Dear Maintainer,

I just tried to help triage this bug. This bug manifests in current Stretch/9.9 and also in Buster/testing.
In the call to function setMultiStats a temporary PLAYERSTATS object gets constructed from the reference returned by getMultiStats. Therefore the copy constructor of EcKey for the member identity is called, which unfortunately unconditionally calls EC_KEY_dup, which seems not able to handle a null pointer as ec_key.

The attached patch calls EC_KEY_dup only in case of a non-null key. With packages rebuilt in Stretch and Buster with this patch applied, the same crash does not manifest and a multiplayer game with one nullbot was possible.

Could not find an upstream bug similar to this.

Kind regards,
Bernhard

(gdb) bt
#0 EC_KEY_dup (ec_key=0x0) at ../crypto/ec/ec_key.c:156
#1 0x00005555558068cc in EcKey::EcKey (this=0x7fffffffad00, b=...) at crc.cpp:248
#2 0x00005555556afd0a in PLAYERSTATS::PLAYERSTATS (this=0x7ffffffface0) at multistat.h:31
#3 setupNewPlayer (player=player@entry=0) at multijoin.cpp:473
#4 0x00005555556afe5c in MultiPlayerJoin (playerIndex=0) at multijoin.cpp:350
#5 0x00005555557d0157 in NEThostGame (SessionName=SessionName@entry=0x555555f234e3 <game+131> "Mein Spiel", PlayerName=PlayerName@entry=0x555555f20520 <sPlayer> "Spieler", one=14, two=two@entry=0, three=three@entry=0, four=four@entry=0, plyrs=4) at netplay.cpp:2780
#6 0x00005555556b5e5d in hostCampaign (sGame=sGame@entry=0x555555f234e3 <game+131> "Mein Spiel", sPlayer=sPlayer@entry=0x555555f20520 <sPlayer> "Spieler") at multiopt.cpp:259
#7 0x00005555556ab2d3 in processMultiopWidgets (id=10276) at multiint.cpp:3072
#8 0x00005555556ada6c in runMultiOptions () at multiint.cpp:3751
#9 0x0000555555799ea5 in titleLoop () at wrappers.cpp:176
#10 0x000055555567ddc5 in runTitleLoop () at main.cpp:923
#11 mainLoop () at main.cpp:995
#12 0x0000555555804ccc in wzMainEventLoop () at main_sdl.cpp:1601
#13 0x000055555567ea97 in realmain (argc=<optimized out>, argv=<optimized out>) at main.cpp:1329
#14 0x00007ffff2b642e1 in __libc_start_main (main=0x5555555d0df0 <main(int, char**)>, argc=1, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:291
#15 0x00005555555d0fea in _start ()
Description: Avoid calling EC_KEY_dup with null pointer Author: Bernhard Ãbelacker <bernha...@mailbox.org> Bug-Debian: https://bugs.debian.org/930942 Forwarded: no Last-Update: 2019-06-24 --- warzone2100-3.2.1.orig/lib/framework/crc.cpp +++ warzone2100-3.2.1/lib/framework/crc.cpp @@ -245,7 +245,9 @@ EcKey::EcKey() EcKey::EcKey(EcKey const &b) { - vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey); + vKey = nullptr; + if (!b.empty()) + vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey); } EcKey::EcKey(EcKey &&b) @@ -262,7 +264,8 @@ EcKey::~EcKey() EcKey &EcKey::operator =(EcKey const &b) { clear(); - vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey); + if (!b.empty()) + vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey); return *this; }
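Review bot: the guard in EcKey::EcKey(EcKey const &b) is only as good as empty(), and the hunk does not show its definition; confirm it is exactly `vKey == nullptr`, since the crash path copies a default-constructed EcKey and the check only helps if the default constructor leaves vKey null. The separate `vKey = nullptr;` statement would read better as a member initializer, `EcKey::EcKey(EcKey const &b) : vKey(nullptr)`. The caller is the right place for the fix: the gdb listing of ec_key.c:156 shows that EC_KEY_dup in OpenSSL 1.1.0 dereferences ec_key->engine before any NULL check, so libcrypto will not handle the empty case for you. One side effect worth knowing: EC_KEY_dup can also return NULL on allocation failure, and with this change that simply leaves the copy empty, which is consistent with the empty() state rather than a distinct error.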
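Review bot: operator= now depends on clear() leaving vKey as nullptr when b is empty, but clear() is not in the hunk; verify it resets vKey after EC_KEY_free rather than only freeing, otherwise assigning from an empty key leaves a dangling pointer that the next clear() or the destructor frees again. Also, self-assignment (`a = a`) calls clear() first and then sees `b.empty()` as true, so the key is silently destroyed instead of preserved; a leading `if (this == &b) return *this;` closes that and costs nothing.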
# Stretch/9.9 qemu amd64 VM 2019-06-24

apt update
apt dist-upgrade
apt install systemd-coredump xserver-xorg lightdm openbox mc gdb fakeroot warzone2100 warzone2100-dbgsym libssl1.1-dbgsym
apt build-dep warzone2100

mkdir /home/benutzer/source/libssl1.1/orig -p
cd /home/benutzer/source/libssl1.1/orig
apt source libssl1.1
cd

mkdir /home/benutzer/source/warzone2100/orig -p
cd /home/benutzer/source/warzone2100/orig
apt source warzone2100
cd

reboot

export DISPLAY=:0
gdb -q \
  -ex 'set width 0' \
  -ex 'set pagination off' \
  -ex 'directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto' \
  -ex 'directory /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/lib/framework' \
  -ex 'directory /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/src' \
  -ex 'run' \
  --args warzone2100

############

benutzer@debian:~$ gdb -q -ex 'set width 0' -ex 'set pagination off' -ex 'run' --args warzone2100
Reading symbols from warzone2100...(no debugging symbols found)...done.
Starting program: /usr/games/warzone2100
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe63a7700 (LWP 3843)]
info    |02:03:13: [realmain:1146] Using /home/benutzer/.warzone2100-3.2/logs/WZlog-0624_140313.txt debug file
[New Thread 0x7fffe5b19700 (LWP 3850)]
[New Thread 0x7fffdc72c700 (LWP 3853)]
[New Thread 0x7fffdbf2b700 (LWP 3854)]
[New Thread 0x7fffdb72a700 (LWP 3855)]
[New Thread 0x7fffdaf29700 (LWP 3856)]
[New Thread 0x7fffda728700 (LWP 3857)]
[New Thread 0x7fffd9f27700 (LWP 3858)]
[New Thread 0x7fffd9726700 (LWP 3859)]
[New Thread 0x7fffd8f25700 (LWP 3860)]
[New Thread 0x7fffd7925700 (LWP 3861)]
[Thread 0x7fffd7925700 (LWP 3861) exited]
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5007:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2495:(snd_pcm_open_noupdate) Unknown PCM default
AL lib: (EE) ALCplaybackAlsa_open: Could not open playback device 'default': No such file or directory
error   |02:03:13: [sound_InitLibrary:157] Couldn't open audio device.
error   |02:03:13: [sound_Init:54] Cannot init sound library
[New Thread 0x7fffd7925700 (LWP 3863)]
error   |02:03:14: [cdAudio_OpenTrack:96] Failed creating audio stream for music/menu.ogg
[New Thread 0x7fffd6724700 (LWP 4278)]
[New Thread 0x7fffd5f23700 (LWP 4279)]

Thread 1 "warzone2100" received signal SIGSEGV, Segmentation fault.
0x00007ffff3884da9 in EC_KEY_dup () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) bt
#0 0x00007ffff3884da9 in EC_KEY_dup () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#1 0x00005555558068cc in EcKey::EcKey(EcKey const&) ()
#2 0x00005555556afd0a in setupNewPlayer(unsigned int) ()
#3 0x00005555556afe5c in MultiPlayerJoin(unsigned int) ()
#4 0x00005555557d0157 in NEThostGame(char const*, char const*, int, int, int, int, unsigned int) ()
#5 0x00005555556b5e5d in hostCampaign(char*, char*) ()
#6 0x00005555556ab2d3 in ?? ()
#7 0x00005555556ada6c in runMultiOptions() ()
#8 0x0000555555799ea5 in titleLoop() ()
#9 0x000055555567ddc5 in mainLoop() ()
#10 0x0000555555804ccc in wzMainEventLoop() ()
#11 0x000055555567ea97 in realmain(int, char**) ()
#12 0x00007ffff2b642e1 in __libc_start_main (main=0x5555555d0df0 <main>, argc=1, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:291
#13 0x00005555555d0fea in _start ()

benutzer@debian:~$ gdb -q \
> -ex 'set width 0' \
> -ex 'set pagination off' \
> -ex 'directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto' \
> -ex 'directory /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/lib/framework' \
> -ex 'run' \
> --args warzone2100
Reading symbols from warzone2100...Reading symbols from /usr/lib/debug/.build-id/35/32f188d4647a1a16b01dc3a21f242289ca00be.debug...done.
done.
Source directories searched: /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto:$cdir:$cwd
Source directories searched: /home/benutzer/source/warzone2100/orig/warzone2100-3.2.1/lib/framework:/home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto:$cdir:$cwd
Starting program: /usr/games/warzone2100
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe63a7700 (LWP 9286)]
info    |02:10:44: [realmain:1146] Using /home/benutzer/.warzone2100-3.2/logs/WZlog-0624_141044.txt debug file
[New Thread 0x7fffe5b19700 (LWP 9293)]
[New Thread 0x7fffdc72c700 (LWP 9296)]
[New Thread 0x7fffdbf2b700 (LWP 9297)]
[New Thread 0x7fffdb72a700 (LWP 9298)]
[New Thread 0x7fffdaf29700 (LWP 9299)]
[New Thread 0x7fffda728700 (LWP 9300)]
[New Thread 0x7fffd9f27700 (LWP 9301)]
[New Thread 0x7fffd9726700 (LWP 9302)]
[New Thread 0x7fffd8f25700 (LWP 9303)]
[New Thread 0x7fffd7925700 (LWP 9304)]
[Thread 0x7fffd7925700 (LWP 9304) exited]
ALSA lib confmisc.c:767:(parse_card) cannot find card '0'
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_card_driver returned error: No such file or directory
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1246:(snd_func_refer) error evaluating name
ALSA lib conf.c:4528:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5007:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2495:(snd_pcm_open_noupdate) Unknown PCM default
AL lib: (EE) ALCplaybackAlsa_open: Could not open playback device 'default': No such file or directory
error   |02:10:44: [sound_InitLibrary:157] Couldn't open audio device.
error   |02:10:44: [sound_Init:54] Cannot init sound library
[New Thread 0x7fffd7925700 (LWP 9306)]
error   |02:10:45: [cdAudio_OpenTrack:96] Failed creating audio stream for music/menu.ogg
[New Thread 0x7fffd6724700 (LWP 9640)]
[New Thread 0x7fffd5f23700 (LWP 9641)]

Thread 1 "warzone2100" received signal SIGSEGV, Segmentation fault.
EC_KEY_dup (ec_key=0x0) at ../crypto/ec/ec_key.c:156
156         EC_KEY *ret = EC_KEY_new_method(ec_key->engine);
(gdb) bt
#0 EC_KEY_dup (ec_key=0x0) at ../crypto/ec/ec_key.c:156
#1 0x00005555558068cc in EcKey::EcKey (this=0x7fffffffad00, b=...) at crc.cpp:248
#2 0x00005555556afd0a in PLAYERSTATS::PLAYERSTATS (this=0x7ffffffface0) at multistat.h:31
#3 setupNewPlayer (player=player@entry=0) at multijoin.cpp:473
#4 0x00005555556afe5c in MultiPlayerJoin (playerIndex=0) at multijoin.cpp:350
#5 0x00005555557d0157 in NEThostGame (SessionName=SessionName@entry=0x555555f234e3 <game+131> "Mein Spiel", PlayerName=PlayerName@entry=0x555555f20520 <sPlayer> "Spieler", one=14, two=two@entry=0, three=three@entry=0, four=four@entry=0, plyrs=4) at netplay.cpp:2780
#6 0x00005555556b5e5d in hostCampaign (sGame=sGame@entry=0x555555f234e3 <game+131> "Mein Spiel", sPlayer=sPlayer@entry=0x555555f20520 <sPlayer> "Spieler") at multiopt.cpp:259
#7 0x00005555556ab2d3 in processMultiopWidgets (id=10276) at multiint.cpp:3072
#8 0x00005555556ada6c in runMultiOptions () at multiint.cpp:3751
#9 0x0000555555799ea5 in titleLoop () at wrappers.cpp:176
#10 0x000055555567ddc5 in runTitleLoop () at main.cpp:923
#11 mainLoop () at main.cpp:995
#12 0x0000555555804ccc in wzMainEventLoop () at main_sdl.cpp:1601
#13 0x000055555567ea97 in realmain (argc=<optimized out>, argv=<optimized out>) at main.cpp:1329
#14 0x00007ffff2b642e1 in __libc_start_main (main=0x5555555d0df0 <main(int, char**)>, argc=1, argv=0x7fffffffe668, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe658) at ../csu/libc-start.c:291
#15 0x00005555555d0fea in _start ()
(gdb) list EC_KEY_dup
153
154     EC_KEY *EC_KEY_dup(const EC_KEY *ec_key)
155     {
156         EC_KEY *ret = EC_KEY_new_method(ec_key->engine);
157
158         if (ret == NULL)
159             return NULL;
160
161         if (EC_KEY_copy(ret, ec_key) == NULL) {
162             EC_KEY_free(ret);
163             return NULL;
164         }
165         return ret;
166     }
167
(gdb) print ec_key
$1 = (const EC_KEY *) 0x0
(gdb) up
#1 0x00005555558068cc in EcKey::EcKey (this=0x7fffffffad00, b=...) at crc.cpp:248
warning: Source file is more recent than executable.
248         vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
(gdb) list crc.cpp:248
245
246     EcKey::EcKey(EcKey const &b)
247     {
248         vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
249     }
(gdb) up
#2 0x00005555556afd0a in PLAYERSTATS::PLAYERSTATS (this=0x7ffffffface0) at multistat.h:31
31      struct PLAYERSTATS
(gdb) list
30
31      struct PLAYERSTATS
32      {
33          PLAYERSTATS();
34
35          uint32_t played; /// propogated stats.
36          uint32_t wins;
37          uint32_t losses;
38          uint32_t totalKills;
39          uint32_t totalScore;
40
41          uint32_t recentKills; // score/kills in last game.
42          uint32_t recentScore;
43
44          EcKey identity;
45      };
(gdb) list multistat.cpp:43
42
43      PLAYERSTATS::PLAYERSTATS()
44          : played(0)
45          , wins(0)
46          , losses(0)
47          , totalKills(0)
48          , totalScore(0)
49          , recentKills(0)
50          , recentScore(0)
51      {}
52

############

gdb -q --args warzone2100
set width 0
set pagination off
directory /home/benutzer/source/libssl1.1/orig/openssl-1.1.0j/crypto
directory /home/benutzer/source/warzone2100/try1/warzone2100-3.2.1/lib/framework
directory /home/benutzer/source/warzone2100/try1/warzone2100-3.2.1/src
b multijoin.cpp:473
run
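As an added illustration (not from the bug report, the attached patch, or the warzone2100 sources): a self-contained C++ model of the EcKey wrapper that reproduces the condition in the backtrace above, a default-constructed PLAYERSTATS whose empty identity is copied, and shows the guarded copy constructor and copy assignment together with the self-assignment and move cases that the patch does not touch. The EC_KEY, EC_KEY_dup and EC_KEY_free definitions, the string constructor, the raw() and secret() accessors and the trimmed PLAYERSTATS are constructed stand-ins so the file compiles without libcrypto; the stand-in EC_KEY_dup only reproduces the one property that matters here, that it dereferences its argument before any NULL check.

```cpp
#include <cstdint>
#include <string>

// Constructed stand-ins for the OpenSSL calls the wrapper uses. They are NOT
// libcrypto; they reproduce only the property that matters for this bug:
// EC_KEY_dup() reads ec_key->engine before any NULL check, as the gdb listing
// of openssl-1.1.0j crypto/ec/ec_key.c:156 shows.
namespace fake_openssl {
struct ENGINE { int id; };
struct EC_KEY {
    ENGINE *engine;
    std::string d;   // stand-in for the private scalar
};
inline EC_KEY *EC_KEY_dup(const EC_KEY *ec_key) {
    ENGINE *e = ec_key->engine;          // a NULL ec_key crashes here, like the real one
    return new EC_KEY{e, ec_key->d};
}
inline void EC_KEY_free(EC_KEY *k) { delete k; }   // the real EC_KEY_free also accepts NULL
}  // namespace fake_openssl
using namespace fake_openssl;

// Hardened wrapper: every path that reads b.vKey checks the empty state first,
// copy assignment guards self-assignment, and clear() always resets vKey.
class EcKey {
public:
    EcKey() : vKey(nullptr) {}
    // Hypothetical constructor for this example only; the real class obtains keys elsewhere.
    explicit EcKey(const std::string &secret) : vKey(new EC_KEY{&engine_, secret}) {}
    EcKey(EcKey const &b) : vKey(nullptr) {
        if (!b.empty()) vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
    }
    EcKey(EcKey &&b) noexcept : vKey(b.vKey) { b.vKey = nullptr; }
    ~EcKey() { clear(); }
    EcKey &operator=(EcKey const &b) {
        if (this == &b) return *this;   // calling clear() first would free our own key
        clear();
        if (!b.empty()) vKey = (void *)EC_KEY_dup((EC_KEY *)b.vKey);
        return *this;
    }
    EcKey &operator=(EcKey &&b) noexcept {
        if (this != &b) { clear(); vKey = b.vKey; b.vKey = nullptr; }
        return *this;
    }
    void clear() { EC_KEY_free((EC_KEY *)vKey); vKey = nullptr; }
    bool empty() const { return vKey == nullptr; }
    const void *raw() const { return vKey; }
    std::string secret() const { return empty() ? std::string() : ((EC_KEY *)vKey)->d; }
private:
    static ENGINE engine_;
    void *vKey;
};
ENGINE EcKey::engine_{1};

// Trimmed mirror of the struct in the backtrace: a default-constructed
// PLAYERSTATS carries an empty identity, and returning it by value copies it.
struct PLAYERSTATS {
    uint32_t played = 0;
    EcKey identity;
};
PLAYERSTATS getMultiStats(const PLAYERSTATS &stored) { return stored; }

// The crash scenario: copying stats whose identity was never set.
bool copy_of_empty_key_is_empty() {
    PLAYERSTATS fresh;
    PLAYERSTATS copy = getMultiStats(fresh);   // an unguarded EC_KEY_dup(NULL) would segfault here
    return copy.identity.empty();
}

// A copy of a real key must duplicate the EC_KEY, not alias it.
bool copy_of_real_key_is_deep() {
    EcKey a("s3cret");
    EcKey b(a);
    return !b.empty() && b.raw() != a.raw() && b.secret() == "s3cret";
}

// Self-assignment must not destroy the key.
bool self_assignment_keeps_key() {
    EcKey a("s3cret");
    EcKey &alias = a;
    a = alias;
    return a.secret() == "s3cret";
}

// Assigning from an empty key must leave the target empty with no dangling pointer.
bool assign_from_empty_clears() {
    EcKey a("s3cret"), none;
    a = none;
    return a.empty();
}
```

The four scenario functions are the checks a reviewer would want to run against the patched class: the first is the reported crash, the other three cover the paths the patch leaves unchanged.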