Package: minetest
Version: 5.3.0+repack-2.1+deb11u1
Severity: normal
Tags: upstream
X-Debbugs-Cc: nils+debian-report...@dieweltistgarnichtso.net

Dear Maintainer,

calling minetest.emerge_area() with the first argument being a position where x equals 32767 causes RAM and CPU usage to spike, as the Minetest server queues 4096 emerge calls instead of 0. Note that as of now, such a position is nonsensical, as the map generator stops generating around x=31007 or so.

It takes a long time to process these emerge calls, even if a server has enough spare RAM and CPU resources to not hang forever.

This bug is security-relevant: A malicious client could provoke servers into emerging an area – e.g. if it can trigger structure placement code that does not have bounds checks. So far I have never seen such code in any mod that had any bounds checks for minetest.emerge_area() calls.

I have attached proof of concept code. To verify the bug, name the file init.lua, put it in a folder that is in the minetest mods folder (named crash_emerge) then enter a world with the mod “crash_emerge” activated.

This bug likely affects all Minetest versions and is not fixed upstream.

A fix for all versions of Minetest would be to write a mod that wraps the function minetest.emerge_area() and checks if the given positions are out of bounds, not calling minetest.emerge_area() if that is true.

-- System Information:
Debian Release: 11.3
  APT prefers stable
  APT policy: (900, 'stable'), (500, 'oldoldstable')
Architecture: i386 (i686)

Kernel: Linux 5.10.0-10-686 (SMP w/2 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages minetest depends on:
ii  libc6             2.31-13+deb11u3
ii  libcurl3-gnutls   7.74.0-1.3+deb11u1
ii  libfreetype6      2.10.4+dfsg-1
ii  libgcc-s1         10.2.1-6
ii  libgmp10          2:6.2.1+dfsg-1+deb11u1
ii  libirrlicht1.8    1.8.4+dfsg1-1.1
ii  libjsoncpp24      1.9.4-4
ii  libleveldb1d      1.22-3
ii  libluajit-5.1-2   2.1.0~beta3+dfsg-5.3
ii  libncursesw6      6.2+20201114-2
ii  libopenal1        1:1.19.1-2
ii  libpq5            13.5-0+deb11u1
ii  libspatialindex6  1.9.3-2
ii  libsqlite3-0      3.34.1-3
ii  libstdc++6        10.2.1-6
ii  libtinfo6         6.2+20201114-2
ii  libvorbisfile3    1.3.7-1
ii  libx11-6          2:1.7.2-1
ii  minetest-data     5.3.0+repack-2.1+deb11u1
ii  zlib1g            1:1.2.11.dfsg-2

minetest recommends no packages.

Versions of packages minetest suggests:
pn  minetest-mod-moreblocks  <none>
pn  minetest-mod-moreores    <none>
pn  minetest-mod-pipeworks   <none>
pn  minetest-server          <none>
pn  minetestmapper           <none>

-- no debconf information

local emerge = function()
    local i = 32767
    minetest.emerge_area(
        { x=i, y=0, z=0 },
        { x=i+1, y=0, z=0 },
        function(blockpos, action, calls_remaining)
            minetest.debug( dump( calls_remaining, i ) )
        end
    )
end

minetest.after( 0, emerge )
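
The wrapper mod proposed in the report could look like the following. This is an added example, not code from the reporter or from the Minetest project; the mod name "emerge_area_guard" is hypothetical, and the bound of 31000 (capped further by the mapgen_limit setting) is an assumption chosen to sit below the x=31007 mentioned in the report.

```lua
-- init.lua of a hypothetical mod "emerge_area_guard" (added example).
-- Assumption: no legitimate emerge request needs a coordinate beyond
-- 31000; the report notes that map generation stops around x=31007.
local HARD_LIMIT = 31000
local configured = tonumber(minetest.settings:get("mapgen_limit"))
local LIMIT = math.min(configured or HARD_LIMIT, HARD_LIMIT)

-- Keep a reference to the engine function before replacing it.
local original_emerge_area = minetest.emerge_area

-- A coordinate is accepted only if it is a number, is not NaN
-- (NaN ~= NaN) and lies inside [-LIMIT, LIMIT].
local function coord_ok(v)
    return type(v) == "number" and v == v and v >= -LIMIT and v <= LIMIT
end

local function pos_ok(pos)
    return type(pos) == "table"
        and coord_ok(pos.x) and coord_ok(pos.y) and coord_ok(pos.z)
end

minetest.emerge_area = function(pos1, pos2, callback, param)
    if not (pos_ok(pos1) and pos_ok(pos2)) then
        -- Refuse the call instead of clamping it, so the caller's bug
        -- shows up in the log. The callback is never invoked here.
        minetest.log("warning",
            "[emerge_area_guard] refused out-of-bounds emerge_area call: "
            .. dump(pos1) .. " to " .. dump(pos2))
        return
    end
    return original_emerge_area(pos1, pos2, callback, param)
end
```

The wrapper covers calls that look up minetest.emerge_area at call time; a mod that stored the original function in a local variable before this mod was loaded bypasses it. With the wrapper active, the proof-of-concept call above is refused and logged, because both x=32767 and x=32768 exceed the limit.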