From 46fafef60cba73343f28384a66eb3e60465ebc54 Mon Sep 17 00:00:00 2001
From: Amos
Date: Tue, 30 May 2023 10:03:53 +0200
Subject: [PATCH] Fix vulnerability in C2S_CONNECT message parser

Thanks Robotic for reporting the crash!
---
 r5dev/resource/patch/r5apex.patch | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/r5dev/resource/patch/r5apex.patch b/r5dev/resource/patch/r5apex.patch
index 753bf41d..a0406676 100644
--- a/r5dev/resource/patch/r5apex.patch
+++ b/r5dev/resource/patch/r5apex.patch
@@ -64,4 +64,14 @@
 // Below the reconstruction of overwritten bytes caused by the long jump to code cave...
 0x12944BB: "lea r8d, ds:[rbp*8]" // fragSize << 3
 0x12944C3: "mov rcx, rbx"
-0x12944C6: "jmp 0x0000000140261A6B" // Jump back to original code; final split packet fragment is sane.
+0x12944C6: "jmp 0x140261A6B" // Jump back to original code; final split packet fragment is sane.
+
+// This fixes a vulnerability in which the index field in the NET_SetConVar message
+// could be used to read outside the static userinfo cvar string array.
+0x030DD29: "jmp 0x1412950E3" // Jump to code cave (alignment padding at end of executable segment).
+0x12944E3: "test eax, eax" // Existing NULL check, moved here due to overwrite caused by long jmp.
+0x12944E5: "je 0x1412950F0" // Conditional jump to rebuild of overwritten instruction.
+0x12944E7: "cmp eax, 0x28" // Check if array index does NOT exceed size; max = 0x27 (this check was missing).
+0x12944EA: "jl 0x14030E951" // Conditional jump to original code that indexes into userinfo cvar string array.
+0x12944F0: "mov r8d, 0x104" // Rebuid of overwritten instruction caused by long jump to code cave.
+0x12944F6: "jmp 0x14030E933" // Jump to original code past the user info cvar array indexing.
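Review bot: The new bound check at 0x12944E7/0x12944EA is a signed compare (`cmp eax, 0x28` followed by `jl`), so if the index in eax can arrive from the message as a negative 32-bit value it still passes and the original code at 0x14030E951 indexes before the array; unless earlier code already guarantees eax is non-negative, `jl 0x14030E951` should be `jb 0x14030E951`, which rejects both negatives and values at or above 0x28 in a single unsigned compare. A rejected index falls through to the same `mov r8d, 0x104` / `jmp 0x14030E933` path as the zero case, which looks intentional but deserves a line in the comment, e.g. `// Out-of-range index is handled exactly like the NULL case (no array access).`. The rebuilt `je 0x1412950F0` now lands on the `mov r8d, 0x104` rebuild rather than wherever the original `je` pointed, which is only equivalent if that original target is the post-mov code at 0x14030E933; the hunk does not show the original, so this is worth confirming against the binary. Minor: the subject names the C2S_CONNECT parser while the new comment names the NET_SetConVar message, and `Rebuid` in the 0x12944F0 comment should read `Rebuild`.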