
[release_1.3_beta3] Security issue - client crash in rendermapmodels while parsing invalid map #411

Open
mmmds opened this issue Nov 10, 2021 · 0 comments
Labels
Bugfix request Request to fix a bug.


mmmds commented Nov 10, 2021

When the client parses an invalid map (ac_x45.cgz.zip), the game crashes in the rendermapmodels function. Values e.x and e.y that come from the map file are not properly validated. These values are used for pointer calculations and it results in accessing invalid memory addresses.

Tested on Ubuntu 20.04

  1. Assault Cube v1.3.0.0 Beta 3 for Linux, downloaded from https://forum.cubers.net/thread-9116.html
  2. Compiled debug version from GitHub tag v1.3.0.0-BETA3
$ gdb --args bin_unix/native_client --loadmap=ac_x45
Starting program: /home/osboxes/AC/bin_unix/native_client --loadmap=ac_x45
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
parsing commandline argument 1: "--loadmap=ac_x45"
Using home directory: profile/
writing to file: profile/clientlog.txt
init: sdl (2.0.10)
[New Thread 0x7ffff61f3700 (LWP 3181)]
[New Thread 0x7fffed381700 (LWP 3182)]
[New Thread 0x7fffecb80700 (LWP 3183)]
[New Thread 0x7fffe7fff700 (LWP 3184)]
[New Thread 0x7fffe77fe700 (LWP 3185)]
init: net (1.3.6)
init: world (-(1203))
init: video: sdl
init: video: mode
init: video: misc
init: gl
Renderer: llvmpipe (LLVM 12.0.0, 256 bits) (Mesa/X.org)
Driver: 3.1 Mesa 21.0.3
init: console
init: sound
Audio devices: OpenAL Soft
[New Thread 0x7fffec31a700 (LWP 3186)]
[New Thread 0x7fffe57a1700 (LWP 3187)]
[Thread 0x7fffec31a700 (LWP 3186) exited]
[New Thread 0x7fffe57a1700 (LWP 3188)]
[Thread 0x7fffe57a1700 (LWP 3187) exited]
[New Thread 0x7fffec299700 (LWP 3189)]
[New Thread 0x7fffe4779700 (LWP 3190)]
Sound: OpenAL Soft / OpenAL Soft (OpenAL Community)
Driver: 1.1 ALSOFT 1.19.1
init: cfg
[New Thread 0x7fffbffff700 (LWP 3191)]
init: models
[New Thread 0x7fffbf7fe700 (LWP 3192)]
[Thread 0x7fffbf7fe700 (LWP 3192) exited]
[Thread 0x7fffbffff700 (LWP 3191) exited]
init: docs
init: localconnect
own IP: 0.0.0.0, censored own IP: 0.0.0.0, --, clock offset -454603 hours -57 minutes
auth challenge: SERVINFOCHALLENGE<(0) cn: 0 c: 0.0.0.0 (--) s: 0.0.0.0:0 3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29 st: 0 ct: 27276237 (-28538316)>
init: mainloop
could not read "private/authprivate.cfg"
Beware: This is a BETA version of AssaultCube v1.3
Thank you for testing AssaultCube and helping us to release the new version!
[New Thread 0x7fffbf7fe700 (LWP 3193)]
resolving hostname packages.cubers.net failed (0.0.0.0)
successfully pinged 0 media servers, 1 failure, 0 disabled
local server failed to load map "packages/maps/official/ac_x45", error: invalid HX_ARTIST record
WARNING: rebuildtexlists() fixed 0|2|27 missing entries
while reading map at 2: type 12 out of range
while reading map at 2: unexpected end of file
world error -2
read map packages/maps/official/ac_x45.cgz rev 0 (49 milliseconds)
Douze (AC-Version) by makkE - layout by stanze
malformed emb config
malformed emb config
loaded textures (13 milliseconds)
loaded mapmodels (11 milliseconds)
loaded mapsounds (0 milliseconds)
can't find entity spawn spot! (64, 64)
game mode is "TDM"
unresolved problems occurred during load_world(), warning: 0x210
can't find entity spawn spot! (64, 64)
can't find entity spawn spot! (64, 64)

Thread 1 "native_client" received signal SIGSEGV, Segmentation fault.
0x000000000046ff7e in rendermapmodels () at entities.cpp:110
110	            rendermodel(mmi->name, ANIM_MAPMODEL|ANIM_LOOP, e.attr4, 0, vec(e.x, e.y, S(e.x, e.y)->floor + mmi->zoff + float(e.attr3) / ENTSCALE5), e.attr6, float(e.attr1) / ENTSCALE10, float(e.attr5) / ENTSCALE10, 10.0f, 0, NULL, NULL, mmi->scale);
(gdb) bt
#0  0x000000000046ff7e in rendermapmodels () at entities.cpp:110
#1  0x00000000004a5c46 in drawminimap (w=1440, h=792) at rendergl.cpp:859
#2  0x00000000004a69a3 in gl_drawframe (w=1440, h=792, changelod=0.432338327, curfps=25.9403, elapsed=206) at rendergl.cpp:1026
#3  0x0000000000480c12 in main (argc=2, argv=0x7fffffffe148) at main.cpp:1537

(gdb) print e.x
$1 = 30247
(gdb) print e.y
$2 = -25555
(gdb) print world
$3 = (sqr *) 0x8b0580
(gdb) print sfactor
$5 = 7
(gdb) print (&(world)[((e.y)<<(sfactor))+(e.x)])
$4 = (sqr *) 0xfffffffffd73cff0
(gdb) x/x (&(world)[((e.y)<<(sfactor))+(e.x)])
0xfffffffffd73cff0:	Cannot access memory at address 0xfffffffffd73cff0
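The root cause described in the report is an index into the `world` array computed from unvalidated map-file coordinates, `(e.y << sfactor) + e.x`, which with `e.x = 30247`, `e.y = -25555` and `sfactor = 7` lands far outside the array. The following C program is an added illustration, not AssaultCube's code: it reproduces the unchecked arithmetic in a wide signed type so the resulting index can be inspected, and places a bounds check beside it that rejects such coordinates before they are ever used for pointer arithmetic. The row stride of `1 << sfactor` follows the index expression in the backtrace; that the grid is square with the same side length, the `map_entity` struct, the function names and the sample coordinates are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, minimal entity record. The real entity carries many more
   fields; only the two coordinates involved in the crash are modelled. */
typedef struct {
    short x, y;
} map_entity;

/* The arithmetic from the crash, carried out without any bounds check.
   Done with a multiply on long long rather than a shift on a possibly
   negative int, so the value is well defined and can be printed. */
long long unchecked_index(int x, int y, int sfactor)
{
    return (long long)y * (1LL << sfactor) + x;
}

/* Validate map-file coordinates against a square grid of side 1 << sfactor
   (square shape assumed for this example). Writes the linear index into
   *index and returns true only when (x, y) lies inside the grid. */
bool safe_square_index(int x, int y, int sfactor, size_t *index)
{
    if (sfactor < 0 || sfactor >= 31) return false;      /* nonsense grid size */
    const int side = 1 << sfactor;
    if (x < 0 || x >= side || y < 0 || y >= side) return false;
    *index = ((size_t)y << sfactor) + (size_t)x;
    return true;
}

/* Count how many entities in an array fail the bounds check. A loader
   could skip or clamp these instead of rendering them. */
int count_rejected(const map_entity *ents, int n, int sfactor)
{
    int rejected = 0;
    for (int i = 0; i < n; i++) {
        size_t idx;
        if (!safe_square_index(ents[i].x, ents[i].y, sfactor, &idx))
            rejected++;
    }
    return rejected;
}

/* Constructed sample: one in-range entity at (64, 64), the coordinates
   from the gdb session, and two more out-of-range cases. */
const map_entity SAMPLE_ENTITIES[] = {
    { 64, 64 },
    { 30247, -25555 },
    { -1, 0 },
    { 0, 128 },
};
const int SAMPLE_COUNT = (int)(sizeof(SAMPLE_ENTITIES) / sizeof(SAMPLE_ENTITIES[0]));
const int SAMPLE_SFACTOR = 7;

int count_rejected_in_sample(void)
{
    return count_rejected(SAMPLE_ENTITIES, SAMPLE_COUNT, SAMPLE_SFACTOR);
}

int main(void)
{
    for (int i = 0; i < SAMPLE_COUNT; i++) {
        const map_entity *e = &SAMPLE_ENTITIES[i];
        size_t idx;
        bool ok = safe_square_index(e->x, e->y, SAMPLE_SFACTOR, &idx);
        printf("entity (%6d, %6d): unchecked index %lld -> %s\n",
               e->x, e->y, unchecked_index(e->x, e->y, SAMPLE_SFACTOR),
               ok ? "accepted" : "rejected");
    }
    printf("%d of %d sample entities rejected\n",
           count_rejected_in_sample(), SAMPLE_COUNT);
    return 0;
}
```

With `sfactor = 7` the grid has 128 squares per side, so the crash coordinates produce an index of -3240793 elements, which is why the dereference in `rendermapmodels` faults; the check rejects them before any pointer is formed.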
@drian0 drian0 added the Bugfix request Request to fix a bug. label Nov 12, 2021