Blender SEGV when open .blend file in blender #99836

Closed
opened 2022-07-19 12:02:58 +07:00 by Sangjun Park · 14 comments

System Information
Operating system: Ubuntu 20.04.4 LTS
Graphics card: 2b:00.0 VGA compatible controller: NVIDIA Corporation TU116 [GeForce GTX 1650 SUPER] (rev a1)

Blender Version
Broken: Blender 3.3.0 Alpha branch : master, commit 533a5a6a8c Date: Mon Jul 18 20:37:11 2022 -0700

Worked: -

Short description of error
when opening .blend file crash occured in

blender/source/blender/blenloader/intern/readfile.c

that include blo_do_versions_280

Exact steps for others to reproduce the error
Open this .blend file below using "blender"

carsh_1.blend

Note
I think Attacker may Arbitrary Address Write through this .blend file.

When User open malicious .blend file can lead to Remote code Execution

Proof-of-Concept Video below
https://youtu.be/55W8bSQOXgE

**System Information** Operating system: Ubuntu 20.04.4 LTS Graphics card: 2b:00.0 VGA compatible controller: NVIDIA Corporation TU116 [GeForce GTX 1650 SUPER] (rev a1) **Blender Version** Broken: Blender 3.3.0 Alpha branch : master, commit 533a5a6a8c60686dd7d627cf7815915d7a6b467b Date: Mon Jul 18 20:37:11 2022 -0700 Worked: - **Short description of error** when opening .blend file crash occured in ``` blender/source/blender/blenloader/intern/readfile.c ``` that include blo_do_versions_280 **Exact steps for others to reproduce the error** Open this .blend file below using "blender" [carsh_1.blend](https://archive.blender.org/developer/F13300051/carsh_1.blend) **Note** I think Attacker may Arbitrary Address Write through this .blend file. When User open malicious .blend file can lead to Remote code Execution **Proof-of-Concept Video below** https://youtu.be/55W8bSQOXgE

Added subscriber: @sangjun-park

Added subscriber: @sangjun-park
Collaborator

Added subscriber: @OmarEmaraDev

Added subscriber: @OmarEmaraDev
Collaborator

Changed status from 'Needs Triage' to: 'Needs User Info'

Changed status from 'Needs Triage' to: 'Needs User Info'
Collaborator

I think Attacker may Arbitrary Address Write through this .blend file.

When User open malicious .blend file can lead to Remote code Execution.

I am not sure what you mean by that. Did you create this file yourself to demonstrate a security vulnerability? Otherwise, where did you get the file?

The file is either corrupt or is too old to load into Blender, as it reports bmain->versionfile = 103.

* thread #1, name = 'blender', stop reason = signal SIGSEGV: invalid address (fault address: 0x14f0)
  * frame #0: 0x00000000033638e0 blender`do_versions_after_linking_280(bmain=0x00007fffdb075e08, UNUSED_reports=0x00007fffffffe3a8) at versioning_280.c:1243:53
    frame #1: 0x00000000033417ac blender`do_versions_after_linking(main=0x00007fffdb075e08, reports=0x00007fffffffe3a8) at readfile.c:3622:3
    frame #2: 0x000000000333fe65 blender`blo_read_file_internal(fd=0x00007fffdace0f08, filepath="/home/omar/Desktop/carsh_1.blend") at readfile.c:3962:9
    frame #3: 0x000000000333b1c1 blender`BLO_read_from_file(filepath="/home/omar/Desktop/carsh_1.blend", skip_flags=BLO_READ_SKIP_USERDEF, reports=0x00007fffffffe2f8) at readblenentry.c:364:11
    frame #4: 0x0000000002b11855 blender`BKE_blendfile_read(filepath="/home/omar/Desktop/carsh_1.blend", params=0x00007fffffffe358, reports=0x00007fffffffe2f8) at blendfile.c:497:24
    frame #5: 0x00000000032719ca blender`WM_file_read(C=0x00007ffff3f84388, filepath="/home/omar/Desktop/carsh_1.blend", reports=0x00007fffffffe3a8) at wm_files.c:924:33
    frame #6: 0x0000000002a7ac31 blender`arg_handle_load_file(UNUSED_argc=1, argv=0x00007fffffffe9d0, data=0x00007ffff3f84388) at creator_args.c:1977:13
    frame #7: 0x0000000010dcca21 blender`BLI_args_parse(ba=0x00007ffff401f008, pass=5, default_cb=(blender`arg_handle_load_file at creator_args.c:1956), default_data=0x00007ffff3f84388) at BLI_args.c:295:22
    frame #8: 0x0000000002a7ab39 blender`main_args_setup_post(C=0x00007ffff3f84388, ba=0x00007ffff401f008) at creator_args.c:2272:3
    frame #9: 0x0000000002a76f76 blender`main(argc=2, argv=0x00007fffffffe9c8) at creator.c:512:3
    frame #10: 0x00007ffff7dba290 libc.so.6`__libc_start_call_main + 128
    frame #11: 0x00007ffff7dba34a libc.so.6`__libc_start_main@@GLIBC_2.34 + 138
    frame #12: 0x0000000002a76ba5 blender`_start + 37

Crash happens due to a null scene in screen->scene->view_layers.

