
Invalid load of boolean value in lib/irrlichtmt/include/irrAllocator.h

Open erlehmann opened this issue 2 years ago • 0 comments

Compiling recent Minetest with UBsan (executing cmake with the argument -DCMAKE_CXX_FLAGS='-fsanitize-undefined -fno-sanitize=vptr' in addition to its other arguments) & starting Minetest with the environment variable setting UBSAN_OPTIONS='print_stacktrace=1' produced the following stack trace:

lib/irrlichtmt/include/irrAllocator.h:47:3: runtime error: load of value 192, which is not a valid value for type 'bool'
    #0 0x55f21a77cf16 in irr::core::irrAllocator<bool>::construct(bool*, bool const&) (bin/minetest+0x43c1f16)
    #1 0x55f21aadd3e8 in irr::core::array<bool, irr::core::irrAllocator<bool> >::operator=(irr::core::array<bool, irr::core::irrAllocator<bool> > const&) (bin/minetest+0x47223e8)
    #2 0x55f21aadc571 in irr::core::array<bool, irr::core::irrAllocator<bool> >::array(irr::core::array<bool, irr::core::irrAllocator<bool> > const&) (bin/minetest+0x4721571)
    #3 0x55f21aadcd03 in irr::core::irrAllocator<irr::core::array<bool, irr::core::irrAllocator<bool> > >::construct(irr::core::array<bool, irr::core::irrAllocator<bool> >*, irr::core::array<bool, irr::core::irrAllocator<bool> > const&) (bin/minetest+0x4721d03)
    #4 0x55f21aadc989 in irr::core::array<irr::core::array<bool, irr::core::irrAllocator<bool> >, irr::core::irrAllocator<irr::core::array<bool, irr::core::irrAllocator<bool> > > >::reallocate(unsigned int, bool) (bin/minetest+0x4721989)
    #5 0x55f21aad2235 in irr::core::array<irr::core::array<bool, irr::core::irrAllocator<bool> >, irr::core::irrAllocator<irr::core::array<bool, irr::core::irrAllocator<bool> > > >::insert(irr::core::array<bool, irr::core::irrAllocator<bool> > const&, unsigned int) (bin/minetest+0x4717235)
    #6 0x55f21aacd3be in irr::core::array<irr::core::array<bool, irr::core::irrAllocator<bool> >, irr::core::irrAllocator<irr::core::array<bool, irr::core::irrAllocator<bool> > > >::push_back(irr::core::array<bool, irr::core::irrAllocator<bool> > const&) (bin/minetest+0x47123be)
    #7 0x55f21aab8660 in irr::scene::CSkinnedMesh::finalize() (bin/minetest+0x46fd660)
    #8 0x55f21ab89369 in irr::scene::CB3DMeshFileLoader::createMesh(irr::io::IReadFile*) (bin/minetest+0x47ce369)
    #9 0x55f21a731aad in irr::scene::CSceneManager::getUncachedMesh(irr::io::IReadFile*, irr::core::string<char, irr::core::irrAllocator<char> > const&, irr::core::string<char, irr::core::irrAllocator<char> > const&) (bin/minetest+0x4376aad)
    #10 0x55f21a73166f in irr::scene::CSceneManager::getMesh(irr::io::IReadFile*) (bin/minetest+0x437666f)
    #11 0x55f2195bfd75 in Client::getMesh(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) (bin/minetest+0x3204d75)
    #12 0x55f2196cd38f in GenericCAO::addToScene(ITextureSource*, irr::scene::ISceneManager*) (bin/minetest+0x331238f)
    #13 0x55f219615398 in ClientEnvironment::addActiveObject(ClientActiveObject*) (bin/minetest+0x325a398)
    #14 0x55f2196157e3 in ClientEnvironment::addActiveObject(unsigned short, unsigned char, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) (bin/minetest+0x325a7e3)
    #15 0x55f219dab4bb in Client::handleCommand_ActiveObjectRemoveAdd(NetworkPacket*) (bin/minetest+0x39f04bb)
    #16 0x55f2195c82e7 in Client::handleCommand(NetworkPacket*) (bin/minetest+0x320d2e7)
    #17 0x55f2195b36cc in Client::ProcessData(NetworkPacket*) (bin/minetest+0x31f86cc)
    #18 0x55f2195b3079 in Client::ReceiveAll() (bin/minetest+0x31f8079)
    #19 0x55f2195ac330 in Client::step(float) (bin/minetest+0x31f1330)
    #20 0x55f21979f7d2 in Game::step(float*) (bin/minetest+0x33e47d2)
    #21 0x55f2197473b0 in Game::run() (bin/minetest+0x338c3b0)
    #22 0x55f21978705f in the_game(bool*, InputHandler*, RenderingEngine*, GameStartData const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, ChatBackend&, bool*) (bin/minetest+0x33cc05f)
    #23 0x55f21962ec7a in ClientLauncher::run(GameStartData&, Settings const&) (bin/minetest+0x3273c7a)
    #24 0x55f21a2dfe71 in main (bin/minetest+0x3f24e71)
    #25 0x7ff59080c09a in __libc_start_main ../csu/libc-start.c:308
    #26 0x55f219558419 in _start (bin/minetest+0x319d419)

I cannot provide many details about how to reproduce it, but it happened in MineClone5.

To my knowledge UBsan has no false positives. Therefore, this issue should be assumed to be a remotely exploitable security vulnerability on the client, until it is somehow proven that this is not the case.

erlehmann, Sep 13 '21 09:09
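As an added illustration (not Irrlicht or Minetest code, and an assumed mechanism rather than a confirmed cause of the trace above), a stripped-down container whose growth leaves new slots unconstructed, next to a variant that value-initializes them: an element-wise copy through an allocator then reads whatever stale byte sits there as a `bool`, which is exactly what a UBSan "load of value 192" report describes. The 0xC0 fill is a constructed stand-in for heap residue so the result is deterministic.

```cpp
// Added example, not irrAllocator.h: a minimal array whose set_used() grows
// storage without constructing the new elements (unsafe variant), beside one
// that value-initializes them (safe variant). The 0xC0 memset is a constructed
// stand-in for stale heap contents; the mechanism is an assumption about how a
// "load of value 192 ... not a valid value for type 'bool'" report can arise.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>

template <typename T, bool InitOnGrow>
class Array {
public:
    Array() : data(nullptr), allocated(0), used(0) {}
    ~Array() { std::free(data); }
    Array(const Array&) = delete;
    Array& operator=(const Array&) = delete;

    // Grow the logical size. The unsafe variant leaves slots [used, n) holding
    // whatever bytes the allocator returned; the safe variant constructs them.
    void set_used(std::size_t n) {
        if (n > allocated) {
            T* p = static_cast<T*>(std::malloc(n * sizeof(T)));
            std::memset(p, 0xC0, n * sizeof(T));       // simulated heap residue
            if (used) std::memcpy(p, data, used * sizeof(T)); // T is trivially copyable here
            std::free(data);
            data = p;
            allocated = n;
        }
        if (InitOnGrow)
            for (std::size_t i = used; i < n; ++i) new (data + i) T(); // value-init: false
        used = n;
    }

    // Observe the raw byte of slot i through unsigned char, which is always a
    // defined read, instead of loading it as a bool (which is where UBSan fires).
    unsigned raw_byte(std::size_t i) const {
        return reinterpret_cast<const unsigned char*>(data)[i * sizeof(T)];
    }

private:
    T* data; std::size_t allocated, used;
};

// The byte that an element-wise copy (allocator.construct(&dst[i], src[i]))
// would load as a bool from slot 3 after set_used(4) with no explicit writes.
unsigned byte_seen_by_copy(bool init_on_grow) {
    if (init_on_grow) { Array<bool, true> a; a.set_used(4); return a.raw_byte(3); }
    Array<bool, false> a; a.set_used(4); return a.raw_byte(3);
}
```

Building the unsafe variant's consumer with `-fsanitize=undefined` and letting it copy the element as a `bool` is what turns such a slot into the runtime error quoted in the report; the fix is to construct every slot the container hands out.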