[quake3-bugzilla] [Bug 4249] New: Segmentation fault in x86 vm compiler with malicious QVM

bugzilla-daemon at icculus.org bugzilla-daemon at icculus.org
Thu Jul 23 14:16:52 EDT 2009 

http://bugzilla.icculus.org/show_bug.cgi?id=4249

           Summary: Segmentation fault in x86 vm compiler with malicious
                    QVM
           Product: ioquake3
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P3
         Component: Misc
        AssignedTo: zakk at icculus.org
        ReportedBy: bugzilla at benmachine.co.uk
         QAContact: quake3-bugzilla at icculus.org


I had this demonstrated and explained to me recently by Amanieu: put the
following in segfault.asm:

code
CNSTP4 805306368
JUMPV

and then make it into a QVM:
$ q3asm -o ui.qvm segfault.asm
Wrap it in a pk3 and dump it in baseq3 (named such that it will be loaded as a
priority). The result:

Loading vm file vm/ui.qvm...
...which has vmMagic VM_MAGIC_VER2
Loading 0 jump table targets

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb7b166d0 (LWP 12292)]
0x0811c68e in VM_Compile (vm=0x9a0c3c0, header=0xb619af4c)
    at src/qcommon/vm_x86.c:557
557                    jused[lastConst] = 1;
(gdb) bt
#0  0x0811c68e in VM_Compile (vm=0x9a0c3c0, header=0xb619af4c)
    at src/qcommon/vm_x86.c:557
#1  0x080b0e80 in VM_Create (module=0x8123846 "ui", 
    systemCalls=0x8064177 <CL_UISystemCalls>, interpret=VMI_COMPILED)
    at src/qcommon/vm.c:592
#2  0x080654c3 in CL_InitUI () at src/client/cl_ui.c:1029
#3  0x0805d135 in CL_StartHunkUsers (rendererOnly=qfalse)
    at src/client/cl_main.c:2758
#4  0x0807a442 in Com_Init (commandLine=0xbfe4dd74 "")
    at src/qcommon/common.c:2529
#5  0x080f7c81 in main (argc=8, argv=0xbfe4e244) at src/sys/sys_main.c:548
(gdb) print lastConst
$1 = 805306368

This looks like just a simple bounds check missing, but I'm out of my depth in
the VM compiler.

Of course there's a limited amount you can do to stop arbitrary VMs from
crashing the client, but this being an uninitialised memory access it's almost
certainly worth closing before someone makes a security exploit of it.

Credit for finding this pretty much solely goes to Amanieu, I just did the
subsequent writeup

-- 
Configure bugmail: http://bugzilla.icculus.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

More information about the quake3-bugzilla mailing list