> I think Attacker may Arbitrary Address Write through this .blend file. > > When User open malicious .blend file can lead to Remote code Execution. I am not sure what you mean by that. Did you create this file yourself to demonstrate a security vulnerability? Otherwise, where did you get the file? The file is either corrupt or is too old to load into Blender, as it reports `bmain->versionfile = 103`. ``` * thread #1, name = 'blender', stop reason = signal SIGSEGV: invalid address (fault address: 0x14f0) * frame #0: 0x00000000033638e0 blender`do_versions_after_linking_280(bmain=0x00007fffdb075e08, UNUSED_reports=0x00007fffffffe3a8) at versioning_280.c:1243:53 frame #1: 0x00000000033417ac blender`do_versions_after_linking(main=0x00007fffdb075e08, reports=0x00007fffffffe3a8) at readfile.c:3622:3 frame #2: 0x000000000333fe65 blender`blo_read_file_internal(fd=0x00007fffdace0f08, filepath="/home/omar/Desktop/carsh_1.blend") at readfile.c:3962:9 frame #3: 0x000000000333b1c1 blender`BLO_read_from_file(filepath="/home/omar/Desktop/carsh_1.blend", skip_flags=BLO_READ_SKIP_USERDEF, reports=0x00007fffffffe2f8) at readblenentry.c:364:11 frame #4: 0x0000000002b11855 blender`BKE_blendfile_read(filepath="/home/omar/Desktop/carsh_1.blend", params=0x00007fffffffe358, reports=0x00007fffffffe2f8) at blendfile.c:497:24 frame #5: 0x00000000032719ca blender`WM_file_read(C=0x00007ffff3f84388, filepath="/home/omar/Desktop/carsh_1.blend", reports=0x00007fffffffe3a8) at wm_files.c:924:33 frame #6: 0x0000000002a7ac31 blender`arg_handle_load_file(UNUSED_argc=1, argv=0x00007fffffffe9d0, data=0x00007ffff3f84388) at creator_args.c:1977:13 frame #7: 0x0000000010dcca21 blender`BLI_args_parse(ba=0x00007ffff401f008, pass=5, default_cb=(blender`arg_handle_load_file at creator_args.c:1956), default_data=0x00007ffff3f84388) at BLI_args.c:295:22 frame #8: 0x0000000002a7ab39 blender`main_args_setup_post(C=0x00007ffff3f84388, ba=0x00007ffff401f008) at creator_args.c:2272:3 frame #9: 0x0000000002a76f76 blender`main(argc=2, argv=0x00007fffffffe9c8) at creator.c:512:3 frame #10: 0x00007ffff7dba290 libc.so.6`__libc_start_call_main + 128 frame #11: 0x00007ffff7dba34a libc.so.6`__libc_start_main@@GLIBC_2.34 + 138 frame #12: 0x0000000002a76ba5 blender`_start + 37 ``` Crash happens due to a null scene in `screen->scene->view_layers`.

Hello, I made it myself to show security issue. Thanks

however, i think this is null pointer reference. not Arbitrary Address Write sorry

Hello, I made it myself to show security issue. Thanks however, i think this is null pointer reference. not Arbitrary Address Write sorry
Collaborator

Can you explain why would dereferencing a null pointer be considered a security issue?

Can you explain why would dereferencing a null pointer be considered a security issue?

Added subscriber: @PratikPB2123

Added subscriber: @PratikPB2123

Sure
Null pointer Reference is one of the vuln of OWASP.

The detail description of it is in this URL.

Attacker can abuse Null pointer Reference with other vuln.

https://owasp.org/www-community/vulnerabilities/Null_Dereference

Sure Null pointer Reference is one of the vuln of OWASP. The detail description of it is in this URL. Attacker can abuse Null pointer Reference with other vuln. https://owasp.org/www-community/vulnerabilities/Null_Dereference
Collaborator

@sangjun-park Since the fix is likely straightforward, maybe you should submit a patch directly to fix the issue. Refer to the following document that details the process: https://wiki.blender.org/wiki/Process/Contributing_Code.
If you find the process difficult, you can also just attach the raw patch along with your report.

@sangjun-park Since the fix is likely straightforward, maybe you should submit a patch directly to fix the issue. Refer to the following document that details the process: https://wiki.blender.org/wiki/Process/Contributing_Code. If you find the process difficult, you can also just attach the raw patch along with your report.

Changed status from 'Needs User Info' to: 'Confirmed'

Changed status from 'Needs User Info' to: 'Confirmed'

Confirming this bug report. As far as I understand fix is simple condition check.

Confirming this bug report. As far as I understand fix is simple `condition check`.

