Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stack buffer overflow (write) while loading map in CMapLayers::LoadEnvPoints, maplayers.cpp:184 #2981

Closed
mmmds opened this issue Oct 23, 2021 · 2 comments · Fixed by #3018 · May be fixed by #2931
Closed

Stack buffer overflow (write) while loading map in CMapLayers::LoadEnvPoints, maplayers.cpp:184 #2981

mmmds opened this issue Oct 23, 2021 · 2 comments · Fixed by #3018 · May be fixed by #2931

Comments

@mmmds
Copy link

mmmds commented Oct 23, 2021

The client crashes when an invalid map (14.map.zip) is loaded. Such a map can be delivered to the client by a malicious server.

Tested on Ubuntu 20.04 x86_64, Teeworlds version: f35da54b6f2c5f9fd4bbd4559f887ccf8f8cc526

Compilation with ASAN:

export CXXFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer"
export CFLAGS="-ggdb -O0 -fsanitize=address -fno-omit-frame-pointer"
cmake ..
make

Run and connect to a server that delivers an invalid map:

./teeworlds "connect 127.0.0.1" "gfx_fullscreen 0" "gfx_screen_height 240" "gfx_screen_width 360"
[...]
=================================================================
==33805==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffffffd8f78 at pc 0x5555556fae80 bp 0x7ffffffd8e10 sp 0x7ffffffd8e00
WRITE of size 4 at 0x7ffffffd8f78 thread T0
    #0 0x5555556fae7f in CMapLayers::LoadEnvPoints(CLayers const*, array<CEnvPoint, allocator_default<CEnvPoint> >&) /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/maplayers.cpp:184
    #1 0x5555556fcf3b in CMapLayers::OnMapLoad() /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/maplayers.cpp:117
    #2 0x555555839981 in CGameClient::OnConnected() /home/osboxes/teeworlds/teeworlds-asan/src/game/client/gameclient.cpp:459
    #3 0x5555555f6755 in CClient::ProcessServerPacket(CNetChunk*) /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1283
    #4 0x5555555f91ce in CClient::PumpNetwork() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1596
    #5 0x5555555f9596 in CClient::Update() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:1766
    #6 0x5555555fc1f0 in CClient::Run() /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:2108
    #7 0x5555555d24e5 in main /home/osboxes/teeworlds/teeworlds-asan/src/engine/client/client.cpp:2704
    #8 0x7ffff68e10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #9 0x5555555dc48d in _start (/home/osboxes/teeworlds/teeworlds-asan/build/teeworlds+0x8848d)

Address 0x7ffffffd8f78 is located in stack of thread T0 at offset 184 in frame
    #0 0x5555556f949f in CMapLayers::LoadEnvPoints(CLayers const*, array<CEnvPoint, allocator_default<CEnvPoint> >&) /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/maplayers.cpp:135

  This frame has 5 object(s):
    [32, 36) 'Start' (line 141)
    [48, 52) 'Num' (line 141)
    [64, 68) 'Start' (line 151)
    [80, 84) 'Num' (line 151)
    [96, 184) 'p' (line 173) <== Memory access at offset 184 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/osboxes/teeworlds/teeworlds-asan/src/game/client/components/maplayers.cpp:184 in CMapLayers::LoadEnvPoints(CLayers const*, array<CEnvPoint, allocator_default<CEnvPoint> >&)
Shadow bytes around the buggy address:
  0x10007fff3190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff31a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff31b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff31c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff31d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f8 f2
=>0x10007fff31e0: 04 f2 04 f2 00 00 00 00 00 00 00 00 00 00 00[f3]
  0x10007fff31f0: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3200: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007fff3210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
  0x10007fff3220: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff3230: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==33805==ABORTING

Compilation without ASAN:

export CXXFLAGS="-ggdb -O0"
export CFLAGS="-ggdb -O0"
cmake ..
make

Run and connect to a server that delivers an invalid map:

./teeworlds "connect 127.0.0.1" "gfx_fullscreen 0" "gfx_screen_height 240" "gfx_screen_width 360"
[...]
Segmentation fault (core dumped)
@mmmds
Copy link
Author

mmmds commented Nov 7, 2021

The bug can be abused to write arbitrary value on a stack and control an instruction pointer leading to arbitrary code execution.

$ gdb --args ./teeworlds 'connect 127.0.0.1'
[...]
Thread 1 "teeworlds" received signal SIGSEGV, Segmentation fault.
0x000000aabbccddee in ?? ()
(gdb) i r
rax 0x6 6
rbx 0xeeeeeeddddddddcc -1229783011548078644
rcx 0x555556004390 93825003438992
rdx 0x46 70
rsi 0x0 0
rdi 0x555556004390 93825003438992
rbp 0xee 0xee
rsp 0x7ffffffddad0 0x7ffffffddad0
r8 0x4d0 1232
r9 0x7ffff7861ff0 140737346150384
r10 0x555555a3c010 93824997376016
r11 0x7ffff7861be0 140737346149344
r12 0x0 0
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0xaabbccddee 0xaabbccddee
eflags 0x210202 [ IF RF ID ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

Additionally, the binaries available on GitHub do not have stack protection enabled. On the contrary, build available in Ubuntu 20.04 repository has the protection enabled.

@carnil
Copy link

carnil commented Dec 15, 2021

CVE-2021-43518 appears to have been assigned for this issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants