
[security] Buffer overflow in simsys.cc

Started by highlander, September 25, 2024, 03:29:38 PM



highlander

Hi,

There is a buffer overflow vulnerability in simutrans in simsys.cc:

https://github.com/simutrans/simutrans/blob/348382a31a6f4a481133af307b8af4ee0f3b8197/src/simutrans/sys/simsys.cc#L601

The program blindly trusts environment variables given by the user.

It can be triggered when exceeding `buffer` size set on line 570 of simsys.cc:


static char buffer[PATH_MAX + 24];

I had to use a way higher number than PATH_MAX + 25 to trigger a segfault but you get the idea:


Commit version: 348382a31a6f4a481133af307b8af4ee0f3b8197

root@debian:/home/user/simutrans# HOME=$(python3 -c "print('A'*9500)") gdb ./build/simutrans/simutrans
...
Reading symbols from ./build/simutrans/simutrans...
(gdb) run
dr_fatal_notify: ERROR: Absolutely no base installation found.
Please download/install the complete base set!

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff79d8e4a in __GI___libc_free (mem=0x4141414141414141) at ./malloc/malloc.c:3362
3362    ./malloc/malloc.c: No such file or directory.

I am attaching a patch for it.

Regards,
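The pattern the report describes, as an added C example that is not Simutrans code: a fixed buffer of PATH_MAX + 24 bytes (the size quoted above) receives an environment-supplied prefix plus a program-chosen suffix. The unchecked copy is shown for comparison next to a version that measures first and refuses when the result would not fit. The suffix string, the helper names and the constructed 9500-byte HOME are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Same shape as the reported site: a static buffer sized PATH_MAX + 24.
 * The suffix used below is a constructed placeholder, not the real path. */
#define BUF_SIZE (PATH_MAX + 24)
static char buffer[BUF_SIZE];

/* Vulnerable pattern: strlen(home) is never compared with the buffer size,
 * so a HOME longer than BUF_SIZE minus the suffix writes past `buffer`.
 * Kept only for comparison; never feed it untrusted input. */
static char *build_path_unchecked(const char *home, const char *suffix)
{
    strcpy(buffer, home);    /* no bound */
    strcat(buffer, suffix);  /* no bound */
    return buffer;
}

/* Hardened pattern: snprintf returns the length the full string needs.
 * If that does not fit, refuse rather than truncate silently, since a
 * silently shortened path may point somewhere else entirely. */
static int build_path_checked(const char *home, const char *suffix,
                              char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", home, suffix);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;  /* caller must fall back or fail cleanly */
    }
    return n;       /* length written, excluding the terminator */
}

/* Reads HOME the way the reported code does, but validates before use.
 * Returns NULL when HOME is unset or too long for the buffer. */
static const char *home_path_or_null(const char *suffix)
{
    const char *home = getenv("HOME");
    if (home == NULL)
        return NULL;
    if (build_path_checked(home, suffix, buffer, sizeof buffer) < 0)
        return NULL;
    return buffer;
}

/* Builds a constructed HOME of `len` 'A' bytes and reports whether the
 * checked builder rejects it (1), accepts it (0) or cannot allocate (-1). */
static int checked_rejects_len(size_t len)
{
    char out[BUF_SIZE];
    char *home = malloc(len + 1);
    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    int rc = build_path_checked(home, "/.simutrans/", out, sizeof out);
    free(home);
    return rc < 0;
}

int main(void)
{
    char out[BUF_SIZE];

    /* A HOME of 9500 'A's, like the gdb reproduction above (constructed). */
    printf("9500-byte HOME rejected: %d\n", checked_rejects_len(9500));

    /* Exact boundary: suffix is 12 bytes, so BUF_SIZE - 13 bytes still fit
     * with the terminator, BUF_SIZE - 12 does not. */
    printf("boundary fits: %d, boundary+1 rejected: %d\n",
           checked_rejects_len(BUF_SIZE - 13) == 0,
           checked_rejects_len(BUF_SIZE - 12));

    if (build_path_checked("/home/user", "/.simutrans/", out, sizeof out) >= 0)
        printf("checked: %s\n", out);

    /* Safe only because the input is short; with the 9500-byte HOME this
     * call is the overflow the report demonstrates. */
    printf("unchecked (short input): %s\n",
           build_path_unchecked("/home/user", "/.simutrans/"));

    const char *p = home_path_or_null("/.simutrans/");
    printf("real HOME: %s\n", p ? p : "(unset or too long)");
    return 0;
}
```

The check in `build_path_checked` treats `n >= outlen` as failure, not just `n > outlen`, because snprintf's return value excludes the terminating NUL that still has to fit. Whether to fall back to a default directory or abort with a clear message is a policy choice; what matters is that the decision is made before anything is written past the buffer.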

prissi

Ok, added some checks. Although I am pretty sure a lot of other programs and scripts will not like such a home variable.

I think that if you want to crash simutrans, the network code is the way better place to look for overruns.