Status: Open
Labels: Bugfix request (Request to fix a bug)
Description
When the client parses an invalid map (ac_x58.cgz.zip), the game crashes in the renderstrips function. Unfortunately, I didn't find any useful information while debugging, so I attach the stacktrace and registers view. If you find it useful, I can upload a core dump (1GB, so I didn't bother with uploading it unless it is needed).
Tested on Ubuntu 20.04
- Assault Cube v1.3.0.0 Beta 3 for Linux, downloaded from https://forum.cubers.net/thread-9116.html
- Compiled debug version from GitHub tag v1.3.0.0-BETA3
$ gdb --args bin_unix/linux_64_client --loadmap=ac_x58
(gdb) r
Starting program: /home/osboxes/assaultcubev1300beta3/bin_unix/linux_64_client --loadmap=ac_x58
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
parsing commandline argument 1: "--loadmap=ac_x58"
Using home directory: profile/
writing to file: profile/clientlog.txt
init: sdl (2.0.10)
[New Thread 0x7ffff61f3700 (LWP 2652)]
[New Thread 0x7fffed381700 (LWP 2653)]
[New Thread 0x7fffecb80700 (LWP 2654)]
[New Thread 0x7fffe7fff700 (LWP 2655)]
[New Thread 0x7fffe77fe700 (LWP 2656)]
init: net (1.3.6)
init: world (-(1203))
init: video: sdl
init: video: mode
init: video: misc
init: gl
Renderer: llvmpipe (LLVM 12.0.0, 256 bits) (Mesa/X.org)
Driver: 3.1 Mesa 21.0.3
init: console
init: sound
Audio devices: OpenAL Soft
[New Thread 0x7fffec31a700 (LWP 2657)]
[New Thread 0x7fffe57a1700 (LWP 2658)]
[Thread 0x7fffec31a700 (LWP 2657) exited]
[New Thread 0x7fffe57a1700 (LWP 2659)]
[Thread 0x7fffe57a1700 (LWP 2658) exited]
[New Thread 0x7fffec299700 (LWP 2660)]
[New Thread 0x7fffe4779700 (LWP 2661)]
Sound: OpenAL Soft / OpenAL Soft (OpenAL Community)
Driver: 1.1 ALSOFT 1.19.1
init: cfg
[New Thread 0x7fffbffff700 (LWP 2662)]
init: models
[New Thread 0x7fffbf7fe700 (LWP 2663)]
[Thread 0x7fffbf7fe700 (LWP 2663) exited]
[Thread 0x7fffbffff700 (LWP 2662) exited]
init: docs
init: localconnect
own IP: 0.0.0.0, censored own IP: 0.0.0.0, --, clock offset -454603 hours -28 minutes
auth challenge: SERVINFOCHALLENGE<(0) cn: 0 c: 0.0.0.0 (--) s: 0.0.0.0:0 3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29 st: 0 ct: 27276208 (-558054010)>
init: mainloop
could not read "private/authprivate.cfg"
Beware: This is a BETA version of AssaultCube v1.3
Thank you for testing AssaultCube and helping us to release the new version!
[New Thread 0x7fffbf7fe700 (LWP 2664)]
resolving hostname packages.cubers.net failed (0.0.0.0)
successfully pinged 0 media servers, 1 failure, 0 disabled
local server failed to load map "packages/maps/official/ac_x58", error: invalid HX_ARTIST record
WARNING: rebuildtexlists() fixed 76|235|244 missing entries
while reading map at 6386: type 24 out of range
while reading map at 6386: unexpected end of file
world error -2
read map packages/maps/official/ac_x58.cgz rev 235275103 (53 milliseconds)
Douze (AC-Version) by m772679 layout by stanze
malformed emb config
malformed emb config
malformed emb config
malformed emb config
restored editing history: 0 undos and 1 redos
restored editing history: 0 undos and 2 redos
restored editing history: 0 undos and 3 redos
restored editing history: 0 undos and 4 redos
restored editing history: 0 undos and 5 redos
restored editing history: 0 undos and 6 redos
restored editing history: 0 undos and 7 redos
restored editing history: 0 undos and 8 redos
restored editing history: 0 undos and 9 redos
restored editing history: 0 undos and 10 redos
restored editing history: 0 undos and 11 redos
restored editing history: 0 undos and 12 redos
restored editing history: 0 undos and 13 redos
restored editing history: 0 undos and 14 redos
restored editing history: 0 undos and 15 redos
restored editing history: 0 undos and 16 redos
restored editing history: 0 undos and 17 redos
loaded textures (57 milliseconds)
loaded mapmodels (0 milliseconds)
loaded mapsounds (117 milliseconds)
game mode is "TDM"
unresolved problems occurred during load_world(), warning: 0xa210
realloc(): invalid next size
Thread 1 "linux_64_client" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7649859 in __GI_abort () at abort.c:79
#2 0x00007ffff76b43ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff77de285 "%s\n")
at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff76bc47c in malloc_printerr (str=str@entry=0x7ffff77dc5a8 "realloc(): invalid next size") at malloc.c:5347
#4 0x00007ffff76c012c in _int_realloc (av=av@entry=0x7ffff780fb80 <main_arena>, oldp=oldp@entry=0x130eac0, oldsize=oldsize@entry=688,
nb=1408) at malloc.c:4564
#5 0x00007ffff76c22d6 in __GI___libc_realloc (oldmem=0x130ead0, bytes=1400) at malloc.c:3235
#6 0x00007fffee15d680 in llvm::SmallVectorBase<unsigned int>::grow_pod(void*, unsigned long, unsigned long) ()
from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#7 0x00007fffee6325b3 in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#8 0x00007fffee630f7d in llvm::ScheduleDAGInstrs::addVRegUseDeps(llvm::SUnit*, unsigned int) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#9 0x00007fffee633ba5 in llvm::ScheduleDAGInstrs::buildSchedGraph(llvm::AAResults*, llvm::RegPressureTracker*, llvm::PressureDiffs*, llvm::LiveIntervals*, bool) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#10 0x00007fffee542793 in llvm::ScheduleDAGMILive::buildDAGWithRegPressure() () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#11 0x00007fffee542519 in llvm::ScheduleDAGMILive::schedule() () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#12 0x00007fffee548a78 in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#13 0x00007fffee54856d in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#14 0x00007fffee4cae2e in llvm::MachineFunctionPass::runOnFunction(llvm::Function&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#15 0x00007fffee2e836d in llvm::FPPassManager::runOnFunction(llvm::Function&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#16 0x00007fffee2edd53 in llvm::FPPassManager::runOnModule(llvm::Module&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#17 0x00007fffee2e89bf in llvm::legacy::PassManagerImpl::run(llvm::Module&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#18 0x00007fffef7488e8 in llvm::MCJIT::emitObject(llvm::Module*) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#19 0x00007fffef748bc1 in llvm::MCJIT::generateCodeForModule(llvm::Module*) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#20 0x00007fffef74954e in llvm::MCJIT::finalizeObject() () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#21 0x00007fffef706710 in LLVMGetPointerToGlobal () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#22 0x00007ffff35c78b2 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#23 0x00007ffff35c85e8 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#24 0x00007ffff35b77f0 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#25 0x00007ffff359dfa0 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
--Type <RET> for more, q to quit, c to continue without paging--
#26 0x00007ffff30328c1 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#27 0x00000000004836a8 in renderstrips() ()
#28 0x000000000048ba6b in drawminimap(int, int) ()
#29 0x000000000048c4d0 in gl_drawframe(int, int, float, float, int) ()
#30 0x000000000046d70c in main ()
(gdb) i r
rax 0x0 0
rbx 0x7ffff64f8f40 140737325797184
rcx 0x7ffff766a18b 140737344086411
rdx 0x0 0
rsi 0x7fffffffb340 140737488335680
rdi 0x2 2
rbp 0x7fffffffb690 0x7fffffffb690
rsp 0x7fffffffb340 0x7fffffffb340
r8 0x0 0
r9 0x7fffffffb340 140737488335680
r10 0x8 8
r11 0x200246 2097734
r12 0x7fffffffb5b0 140737488336304
r13 0x10 16
r14 0x7fffec378000 140737156448256
r15 0x1 1
rip 0x7ffff766a18b 0x7ffff766a18b <__GI_raise+203>
eflags 0x200246 [ PF ZF IF ID ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
$ gdb --args bin_unix/native_client --loadmap=ac_x58
[...]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
parsing commandline argument 1: "--loadmap=ac_x58"
Using home directory: profile/
writing to file: profile/clientlog.txt
init: sdl (2.0.10)
[New Thread 0x7ffff61f3700 (LWP 3113)]
[New Thread 0x7fffed381700 (LWP 3114)]
[New Thread 0x7fffecb80700 (LWP 3115)]
[New Thread 0x7fffe7fff700 (LWP 3116)]
[New Thread 0x7fffe77fe700 (LWP 3117)]
init: net (1.3.6)
init: world (-(1203))
init: video: sdl
init: video: mode
init: video: misc
init: gl
Renderer: llvmpipe (LLVM 12.0.0, 256 bits) (Mesa/X.org)
Driver: 3.1 Mesa 21.0.3
init: console
init: sound
Audio devices: OpenAL Soft
[New Thread 0x7fffec31a700 (LWP 3118)]
[New Thread 0x7fffe57a1700 (LWP 3119)]
[Thread 0x7fffec31a700 (LWP 3118) exited]
[New Thread 0x7fffe57a1700 (LWP 3120)]
[Thread 0x7fffe57a1700 (LWP 3119) exited]
[New Thread 0x7fffec299700 (LWP 3121)]
[New Thread 0x7fffe4779700 (LWP 3122)]
Sound: OpenAL Soft / OpenAL Soft (OpenAL Community)
Driver: 1.1 ALSOFT 1.19.1
init: cfg
[New Thread 0x7fffbffff700 (LWP 3123)]
init: models
[New Thread 0x7fffbf7fe700 (LWP 3124)]
[Thread 0x7fffbf7fe700 (LWP 3124) exited]
[Thread 0x7fffbffff700 (LWP 3123) exited]
init: docs
init: localconnect
own IP: 0.0.0.0, censored own IP: 0.0.0.0, --, clock offset -454603 hours -49 minutes
auth challenge: SERVINFOCHALLENGE<(0) cn: 0 c: 0.0.0.0 (--) s: 0.0.0.0:0 3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29 st: 0 ct: 27276229 (651169311)>
init: mainloop
could not read "private/authprivate.cfg"
Beware: This is a BETA version of AssaultCube v1.3
Thank you for testing AssaultCube and helping us to release the new version!
[New Thread 0x7fffbf7fe700 (LWP 3125)]
resolving hostname packages.cubers.net failed (0.0.0.0)
successfully pinged 0 media servers, 1 failure, 0 disabled
local server failed to load map "packages/maps/official/ac_x58", error: invalid HX_ARTIST record
WARNING: rebuildtexlists() fixed 76|235|244 missing entries
while reading map at 6386: type 24 out of range
while reading map at 6386: unexpected end of file
world error -2
read map packages/maps/official/ac_x58.cgz rev 235275103 (48 milliseconds)
Douze (AC-Version) by m772679 layout by stanze
malformed emb config
malformed emb config
malformed emb config
malformed emb config
restored editing history: 0 undos and 1 redos
restored editing history: 0 undos and 2 redos
restored editing history: 0 undos and 3 redos
restored editing history: 0 undos and 4 redos
restored editing history: 0 undos and 5 redos
restored editing history: 0 undos and 6 redos
restored editing history: 0 undos and 7 redos
restored editing history: 0 undos and 8 redos
restored editing history: 0 undos and 9 redos
restored editing history: 0 undos and 10 redos
restored editing history: 0 undos and 11 redos
restored editing history: 0 undos and 12 redos
restored editing history: 0 undos and 13 redos
restored editing history: 0 undos and 14 redos
restored editing history: 0 undos and 15 redos
restored editing history: 0 undos and 16 redos
restored editing history: 0 undos and 17 redos
loaded textures (51 milliseconds)
loaded mapmodels (0 milliseconds)
loaded mapsounds (168 milliseconds)
game mode is "TDM"
unresolved problems occurred during load_world(), warning: 0xa210
Thread 1 "native_client" received signal SIGSEGV, Segmentation fault.
0x00007fffee1f4daf in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
(gdb) bt
#0 0x00007fffee1f4daf in ?? () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#1 0x00007fffee12111e in llvm::FoldingSetBase::FindNodeOrInsertPos(llvm::FoldingSetNodeID const&, void*&, llvm::FoldingSetBase::FoldingSetInfo const&) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#2 0x00007fffee1eec13 in llvm::AttributeSetNode::getSorted(llvm::LLVMContext&, llvm::ArrayRef<llvm::Attribute>) ()
from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#3 0x00007fffee1ec9d6 in llvm::AttributeSetNode::get(llvm::LLVMContext&, llvm::AttrBuilder const&) ()
from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#4 0x00007fffee1f035e in llvm::AttributeList::addAttributes(llvm::LLVMContext&, unsigned int, llvm::AttrBuilder const&) const ()
from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#5 0x00007fffee1f050c in llvm::AttributeList::addAttribute(llvm::LLVMContext&, unsigned int, llvm::Attribute) const ()
from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#6 0x00007fffee2b1616 in llvm::Function::addAttribute(unsigned int, llvm::Attribute) () from /lib/x86_64-linux-gnu/libLLVM-12.so.1
#7 0x00007ffff35c0e64 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#8 0x00007ffff35c57f8 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#9 0x00007ffff35b7408 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#10 0x00007ffff359dfa0 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#11 0x00007ffff30328c1 in ?? () from /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
#12 0x000000000049c701 in renderstrips () at rendercubes.cpp:65
#13 0x00000000004a5c2d in drawminimap (w=1440, h=792) at rendergl.cpp:857
#14 0x00000000004a69a3 in gl_drawframe (w=1440, h=792, changelod=0.431610614, curfps=25.896637, elapsed=329) at rendergl.cpp:1026
#15 0x0000000000480c12 in main (argc=2, argv=0x7fffffffe148) at main.cpp:1537
[...]
#12 0x000000000049c701 in renderstrips () at rendercubes.cpp:65
65 RENDERSTRIPS(sb.tris, GL_TRIANGLES);
(gdb) list
60 {
61 loopj(renderedtexs)
62 {
63 stripbatch &sb = stripbatches[j];
64 glBindTexture(GL_TEXTURE_2D, lookupworldtexture(sb.tex)->id);
65 RENDERSTRIPS(sb.tris, GL_TRIANGLES);
66 RENDERSTRIPS(sb.tristrips, GL_TRIANGLE_STRIP);
67 RENDERSTRIPS(sb.quads, GL_QUADS);
68 }
69 renderedtexs = 0;
(gdb) print sb.tris
$1 = {first = {static MINSIZE = 8, buf = 0x470af20, alen = 16, ulen = 12}, count = {static MINSIZE = 8, buf = 0x45b0df0, alen = 16,
ulen = 12}}
(gdb) x/32x sb.tris.first.length()
0xc: Cannot access memory at address 0xc
(gdb) print sb.tris.first.length()
$3 = 12
(gdb) print sb.tris.count.length()
$7 = 12
(gdb) x/12x sb.tris.first.getbuf()
0x470af20: 0x00000075 0x000002ed 0x00000425 0x0000086f
0x470af30: 0x00000891 0x00000935 0x00000959 0x0000098d
0x470af40: 0x00000ad7 0x00000ae1 0x00000c00 0x00000c3d
(gdb) x/12x sb.tris.count.getbuf()
0x45b0df0: 0x00000003 0x00000003 0x00000003 0x00000003
0x45b0e00: 0x00000003 0x00000003 0x00000003 0x00000003
0x45b0e10: 0x00000003 0x00000003 0x00000003 0x00000003
(gdb) i r
rax 0x0 0
rbx 0x58d770 5822320
rcx 0x377368a6 930310310
rdx 0x7fffffffa048 140737488330824
rsi 0x1752000000dad990 1680405610976958864
rdi 0x855be0 8739808
rbp 0x0 0x0
rsp 0x7fffffffdc50 0x7fffffffdc50
r8 0x7fffffff9f78 140737488330616
r9 0x7f 127
r10 0x4797188 75067784
r11 0x7ffff780fbe0 140737345813472
r12 0x4174b0 4289712
r13 0x7fffffffe140 140737488347456
r14 0x0 0
r15 0x0 0
rip 0x49c701 0x49c701 <renderstrips()+353>
eflags 0x210246 [ PF ZF IF RF ID ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) info locals
i = 0
sb = @0x607910: {tex = 8, tris = {first = {static MINSIZE = 8, buf = 0x470af20, alen = 16, ulen = 12}, count = {static MINSIZE = 8,
buf = 0x45b0df0, alen = 16, ulen = 12}}, tristrips = {first = {static MINSIZE = 8, buf = 0x46d0c60, alen = 32, ulen = 20}, count = {
static MINSIZE = 8, buf = 0x47bd0d0, alen = 32, ulen = 20}}, quads = {first = {static MINSIZE = 8, buf = 0x478bbd0, alen = 32,
ulen = 18}, count = {static MINSIZE = 8, buf = 0x47bdcb0, alen = 32, ulen = 18}}}
j = 0
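The gdb session above dumps `sb.tris.first` and `sb.tris.count` by hand to see whether the batch passed to RENDERSTRIPS is sane. The following is an added example, not AssaultCube code, that turns the same inspection into a check a loader could run before a batch reaches the GL driver: equal array lengths, counts that are non-zero multiples of 3 for GL_TRIANGLES, and no `first + count` range past the end of the vertex buffer. The twelve values are copied from the dump above; the vertex-buffer length is a hypothetical value, since the page does not show it.

```cpp
// Added example (not AssaultCube code): validate a strip batch before drawing.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed from the `x/12x sb.tris.first.getbuf()` / `count.getbuf()` output above.
static const uint32_t kTrisFirst[12] = {0x75,  0x2ed, 0x425, 0x86f, 0x891, 0x935,
                                        0x959, 0x98d, 0xad7, 0xae1, 0xc00, 0xc3d};
static const uint32_t kTrisCount[12] = {3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3};

enum BatchProblem {
    BATCH_OK = 0,
    BATCH_LENGTH_MISMATCH,  // first.length() != count.length()
    BATCH_BAD_COUNT,        // zero, or not a multiple of the vertices per primitive
    BATCH_OUT_OF_RANGE      // first + count runs past the vertex buffer
};

// vertsPerPrim is 3 for GL_TRIANGLES; pass 1 for strips/quads where only a
// lower bound applies. Arithmetic is done in 64 bits so first + count cannot wrap.
BatchProblem checkStripBatch(const uint32_t *first, size_t nFirst,
                             const uint32_t *count, size_t nCount,
                             uint64_t vertexBufferLen, uint32_t vertsPerPrim)
{
    if (nFirst != nCount) return BATCH_LENGTH_MISMATCH;
    for (size_t i = 0; i < nFirst; ++i) {
        if (count[i] == 0 || count[i] % vertsPerPrim != 0) return BATCH_BAD_COUNT;
        uint64_t end = (uint64_t)first[i] + count[i];
        if (end > vertexBufferLen) return BATCH_OUT_OF_RANGE;
    }
    return BATCH_OK;
}

int main()
{
    // Hypothetical vertex-buffer length; the real value is not in the report.
    const uint64_t kAssumedVertexCount = 4096;
    BatchProblem p = checkStripBatch(kTrisFirst, 12, kTrisCount, 12, kAssumedVertexCount, 3);
    std::printf("sb.tris batch check: %s\n", p == BATCH_OK ? "consistent" : "invalid");
    return p == BATCH_OK ? 0 : 1;
}
```

Under the assumed buffer length the dumped batch passes, which is in line with glibc's `realloc(): invalid next size` abort reporting heap damage only when the allocator next touches a neighbouring chunk, not where the damage was done.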