Opened 14 years ago

Closed 13 years ago

Last modified 7 months ago

#1908 closed defect (fixed)

BASE: buffer overflow causes crash from env-var HOME

Reported by: SF/toreanderson Owned by: fingolfin
Priority: low Component: Port: Linux
Keywords: Cc:
Game:

Description

This is from Ulf Härnhammar in
<http://bugs.debian.org/292263/>. I guess ScummVM is
never installed as a setuid binary? It isn't on Debian
anyway, so priority set as low.

....

Hello,

if I start scummvm with a long value for the
environment variable HOME, the
program crashes.

metaur@metaur:~$ HOME=`perl -e 'print "U" x 1030;'` /usr/games/scummvm
WARNING: Unable to open configuration file:
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU/.scummvmrc!
Segmentation fault
metaur@metaur:~$

Ticket imported from: #1109687. Ticket imported from: bugs/1908.

Change History (16)

comment:1 Changed 14 years ago by SF/toreanderson

Priority: normal → low

comment:2 Changed 14 years ago by sev-

Fixed in CVS. And no, ScummVM does not require root privileges.

comment:3 Changed 14 years ago by sev-

Owner: set to sev-
Resolution: fixed
Status: new → closed

comment:4 Changed 14 years ago by SF/ender

As a note, you'd have to be crazy to install scummvm setuid. I
couldn't count the number of places an exploited savegame
could break out :)

comment:5 Changed 14 years ago by SF/toreanderson

I hope you don't believe I seriously doubted the correctness
of installing ScummVM non-setuid on a unix/linux-lookalike
such as Debian! :-)

Was thinking more of these funny architectures I have no
idea how they work, such as iPac, Dreamcast, Microsoft, Morphos,
and so on.

Thanks for fixing it so rapidly!

Tore

comment:6 Changed 14 years ago by SF/toreanderson

Status: closed → new

comment:7 Changed 14 years ago by SF/toreanderson

Hi,

It seems to me this bug is still present in 0.8.0. At least
I can reproduce it using the method suggested by the
submitter. Hence, I'm reopening this bug.

Tore

comment:8 Changed 14 years ago by fingolfin

Indeed, only main.cpp was fixed, but not config-manager.cpp.
I fixed that one, too. Furthermore, SCUMMVM_SAVEPATH is also
read from env. While an overflow there should be harmless, I
still added a check there, too... Will be included in the
next release.
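The pattern behind this crash, as an added example that is not ScummVM's code: an untrusted HOME copied into a fixed-size buffer without a bound, beside a bounded version that detects truncation and refuses the oversized path. The function names, the driver and the buffer-size constant are constructed for illustration; the 512-character figure is the limit reported later in this thread (comment:11).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer, sized to match the 512-character
 * limit reported in comment:11 (constructed constant, not ScummVM's). */
#define CFG_PATH_SIZE 512

/* The vulnerable shape (constructed illustration, not ScummVM's code):
 * an environment value is copied into a fixed buffer with no length
 * check, so a HOME longer than the buffer writes past its end. */
void build_config_path_unsafe(const char *home, char out[CFG_PATH_SIZE]) {
    strcpy(out, home);            /* unbounded: overflows for a long HOME */
    strcat(out, "/.scummvmrc");
}

/* Hardened form: snprintf bounds the write, and its return value says how
 * long the full string would have been, so truncation is detected rather
 * than silently yielding a wrong path. Returns 0 on success, -1 if HOME
 * is unset or the path does not fit (the buffer is then left empty). */
int build_config_path_safe(const char *home, char *out, size_t out_size) {
    if (home == NULL || out == NULL || out_size == 0)
        return -1;
    int needed = snprintf(out, out_size, "%s/.scummvmrc", home);
    if (needed < 0 || (size_t)needed >= out_size) {
        out[0] = '\0';            /* reject the oversized path, keep buffer sane */
        return -1;
    }
    return 0;
}

/* Stand-alone driver mirroring the ticket's reproduction: HOME comes from
 * the environment, but an overlong value is reported instead of crashing. */
int main(void) {
    char path[CFG_PATH_SIZE];
    if (build_config_path_safe(getenv("HOME"), path, sizeof path) != 0) {
        fprintf(stderr, "WARNING: HOME unset or too long, ignoring config file\n");
        return 1;
    }
    printf("config file: %s\n", path);
    return 0;
}
```

Run it as `HOME=$(perl -e 'print "U" x 1030') ./a.out` to see the ticket's input handled by the bounded version.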

comment:9 Changed 14 years ago by fingolfin

Owner: changed from sev- to fingolfin

comment:10 Changed 14 years ago by fingolfin

Status: new → closed

comment:11 Changed 13 years ago by SF/weine

I can still make scummvm segfault this way, even with a
checkout from svn made today. The limit seems to be 512
characters, FWIW; anything higher than that causes scummvm
to segfault.

comment:12 Changed 13 years ago by fingolfin

Argh, stupid bug, in fopenNoCase. I'll look into it.

comment:13 Changed 13 years ago by fingolfin

Status: closed → new
Summary: buffer overflow causes crash from env-var HOME → BASE: buffer overflow causes crash from env-var HOME

comment:14 Changed 13 years ago by fingolfin

Status: new → closed

comment:15 Changed 13 years ago by fingolfin

The bug in fopenNoCase should be fixed now, at least I really can't reproduce
the issue anymore :)

comment:16 Changed 7 months ago by digitall

Component: Port: Linux