Bug 3767 - Some protection from malicious qvms
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: GIT MASTER
Hardware: All All
: P3 normal
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
URL:
Depends on:
Blocks:
 
Reported: 2008-09-03 11:59 EDT by Amanieu d'Antras
Modified: 2011-03-07 20:40:14 EST
1 user (show)

See Also:

Attachments
My implementation (7.03 KB, patch)
2008-09-03 14:44 EDT, Ben Millwood
More paranoid version of the above (7.03 KB, patch)
2008-09-03 15:28 EDT, Ben Millwood
Tighter security (8.05 KB, patch)
2008-09-03 17:50 EDT, Ben Millwood
Whoops. (7.83 KB, patch)
2008-09-03 17:58 EDT, Ben Millwood
Issues above addressed (8.11 KB, patch)
2008-09-04 11:16 EDT, Ben Millwood

Description Amanieu d'Antras 2008-09-03 11:59:20 EDT 
Prevent qvms from modifying filesystem cvars:
http://www.tremfusion.net/hg/tremfusion/rev/49980e342398
Prevent qvms from removing system commands:
http://www.tremfusion.net/hg/tremfusion/rev/09efc8d67735
Comment 1 Ben Millwood 2008-09-03 14:44:05 EDT 
Created attachment 1852 [details]
My implementation

This is functionally more or less identical but IMO neater than both patches above. Might be slightly slower, but I may or may not submit further largely unrelated patches that make the command or cvar code a little more efficient.
Comment 2 Ben Millwood 2008-09-03 15:28:01 EDT 
Created attachment 1853 [details]
More paranoid version of the above

This patch is the same, but instead of merely informing the user via a print, the system drops the client from the server if a QVM tries to do something malicious.

This should make servers that distribute dangerous QVMs very easy to spot, and if you're running a QVM that does this kind of thing you probably don't want to keep running it anyway.
Comment 3 Ben Millwood 2008-09-03 15:33:35 EDT 
I think it may still be possible to set variables by using trap_Cvar_Register to add the CVAR_USER_CREATED flag, then calling it again with CVAR_ROM.
Also, although it's rarer for servers to run untrusted QVMs, the possibility should probably be addressed.

I will address both these issues in a new patch sometime later.
Comment 4 Ben Millwood 2008-09-03 17:50:40 EDT 
Created attachment 1854 [details]
Tighter security

This patch prohibits using Cvar_Get to add CVAR_USER_CREATED to an already-existing variable, which should close the security hole with trap_Cvar_Register
It also adds protection to sv_game.c which I omitted the first time.
Comment 5 Ben Millwood 2008-09-03 17:58:06 EDT 
Created attachment 1855 [details]
Whoops.

Above patch doesn't compile :(

fixed
Comment 6 Amanieu d'Antras 2008-09-04 07:20:16 EDT 
You shouldn't protect fs_game, because it will break the ui mods menu.
Also, you should use SetVM when parsing server systeminfo.
Comment 7 Ben Millwood 2008-09-04 11:16:19 EDT 
Created attachment 1857 [details]
Issues above addressed

Sorted the issues above and switched to more logical naming since server var setting is now protected.

Also, disallowed setting CVAR_SERVER_CREATED on existing variable with Cvar_Get.
Comment 8 Thilo Schulz 2011-03-07 20:40:14 EST 
applied with a few minormodifications in r1916. Thanks to you two!