Bug#1010827: minetest: wrong find_nodes_in_area() volume calculation can crash or hang server

Nils Dagsson Moskopp nils+debian-reportbug at dieweltistgarnichtso.net
Tue May 10 23:13:05 BST 2022


Package: minetest
Version: 5.3.0+repack-2.1+deb11u1
Severity: normal
Tags: patch upstream
X-Debbugs-Cc: nils+debian-reportbug at dieweltistgarnichtso.net

Dear Maintainer,

Minetest before version 5.5.0 has an implementation of the function 
minetest.find_nodes_in_area() that can be used by clients to hang a 
server. Attached to this bug report is proof-of-concept Lua code; 
you can run the “/areatest” command to crash Minetest with an error 
message that states “area volume exceeds allowed value of 4096000”.

This issue is security-relevant: It can be used by clients to crash 
or hang the server, depending on the exact coordinates given to the 
function minetest.find_nodes_in_area().

Minetest issue: <https://github.com/minetest/minetest/issues/11769>

Note that the upstream fix for this is actually faulty, as Minetest 
developers reused the constant MAX_MAP_GENERATION_LIMIT, neglecting 
that it is unsuited for bounds checking – as the map generator only 
stops after overrunning it. Basically: Minetest developers have a bad 
understanding of how the Minetest map generator works at map boundaries 
and are unwilling to introduce bounds checks in advance of anything 
proven to crash or hang for fear of performance losses.

Minetest patch: <https://github.com/minetest/minetest/pull/11770>

Again, the above patch is faulty and should not be applied – it has 
caused at least one other bug, which may or may not be mitigated by 
raising MAX_MAP_GENERATION_LIMIT to 31007 (I am unsure about that … 
it might be that the current version of Minetest still has issues).

Minetest bug: <https://github.com/minetest/minetest/issues/11828>

Before Minetest upstream came up with their questionable fix, I had 
come up with a fix which wraps around minetest.find_nodes_in_area() 
to prevent the crash. It is fully unit-tested, AFAIK it works 100%.

You can see the entire patch and the unit test for it here:
<https://git.minetest.land/Mineclonia/Mineclonia/pulls/169>
It is written in the form of Lua wrapper code for Minetest.

If you are unsure on how to integrate it, I can try to help.

-- System Information:
Debian Release: 11.3
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'oldoldstable')
Architecture: i386 (i686)

Kernel: Linux 5.10.0-10-686 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minetest depends on:
ii  libc6             2.31-13+deb11u3
ii  libcurl3-gnutls   7.74.0-1.3+deb11u1
ii  libfreetype6      2.10.4+dfsg-1
ii  libgcc-s1         10.2.1-6
ii  libgmp10          2:6.2.1+dfsg-1+deb11u1
ii  libirrlicht1.8    1.8.4+dfsg1-1.1
ii  libjsoncpp24      1.9.4-4
ii  libleveldb1d      1.22-3
ii  libluajit-5.1-2   2.1.0~beta3+dfsg-5.3
ii  libncursesw6      6.2+20201114-2
ii  libopenal1        1:1.19.1-2
ii  libpq5            13.5-0+deb11u1
ii  libspatialindex6  1.9.3-2
ii  libsqlite3-0      3.34.1-3
ii  libstdc++6        10.2.1-6
ii  libtinfo6         6.2+20201114-2
ii  libvorbisfile3    1.3.7-1
ii  libx11-6          2:1.7.2-1
ii  minetest-data     5.3.0+repack-2.1+deb11u1
ii  zlib1g            1:1.2.11.dfsg-2

minetest recommends no packages.

Versions of packages minetest suggests:
pn  minetest-mod-moreblocks  <none>
pn  minetest-mod-moreores    <none>
pn  minetest-mod-pipeworks   <none>
pn  minetest-server          <none>
pn  minetestmapper           <none>

-- no debconf information
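The report above describes the mitigation only in outline: a Lua wrapper around minetest.find_nodes_in_area() that refuses oversized search volumes before the engine sees them. The following is an added example of that idea written for this page; it is not the reporter's Mineclonia patch and not Minetest's own code. It assumes the 4096000 node limit quoted in the error message, takes a placeholder coordinate clamp MAP_COORD_LIMIT (an assumption, not a Minetest constant) so the volume check never relies on map-generator boundary behaviour, and uses only the engine API calls minetest.find_nodes_in_area() and minetest.log(), which exist in the 5.x Lua API.

```lua
-- Added example, not the reporter's patch and not Minetest's own code.
-- Defensive wrapper: normalise the requested box, compute its node count in
-- Lua, and refuse the call before the engine's own check can abort the server.

local MAX_AREA_VOLUME = 4096000   -- limit quoted in the error message from the report
local MAP_COORD_LIMIT = 30000     -- placeholder clamp (assumption, not an engine constant)

local function clamp(v, lo, hi)
  if v < lo then return lo end
  if v > hi then return hi end
  return v
end

-- Turn two arbitrary corner positions into an ordered, integer, clamped box,
-- so that negative extents, fractional coordinates and out-of-map values are
-- all handled before any arithmetic on them.
local function normalise_box(pos1, pos2)
  local minp, maxp = {}, {}
  for _, axis in ipairs({"x", "y", "z"}) do
    local a = clamp(math.floor(pos1[axis] + 0.5), -MAP_COORD_LIMIT, MAP_COORD_LIMIT)
    local b = clamp(math.floor(pos2[axis] + 0.5), -MAP_COORD_LIMIT, MAP_COORD_LIMIT)
    minp[axis] = math.min(a, b)
    maxp[axis] = math.max(a, b)
  end
  return minp, maxp
end

-- Inclusive node count of the box. With both corners inside MAP_COORD_LIMIT
-- the product stays far below 2^53, so a plain Lua number cannot overflow.
local function box_volume(minp, maxp)
  return (maxp.x - minp.x + 1) * (maxp.y - minp.y + 1) * (maxp.z - minp.z + 1)
end

-- Same signature as minetest.find_nodes_in_area(pos1, pos2, nodenames, grouped).
-- Returns nil plus a reason instead of letting an oversized request reach the engine.
local function safe_find_nodes_in_area(pos1, pos2, nodenames, grouped)
  local minp, maxp = normalise_box(pos1, pos2)
  local volume = box_volume(minp, maxp)
  if volume > MAX_AREA_VOLUME then
    minetest.log("warning", ("find_nodes_in_area refused: volume %d exceeds %d")
      :format(volume, MAX_AREA_VOLUME))
    return nil, "area volume too large"
  end
  return minetest.find_nodes_in_area(minp, maxp, nodenames, grouped)
end

return safe_find_nodes_in_area
```

A mod that wants every caller covered, including other mods' chat commands, can assign the wrapper back over the global (minetest.find_nodes_in_area = safe_find_nodes_in_area) after capturing the original in a local; callers that check for a nil first return value then degrade gracefully instead of taking the server down.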
