Bug#930942: warzone2100: Segfault upon multiplayer "Start Hosting Game"

Bernhard Übelacker bernhardu at mailbox.org
Mon Jun 24 14:52:16 BST 2019


Dear Maintainer,
I just tried to help triage this bug.

This bug manifests in current Stretch/9.9 and
also in Buster/testing.

In the call to the function setMultiStats a temporary
PLAYERSTATS object gets constructed from the
reference returned by getMultiStats.
Therefore the copy constructor of EcKey for the member identity
is called, which unfortunately unconditionally calls EC_KEY_dup,
which seems not to be able to handle a null pointer as ec_key.

The attached patch calls EC_KEY_dup only in the case of a non-null key.
With packages rebuilt in Stretch and Buster with this
patch applied, the same crash does not manifest and a multiplayer
game with one nullbot was possible.

Could not find an upstream bug similar to this.

Kind regards,
Bernhard


(gdb) bt
#0  EC_KEY_dup (ec_key=0x0) at ../crypto/ec/ec_key.c:156
#1  0x00005555558068cc in EcKey::EcKey (this=0x7fffffffad00, b=...) at crc.cpp:248
#2  0x00005555556afd0a in PLAYERSTATS::PLAYERSTATS (this=0x7ffffffface0) at multistat.h:31
#3  setupNewPlayer (player=player at entry=0) at multijoin.cpp:473
#4  0x00005555556afe5c in MultiPlayerJoin (playerIndex=0) at multijoin.cpp:350
#5  0x00005555557d0157 in NEThostGame (SessionName=SessionName at entry=0x555555f234e3 <game+131> "Mein Spiel", PlayerName=PlayerName at entry=0x555555f20520 <sPlayer> "Spieler", one=14, two=two at entry=0, three=three at entry=0, four=four at entry=0, plyrs=4) at netplay.cpp:2780
#6  0x00005555556b5e5d in hostCampaign (sGame=sGame at entry=0x555555f234e3 <game+131> "Mein Spiel", sPlayer=sPlayer at entry=0x555555f20520 <sPlayer> "Spieler") at multiopt.cpp:259
#7  0x00005555556ab2d3 in processMultiopWidgets (id=10276) at multiint.cpp:3072
#8  0x00005555556ada6c in runMultiOptions () at multiint.cpp:3751
#9  0x0000555555799ea5 in titleLoop () at wrappers.cpp:176
#10 0x000055555567ddc5 in runTitleLoop () at main.cpp:923
#11 mainLoop () at main.cpp:995
#12 0x0000555555804ccc in wzMainEventLoop () at main_sdl.cpp:1601
#13 0x000055555567ea97 in realmain (argc=<optimized out>, argv=<optimized out>) at main.cpp:1329
#14 0x00007ffff2b642e1 in __libc_start_main (main=0x5555555d0df0 <main(int, char**)>, argc=1, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:291
#15 0x00005555555d0fea in _start ()
-------------- next part --------------

# Stretch/9.9 qemu amd64 VM 2019-06-24


apt update
apt dist-upgrade


apt install systemd-coredump xserver-xorg lightdm openbox mc gdb fakeroot warzone2100 warzone2100-dbgsym libssl1.1-dbgsym
apt build-dep warzone2100


mkdir /home/benutzer/source/libssl1.1/orig -p
cd    /home/benutzer/source/libssl1.1/orig
apt source libssl1.1
cd

mkdir /home/benutzer/source/warzone2100/orig -p
cd    /home/benutzer/source/warzone2100/orig
apt source warzone2100
cd


reboot


export DISPLAY=:0
gdb -q \
    -ex 'set width 0' \
    -ex 'set pagination off' \
    -ex 'directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto' \
    -ex 'directory /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/lib/framework' \
    -ex 'directory /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/src' \
    -ex 'run' \
    --args warzone2100


############


benutzer at debian:~$ gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'run' --args warzone2100
Reading symbols from warzone2100...(no debugging symbols found)...done.
Starting program: /usr/games/warzone2100 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe63a7700 (LWP 3843)]
info    |02:03:13: [realmain:1146] Using /home/benutzer/.warzone2100-3.2/logs/WZlog-0624_140313.txt debug file
[New Thread 0x7fffe5b19700 (LWP 3850)]
[New Thread 0x7fffdc72c700 (LWP 3853)]
[New Thread 0x7fffdbf2b700 (LWP 3854)]
[New Thread 0x7fffdb72a700 (LWP 3855)]
[New Thread 0x7fffdaf29700 (LWP 3856)]
[New Thread 0x7fffda728700 (LWP 3857)]
[New Thread 0x7fffd9f27700 (LWP 3858)]
[New Thread 0x7fffd9726700 (LWP 3859)]
[New Thread 0x7fffd8f25700 (LWP 3860)]
[New Thread 0x7fffd7925700 (LWP 3861)]
[Thread 0x7fffd7925700 (LWP 3861) exited]
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_card_driver returned error: Datei oder Verzeichnis nicht gefunden
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_concat returned error: Datei oder Verzeichnis nicht gefunden
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_refer returned error: Datei oder Verzeichnis nicht gefunden
ALSA lib conf.c:5007:(snd_config_expand) Evaluate error: Datei oder Verzeichnis nicht gefunden
ALSA lib pcm.c:2495:(snd_pcm_open_noupdate) Unknown PCM default
AL lib: (EE) ALCplaybackAlsa_open: Could not open playback device 'default': Datei oder Verzeichnis nicht gefunden
error   |02:03:13: [sound_InitLibrary:157] Couldn't open audio device.
error   |02:03:13: [sound_Init:54] Cannot init sound library
[New Thread 0x7fffd7925700 (LWP 3863)]
error   |02:03:14: [cdAudio_OpenTrack:96] Failed creating audio stream for music/menu.ogg
[New Thread 0x7fffd6724700 (LWP 4278)]
[New Thread 0x7fffd5f23700 (LWP 4279)]

Thread 1 "warzone2100" received signal SIGSEGV, Segmentation fault.
0x00007ffff3884da9 in EC_KEY_dup () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) bt
#0  0x00007ffff3884da9 in EC_KEY_dup () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#1  0x00005555558068cc in EcKey::EcKey(EcKey const&) ()
#2  0x00005555556afd0a in setupNewPlayer(unsigned int) ()
#3  0x00005555556afe5c in MultiPlayerJoin(unsigned int) ()
#4  0x00005555557d0157 in NEThostGame(char const*, char const*, int, int, int, int, unsigned int) ()
#5  0x00005555556b5e5d in hostCampaign(char*, char*) ()
#6  0x00005555556ab2d3 in ?? ()
#7  0x00005555556ada6c in runMultiOptions() ()
#8  0x0000555555799ea5 in titleLoop() ()
#9  0x000055555567ddc5 in mainLoop() ()
#10 0x0000555555804ccc in wzMainEventLoop() ()
#11 0x000055555567ea97 in realmain(int, char**) ()
#12 0x00007ffff2b642e1 in __libc_start_main (main=0x5555555d0df0 <main>, argc=1, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:291
#13 0x00005555555d0fea in _start ()





benutzer at debian:~$ gdb -q \
>     -ex 'set width 0' \
>     -ex 'set pagination off' \
>     -ex 'directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto' \
>     -ex 'directory /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/lib/framework' \
>     -ex 'run' \
>     --args warzone2100
Reading symbols from warzone2100...Reading symbols from /usr/lib/debug/.build-id/35/32f188d4647a1a16b01dc3a21f242289ca00be.debug...done.
done.
Source directories searched: /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto:$cdir:$cwd
Source directories searched: /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/lib/framework:/home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto:$cdir:$cwd
Starting program: /usr/games/warzone2100 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe63a7700 (LWP 9286)]
info    |02:10:44: [realmain:1146] Using /home/benutzer/.warzone2100-3.2/logs/WZlog-0624_141044.txt debug file
[New Thread 0x7fffe5b19700 (LWP 9293)]
[New Thread 0x7fffdc72c700 (LWP 9296)]
[New Thread 0x7fffdbf2b700 (LWP 9297)]
[New Thread 0x7fffdb72a700 (LWP 9298)]
[New Thread 0x7fffdaf29700 (LWP 9299)]
[New Thread 0x7fffda728700 (LWP 9300)]
[New Thread 0x7fffd9f27700 (LWP 9301)]
[New Thread 0x7fffd9726700 (LWP 9302)]
[New Thread 0x7fffd8f25700 (LWP 9303)]
[New Thread 0x7fffd7925700 (LWP 9304)]
[Thread 0x7fffd7925700 (LWP 9304) exited]
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_card_driver returned error: Datei oder Verzeichnis nicht gefunden
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_concat returned error: Datei oder Verzeichnis nicht gefunden
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_refer returned error: Datei oder Verzeichnis nicht gefunden
ALSA lib conf.c:5007:(snd_config_expand) Evaluate error: Datei oder Verzeichnis nicht gefunden
ALSA lib pcm.c:2495:(snd_pcm_open_noupdate) Unknown PCM default
AL lib: (EE) ALCplaybackAlsa_open: Could not open playback device 'default': Datei oder Verzeichnis nicht gefunden
error   |02:10:44: [sound_InitLibrary:157] Couldn't open audio device.
error   |02:10:44: [sound_Init:54] Cannot init sound library
[New Thread 0x7fffd7925700 (LWP 9306)]
error   |02:10:45: [cdAudio_OpenTrack:96] Failed creating audio stream for music/menu.ogg
[New Thread 0x7fffd6724700 (LWP 9640)]
[New Thread 0x7fffd5f23700 (LWP 9641)]

Thread 1 "warzone2100" received signal SIGSEGV, Segmentation fault.
EC_KEY_dup (ec_key=0x0) at ../crypto/ec/ec_key.c:156
156         EC_KEY *ret = EC_KEY_new_method(ec_key->engine);

(gdb) bt
#0  EC_KEY_dup (ec_key=0x0) at ../crypto/ec/ec_key.c:156
#1  0x00005555558068cc in EcKey::EcKey (this=0x7fffffffad00, b=...) at crc.cpp:248
#2  0x00005555556afd0a in PLAYERSTATS::PLAYERSTATS (this=0x7ffffffface0) at multistat.h:31
#3  setupNewPlayer (player=player at entry=0) at multijoin.cpp:473
#4  0x00005555556afe5c in MultiPlayerJoin (playerIndex=0) at multijoin.cpp:350
#5  0x00005555557d0157 in NEThostGame (SessionName=SessionName at entry=0x555555f234e3 <game+131> "Mein Spiel", PlayerName=PlayerName at entry=0x555555f20520 <sPlayer> "Spieler", one=14, two=two at entry=0, three=three at entry=0, four=four at entry=0, plyrs=4) at netplay.cpp:2780
#6  0x00005555556b5e5d in hostCampaign (sGame=sGame at entry=0x555555f234e3 <game+131> "Mein Spiel", sPlayer=sPlayer at entry=0x555555f20520 <sPlayer> "Spieler") at multiopt.cpp:259
#7  0x00005555556ab2d3 in processMultiopWidgets (id=10276) at multiint.cpp:3072
#8  0x00005555556ada6c in runMultiOptions () at multiint.cpp:3751
#9  0x0000555555799ea5 in titleLoop () at wrappers.cpp:176
#10 0x000055555567ddc5 in runTitleLoop () at main.cpp:923
#11 mainLoop () at main.cpp:995
#12 0x0000555555804ccc in wzMainEventLoop () at main_sdl.cpp:1601
#13 0x000055555567ea97 in realmain (argc=<optimized out>, argv=<optimized out>) at main.cpp:1329
#14 0x00007ffff2b642e1 in __libc_start_main (main=0x5555555d0df0 <main(int, char**)>, argc=1, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:291
#15 0x00005555555d0fea in _start ()

(gdb) list EC_KEY_dup
153
154     EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
155     {
156         EC_KEY *ret = EC_KEY_new_method(ec_key->engine);
157
158         if (ret == NULL)
159             return NULL;
160
161         if (EC_KEY_copy(ret, ec_key) == NULL) {
162             EC_KEY_free(ret);
163             return NULL;
164         }
165         return ret;
166     }
167

(gdb) print ec_key
$1 = (const EC_KEY *) 0x0


(gdb) up
#1  0x00005555558068cc in EcKey::EcKey (this=0x7fffffffad00, b=...) at crc.cpp:248
warning: Source file is more recent than executable.
248             vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);

(gdb) list crc.cpp:248
245
246     EcKey::EcKey(EcKey const &b)
247     {
248             vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
249     }


(gdb) up
#2  0x00005555556afd0a in PLAYERSTATS::PLAYERSTATS (this=0x7ffffffface0) at multistat.h:31
31      struct PLAYERSTATS

(gdb) list
30
31      struct PLAYERSTATS
32      {
33              PLAYERSTATS();
34
35              uint32_t played;                                                /// propogated stats.
36              uint32_t wins;
37              uint32_t losses;
38              uint32_t totalKills;
39              uint32_t totalScore;
40
41              uint32_t recentKills;                           // score/kills in last game.
42              uint32_t recentScore;
43
44              EcKey    identity;
45      };

(gdb) list multistat.cpp:43
42
43      PLAYERSTATS::PLAYERSTATS()
44              : played(0)
45              , wins(0)
46              , losses(0)
47              , totalKills(0)
48              , totalScore(0)
49              , recentKills(0)
50              , recentScore(0)
51      {}
52


############


gdb -q --args warzone2100


set width 0
set pagination off
directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto
directory /home/benutzer/source/warzone2100/try1/warzone2100-3.2.1/lib/framework
directory /home/benutzer/source/warzone2100/try1/warzone2100-3.2.1/src
b multijoin.cpp:473
run


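The crash path above (an EcKey copy constructor that hands a possibly-null handle straight to EC_KEY_dup, which dereferences ec_key->engine before any check) can be reproduced and fixed in isolation without libcrypto. The following is an added example, not code from the bug report or from warzone2100: FakeEcKey, dup_key, new_key, free_key and KeyHandle are constructed stand-ins whose only job is to mirror the shape of EC_KEY, EC_KEY_dup and the EcKey wrapper, and the guard in KeyHandle's copy constructor is the same idea as the attached patch.

```cpp
#include <cstdint>
#include <cstdio>
#include <utility>

// Constructed stand-in for OpenSSL's EC_KEY so the example builds without
// libcrypto. Like the real EC_KEY_dup shown in the gdb session, dup_key()
// reads a member of its argument before any null check, so a null pointer
// faults exactly as in the report.
struct FakeEcKey {
    int engine;       // stands in for ec_key->engine
    std::uint32_t d;  // stands in for the private scalar
};

static FakeEcKey *new_key(std::uint32_t d) { return new FakeEcKey{1, d}; }

static FakeEcKey *dup_key(const FakeEcKey *ec_key) {
    // Same shape as EC_KEY_dup at ec_key.c:156: dereference first, ask later.
    FakeEcKey *ret = new FakeEcKey{ec_key->engine, 0};
    ret->d = ec_key->d;
    return ret;
}

static void free_key(FakeEcKey *k) { delete k; }

// Wrapper in the style of warzone2100's EcKey (hypothetical reimplementation):
// an opaque void* handle that may legitimately be null, because a
// default-constructed PLAYERSTATS has no identity yet.
class KeyHandle {
public:
    KeyHandle() : vKey(nullptr) {}
    explicit KeyHandle(std::uint32_t d) : vKey(new_key(d)) {}

    // Fixed copy constructor: duplicate only when there is a key to duplicate.
    // The crashing version called dup unconditionally on b.vKey.
    KeyHandle(KeyHandle const &b)
        : vKey(b.vKey != nullptr ? dup_key(static_cast<FakeEcKey *>(b.vKey))
                                 : nullptr) {}

    // Copy-and-swap assignment so the wrapper obeys the rule of three and
    // never double-frees or leaks the underlying key.
    KeyHandle &operator=(KeyHandle b) {
        std::swap(vKey, b.vKey);
        return *this;
    }

    ~KeyHandle() {
        if (vKey != nullptr) free_key(static_cast<FakeEcKey *>(vKey));
    }

    bool empty() const { return vKey == nullptr; }
    std::uint32_t scalar() const {
        return vKey ? static_cast<FakeEcKey *>(vKey)->d : 0;
    }
    const void *raw() const { return vKey; }

private:
    void *vKey;
};

// Mirrors the crash path: a temporary copy of a stats record whose identity
// is still empty. With the guard in place this returns true instead of
// dereferencing null inside dup_key().
bool copy_of_empty_identity_is_empty() {
    KeyHandle empty;
    KeyHandle copy(empty);
    return copy.empty();
}

// Sanity check that the guard did not break the normal case: copying a
// populated handle yields an independent deep copy with the same contents.
bool copy_of_real_key_is_independent() {
    KeyHandle k(42);
    KeyHandle c(k);
    return !c.empty() && c.scalar() == 42 && c.raw() != k.raw();
}

int main() {
    std::printf("empty copy ok:  %d\n", copy_of_empty_identity_is_empty());
    std::printf("deep copy ok:   %d\n", copy_of_real_key_is_independent());
    return 0;
}
```

Removing the `!= nullptr` test from the copy constructor reproduces the SIGSEGV from the report on the first call, which is a convenient way to confirm that a rebuilt package actually carries the guard.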