325b3 in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#8  0x00007fffee630f7d in llvm::ScheduleDAGInstrs::addVRegUseDeps(llvm::SUnit*, unsigned int) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#9  0x00007fffee633ba5 in llvm::ScheduleDAGInstrs::buildSchedGraph(llvm::AAResults*, llvm::RegPressureTracker*, llvm::PressureDiffs*, llvm::LiveIntervals*, bool) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#10 0x00007fffee542793 in llvm::ScheduleDAGMILive::buildDAGWithRegPressure() () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#11 0x00007fffee542519 in llvm::ScheduleDAGMILive::schedule() () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#12 0x00007fffee548a78 in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#13 0x00007fffee54856d in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#14 0x00007fffee4cae2e in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#15 0x00007fffee2e836d in llvm::FPPassManager::runOnFunction(llvm::Function&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#16 0x00007fffee2edd53 in llvm::FPPassManager::runOnModule(llvm::Module&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#17 0x00007fffee2e89bf in llvm::legacy::PassManagerImpl::run(llvm::Module&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#18 0x00007fffef7488e8 in llvm::MCJIT::emitObject(llvm::Module*) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#19 0x00007fffef748bc1 in llvm::MCJIT::generateCodeForModule(llvm::Module*) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#20 0x00007fffef74954e in llvm::MCJIT::finalizeObject() () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#21 0x00007fffef706710 in LLVMGetPointerToGlobal () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#22 0x00007ffff35c78b2 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#23 0x00007ffff35c85e8 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#24 0x00007ffff35b77f0 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#25 0x00007ffff359dfa0 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
--Type <RET> for more, q to quit, c to continue without paging--
#26 0x00007ffff30328c1 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#27 0x00000000004836a8 in renderstrips() ()
#28 0x000000000048ba6b in drawminimap(int, int) ()
#29 0x000000000048c4d0 in gl_drawframe(int, int, float, float, int) ()
#30 0x000000000046d70c in main ()
(gdb) i r
rax            0x0                 0
rbx            0x7ffff64f8f40      140737325797184
rcx            0x7ffff766a18b      140737344086411
rdx            0x0                 0
rsi            0x7fffffffb340      140737488335680
rdi            0x2                 2
rbp            0x7fffffffb690      0x7fffffffb690
rsp            0x7fffffffb340      0x7fffffffb340
r8             0x0                 0
r9             0x7fffffffb340      140737488335680
r10            0x8                 8
r11            0x200246            2097734
r12            0x7fffffffb5b0      140737488336304
r13            0x10                16
r14            0x7fffec378000      140737156448256
r15            0x1                 1
rip            0x7ffff766a18b      0x7ffff766a18b <__GI_raise+203>
eflags         0x200246            [ PF ZF IF ID ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
$ gdb --args bin_unix/native_client --loadmap=ac_x58
[...]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
parsing commandline argument 1: "--loadmap=ac_x58"
Using home directory: profile/
writing to file: profile/clientlog.txt
init: sdl (2.0.10)
[New Thread 0x7ffff61f3700 (LWP 3113)]
[New Thread 0x7fffed381700 (LWP 3114)]
[New Thread 0x7fffecb80700 (LWP 3115)]
[New Thread 0x7fffe7fff700 (LWP 3116)]
[New Thread 0x7fffe77fe700 (LWP 3117)]
init: net (1.3.6)
init: world (-(1203))
init: video: sdl
init: video: mode
init: video: misc
init: gl
Renderer: llvmpipe (LLVM 12.0.0, 256 bits) (Mesa/X.org)
Driver: 3.1 Mesa 21.0.3
init: console
init: sound
Audio devices: OpenAL Soft
[New Thread 0x7fffec31a700 (LWP 3118)]
[New Thread 0x7fffe57a1700 (LWP 3119)]
[Thread 0x7fffec31a700 (LWP 3118) exited]
[New Thread 0x7fffe57a1700 (LWP 3120)]
[Thread 0x7fffe57a1700 (LWP 3119) exited]
[New Thread 0x7fffec299700 (LWP 3121)]
[New Thread 0x7fffe4779700 (LWP 3122)]
Sound: OpenAL Soft / OpenAL Soft (OpenAL Community)
Driver: 1.1 ALSOFT 1.19.1
init: cfg
[New Thread 0x7fffbffff700 (LWP 3123)]
init: models
[New Thread 0x7fffbf7fe700 (LWP 3124)]
[Thread 0x7fffbf7fe700 (LWP 3124) exited]
[Thread 0x7fffbffff700 (LWP 3123) exited]
init: docs
init: localconnect
own IP: 0.0.0.0, censored own IP: 0.0.0.0, --, clock offset -454603 hours -49 minutes
auth challenge: SERVINFOCHALLENGE<(0) cn: 0 c: 0.0.0.0 (--) s: 0.0.0.0:0 3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29 st: 0 ct: 27276229 (651169311)>
init: mainloop
could not read "private/authprivate.cfg"
Beware: This is a BETA version of AssaultCube v1.3
Thank you for testing AssaultCube and helping us to release the new version!
[New Thread 0x7fffbf7fe700 (LWP 3125)]
resolving hostname packages.cubers.net failed (0.0.0.0)
successfully pinged 0 media servers, 1 failure, 0 disabled
local server failed to load map "packages/maps/official/ac_x58", error: invalid HX_ARTIST record
WARNING: rebuildtexlists() fixed 76|235|244 missing entries
while reading map at 6386: type 24 out of range
while reading map at 6386: unexpected end of file
world error -2
read map packages/maps/official/ac_x58.cgz rev 235275103 (48 milliseconds)
Douze (AC-Version) by m772679 layout by stanze
malformed emb config
malformed emb config
malformed emb config
malformed emb config
restored editing history: 0 undos and 1 redos
restored editing history: 0 undos and 2 redos
restored editing history: 0 undos and 3 redos
restored editing history: 0 undos and 4 redos
restored editing history: 0 undos and 5 redos
restored editing history: 0 undos and 6 redos
restored editing history: 0 undos and 7 redos
restored editing history: 0 undos and 8 redos
restored editing history: 0 undos and 9 redos
restored editing history: 0 undos and 10 redos
restored editing history: 0 undos and 11 redos
restored editing history: 0 undos and 12 redos
restored editing history: 0 undos and 13 redos
restored editing history: 0 undos and 14 redos
restored editing history: 0 undos and 15 redos
restored editing history: 0 undos and 16 redos
restored editing history: 0 undos and 17 redos
loaded textures (51 milliseconds)
loaded mapmodels (0 milliseconds)
loaded mapsounds (168 milliseconds)
game mode is "TDM"
unresolved problems occurred during load_world(), warning: 0xa210

Thread 1 "native_client" received signal SIGSEGV, Segmentation fault.
0x00007fffee1f4daf in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
(gdb) bt
#0  0x00007fffee1f4daf in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#1  0x00007fffee12111e in llvm::FoldingSetBase::FindNodeOrInsertPos(llvm::FoldingSetNodeID const&, void*&, llvm::FoldingSetBase::FoldingSetInfo const&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#2  0x00007fffee1eec13 in llvm::AttributeSetNode::getSorted(llvm::LLVMContext&, llvm::ArrayRef<llvm::Attribute>) ()
   from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#3  0x00007fffee1ec9d6 in llvm::AttributeSetNode::get(llvm::LLVMContext&, llvm::AttrBuilder const&) ()
   from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#4  0x00007fffee1f035e in llvm::AttributeList::addAttributes(llvm::LLVMContext&, unsigned int, llvm::AttrBuilder const&) const ()
   from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#5  0x00007fffee1f050c in llvm::AttributeList::addAttribute(llvm::LLVMContext&, unsigned int, llvm::Attribute) const ()
   from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#6  0x00007fffee2b1616 in llvm::Function::addAttribute(unsigned int, llvm::Attribute) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#7  0x00007ffff35c0e64 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#8  0x00007ffff35c57f8 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#9  0x00007ffff35b7408 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#10 0x00007ffff359dfa0 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#11 0x00007ffff30328c1 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#12 0x000000000049c701 in renderstrips () at rendercubes.cpp:65
#13 0x00000000004a5c2d in drawminimap (w=1440, h=792) at rendergl.cpp:857
#14 0x00000000004a69a3 in gl_drawframe (w=1440, h=792, changelod=0.431610614, curfps=25.896637, elapsed=329) at rendergl.cpp:1026
#15 0x0000000000480c12 in main (argc=2, argv=0x7fffffffe148) at main.cpp:1537
[...]
#12 0x000000000049c701 in renderstrips () at rendercubes.cpp:65
65	        RENDERSTRIPS(sb.tris, GL_TRIANGLES);
(gdb) list
60	{
61	    loopj(renderedtexs)
62	    {
63	        stripbatch &sb = stripbatches[j];
64	        glBindTexture(GL_TEXTURE_2D, lookupworldtexture(sb.tex)->id);
65	        RENDERSTRIPS(sb.tris, GL_TRIANGLES);
66	        RENDERSTRIPS(sb.tristrips, GL_TRIANGLE_STRIP);
67	        RENDERSTRIPS(sb.quads, GL_QUADS);
68	    }
69	    renderedtexs = 0;
(gdb) print sb.tris
$1 = {first = {static MINSIZE = 8, buf = 0x470af20, alen = 16, ulen = 12}, count = {static MINSIZE = 8, buf = 0x45b0df0, alen = 16, 
    ulen = 12}}
(gdb) x/32x sb.tris.first.length()
0xc:	Cannot access memory at address 0xc
(gdb) print sb.tris.first.length()
$3 = 12
(gdb) print sb.tris.count.length()
$7 = 12
(gdb) x/12x sb.tris.first.getbuf()
0x470af20:	0x00000075	0x000002ed	0x00000425	0x0000086f
0x470af30:	0x00000891	0x00000935	0x00000959	0x0000098d
0x470af40:	0x00000ad7	0x00000ae1	0x00000c00	0x00000c3d
(gdb) x/12x sb.tris.count.getbuf()
0x45b0df0:	0x00000003	0x00000003	0x00000003	0x00000003
0x45b0e00:	0x00000003	0x00000003	0x00000003	0x00000003
0x45b0e10:	0x00000003	0x00000003	0x00000003	0x00000003
(gdb) i r
rax            0x0                 0
rbx            0x58d770            5822320
rcx            0x377368a6          930310310
rdx            0x7fffffffa048      140737488330824
rsi            0x1752000000dad990  1680405610976958864
rdi            0x855be0            8739808
rbp            0x0                 0x0
rsp            0x7fffffffdc50      0x7fffffffdc50
r8             0x7fffffff9f78      140737488330616
r9             0x7f                127
r10            0x4797188           75067784
r11            0x7ffff780fbe0      140737345813472
r12            0x4174b0            4289712
r13            0x7fffffffe140      140737488347456
r14            0x0                 0
r15            0x0                 0
rip            0x49c701            0x49c701 <renderstrips()+353>
eflags         0x210246            [ PF ZF IF RF ID ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) info locals
i = 0
sb = @0x607910: {tex = 8, tris = {first = {static MINSIZE = 8, buf = 0x470af20, alen = 16, ulen = 12}, count = {static MINSIZE = 8, 
      buf = 0x45b0df0, alen = 16, ulen = 12}}, tristrips = {first = {static MINSIZE = 8, buf = 0x46d0c60, alen = 32, ulen = 20}, count = {
      static MINSIZE = 8, buf = 0x47bd0d0, alen = 32, ulen = 20}}, quads = {first = {static MINSIZE = 8, buf = 0x478bbd0, alen = 32, 
      ulen = 18}, count = {static MINSIZE = 8, buf = 0x47bdcb0, alen = 32, ulen = 18}}}
j = 0
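The transcript above shows the loader flag "type 24 out of range" and "unexpected end of file" at offset 6386 and report "world error -2", yet the load goes on (textures, mapmodels, rendering) and the heap corruption only surfaces later, inside a realloc made by LLVM under renderstrips. The following is an added example, not AssaultCube's code: a loader for a constructed record format (1 byte type, 1 byte payload length, payload; `kMaxType`, `Record`, `LoadStatus` are all constructed here) that fails closed, returning the offending offset and publishing no partially built state when a record is out of range or truncated.

```cpp
// Added example (not AssaultCube code): fail-closed loader for a constructed
// record format. Each record is: 1 byte type, 1 byte payload length, payload.
// Types >= kMaxType are invalid. A bad type or a truncated record aborts the
// whole load with an error code instead of being logged and skipped.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum LoadResult { LOAD_OK = 0, LOAD_TYPE_OUT_OF_RANGE = -1, LOAD_UNEXPECTED_EOF = -2 };

struct Record {
    uint8_t type;
    std::vector<uint8_t> payload;
};

struct LoadStatus {
    LoadResult result;
    size_t offset;   // byte offset where parsing stopped
    size_t records;  // records accepted before stopping
};

static const uint8_t kMaxType = 20;  // constructed: valid types are 0..19

LoadStatus loadRecords(const uint8_t *data, size_t len, std::vector<Record> &out)
{
    std::vector<Record> parsed;
    size_t pos = 0;
    while (pos < len) {
        if (len - pos < 2) return {LOAD_UNEXPECTED_EOF, pos, parsed.size()};
        uint8_t type = data[pos];
        uint8_t plen = data[pos + 1];
        if (type >= kMaxType) return {LOAD_TYPE_OUT_OF_RANGE, pos, parsed.size()};
        // Length check before touching the payload: a short final record is
        // an error, not "read what is there and carry on".
        if (len - pos - 2 < plen) return {LOAD_UNEXPECTED_EOF, pos, parsed.size()};
        Record r;
        r.type = type;
        r.payload.assign(data + pos + 2, data + pos + 2 + plen);
        parsed.push_back(r);
        pos += 2 + plen;
    }
    // Publish only after the whole file validated, so no caller ever
    // renders from a half-built world.
    out.swap(parsed);
    return {LOAD_OK, pos, out.size()};
}

// Constructed inputs: a valid file, one with type 24 at offset 6, one truncated.
static const uint8_t kGoodMap[]   = {1, 2, 0xAA, 0xBB, 5, 0, 3, 1, 0xCC};
static const uint8_t kBadType[]   = {1, 2, 0xAA, 0xBB, 5, 0, 24, 1, 0xCC};
static const uint8_t kTruncated[] = {1, 2, 0xAA, 0xBB, 5, 3, 0x01};

int main()
{
    std::vector<Record> world;
    LoadStatus s = loadRecords(kBadType, sizeof kBadType, world);
    std::printf("result %d at offset %zu, %zu records kept\n", s.result, s.offset, world.size());
    return s.result == LOAD_OK ? 0 : 1;
}
```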
@baarreth baarreth added Bugfix request Request to fix a bug. Release-critical Prevents the publication of the release. and removed Release-critical Prevents the publication of the release. labels Nov 10, 2021
@drian0
Contributor

drian0 commented Nov 11, 2021

@mmmds
Thank you for reporting this.
Could you let me know if you created this invalid map manually or did AC v1.3 produce this invalid map due to a bug?

@mmmds
Author

mmmds commented Nov 11, 2021

The map is a result of fuzzing with AFL.

@drian0
Contributor

drian0 commented Nov 12, 2021

Thanks for this info.
