VScript: fix buffer overflow vulnerability in SQClass::NewSlot()

Assembly patch in the game executable implementing the fix from commit 23a0620658; the patch has been tested and confirmed working.
Kawe Mazidjatari 2024-06-13 15:52:03 +02:00
parent 61856106f0
commit ea4d31c26d


@ -116,3 +116,18 @@
// original code...
0x12944EE: "mov r8d, 0x104"
0x12944F4: "jmp 0x14030E933"
// This fixes a vulnerability in which the SQClass' '_members' buffer could overrun due to a missing check for current member count in the class.
// This has been patched on the Squirrel repo in commit: https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
0x1067595: "jmp 0x1412950F9" // Jump to code cave (alignment padding at end of executable segment).
0x12944F9: "mov rcx, qword ptr ds:[rbx+0x40]" // Load "SQClass::_members" into RCX (unused stack register in current compound block).
// NOTE: 'this' ptr has been mov'd to a non-volatile register due to a function call in previous block.
0x12944FD: "mov eax, dword ptr ds:[rcx+0x54]" // Load "SQTable::_usednodes" into EAX (unused stack register in current compound block).
// NOTE: inline 'SQTable::CountUsed()'
0x1294500: "cmp eax, 0xFFFFFF" // Compare 'this->_members->_usednodes' against constant 'MEMBER_MAX_COUNT'.
0x1294505: "jge 0x141295112" // Short jump to FAIL block (if 'this->_members->_usednodes' equals or exceeds MEMBER_MAX_COUNT).
0x1294507: "mov ecx, dword ptr ds:[rsi]" // Restored code overwritten by long jump patch at 0x1067595.
0x1294509: "mov rdi, qword ptr ss:[rbp-0x38]" // Restored code overwritten by long jump patch at 0x1067595.
0x129450D: "jmp 0x14106819B" // Jump to original code (if 'this->_members->_usednodes' is lower than MEMBER_MAX_COUNT).
0x1294512: "xor bl, bl" // Mark failure
0x1294514: "jmp 0x141068429" // Jump to return gadget which releases temporary handles, and loads BL into RAX to be returned.
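Review bot: The long jump written at 0x1067595 is a 5-byte `jmp rel32`, but the two displaced instructions restored at 0x1294507 and 0x1294509 (`mov ecx, [rsi]` = 2 bytes, `mov rdi, [rbp-0x38]` = 4 bytes) occupy 6 bytes, consistent with the return target 0x14106819B being six bytes past the patch site, so the sixth byte at 0x106759A is left as a stale original byte. It is skipped on the patched path, but it would execute if any other path lands on that address, so I would pad it explicitly with `0x106759A: "nop"` unless the patch loader already pads the gap, which this hunk does not show. The comments at 0x12944F9 and 0x12944FD describe RCX and EAX as "unused stack registers"; they are volatile (caller-saved) scratch registers, so `// Load "SQClass::_members" into RCX (volatile register not live in the current compound block).` states the invariant correctly. The `jge` at 0x1294505 is a signed compare, which appears to match the upstream `CountUsed() >= MEMBER_MAX_COUNT` on a signed SQInteger, but the dword load at 0x12944FD assumes `_usednodes` is 32-bit in this build; a comment stating that assumption would help the next maintainer.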