Added subscriber: @Shan-Huang

Added subscriber: @Shan-Huang

I added a null check to do_versions_after_linking_280 to simply no-op when screen->scene is null.

It fixed the null pointer, but crashed with a new assertion failure from versiong_280.c do_version_workspaces_after_lib_link(Main *bmain)

BLI_assert(BLI_listbase_is_empty(&bmain->workspaces));
blender.exe         :0x00007FF77908FA40  bli_windows_system_backtrace_stack_thread D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:219
blender.exe         :0x00007FF779090670  BLI_windows_system_backtrace_stack D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:306
blender.exe         :0x00007FF779090F40  BLI_system_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:372
blender.exe         :0x00007FF779099D10  _BLI_assert_print_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\BLI_assert.c:36
blender.exe         :0x00007FF76AB81D60  do_version_workspaces_after_lib_link D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:196
blender.exe         :0x00007FF76AB7CFC0  do_versions_after_linking_280 D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:1305
blender.exe         :0x00007FF76AAFC990  do_versions_after_linking D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3631
blender.exe         :0x00007FF76AADF990  blo_read_file_internal D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3974
blender.exe         :0x00007FF76ABCD870  BLO_read_from_file D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readblenentry.c:364
blender.exe         :0x00007FF7798F0E90  BKE_blendfile_read D:\yemount\blender-dev\blender\source\blender\blenkernel\intern\blendfile.c:497
blender.exe         :0x00007FF76A9ACD60  WM_file_read D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:939
blender.exe         :0x00007FF76A9BD500  wm_file_read_opwrap D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2535
blender.exe         :0x00007FF76A9BDD60  wm_open_mainfile__open D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2657
blender.exe         :0x00007FF76A9BE2C0  wm_open_mainfile_exec D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2692
blender.exe         :0x00007FF76AA0CA80  wm_handler_fileselect_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2680
blender.exe         :0x00007FF76AA0E170  wm_handler_fileselect_call D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2778
blender.exe         :0x00007FF76AA106D0  wm_handlers_do_intern D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3271
blender.exe         :0x00007FF76AA117C0  wm_handlers_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3325
blender.exe         :0x00007FF76A9FAE40  wm_event_do_handlers D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3916
blender.exe         :0x00007FF76A9A6210  WM_main D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm.c:643
blender.exe         :0x00007FF7672597A0  main D:\yemount\blender-dev\blender\source\creator\creator.c:579
blender.exe         :0x00007FF7798DCD90  invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:79
blender.exe         :0x00007FF7798DCBF0  __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
blender.exe         :0x00007FF7798DCBD0  __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:331
blender.exe         :0x00007FF7798DCE30  mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:17
KERNEL32.DLL        :0x00007FFEB9EA7020  BaseThreadInitThunk
ntdll.dll           :0x00007FFEBA582680  RtlUserThreadStart

Stepping through readfile.c a bit, I saw that one of the data blocks has id code ID_WS and thus a workspace block was created and added to the main database list, before the assert - which is trouble :/
(From my very limited Blender dev experience) I think this means the file is too old or corrupted?

I added a null check to `do_versions_after_linking_280` to simply no-op when `screen->scene` is null. It fixed the null pointer, but crashed with a new assertion failure from versiong_280.c `do_version_workspaces_after_lib_link(Main *bmain)` ``` BLI_assert(BLI_listbase_is_empty(&bmain->workspaces)); ``` ``` blender.exe :0x00007FF77908FA40 bli_windows_system_backtrace_stack_thread D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:219 blender.exe :0x00007FF779090670 BLI_windows_system_backtrace_stack D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:306 blender.exe :0x00007FF779090F40 BLI_system_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:372 blender.exe :0x00007FF779099D10 _BLI_assert_print_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\BLI_assert.c:36 blender.exe :0x00007FF76AB81D60 do_version_workspaces_after_lib_link D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:196 blender.exe :0x00007FF76AB7CFC0 do_versions_after_linking_280 D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:1305 blender.exe :0x00007FF76AAFC990 do_versions_after_linking D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3631 blender.exe :0x00007FF76AADF990 blo_read_file_internal D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3974 blender.exe :0x00007FF76ABCD870 BLO_read_from_file D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readblenentry.c:364 blender.exe :0x00007FF7798F0E90 BKE_blendfile_read D:\yemount\blender-dev\blender\source\blender\blenkernel\intern\blendfile.c:497 blender.exe :0x00007FF76A9ACD60 WM_file_read D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:939 blender.exe :0x00007FF76A9BD500 wm_file_read_opwrap D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2535 blender.exe :0x00007FF76A9BDD60 wm_open_mainfile__open D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2657 blender.exe :0x00007FF76A9BE2C0 wm_open_mainfile_exec D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2692 blender.exe :0x00007FF76AA0CA80 wm_handler_fileselect_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2680 blender.exe :0x00007FF76AA0E170 wm_handler_fileselect_call D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2778 blender.exe :0x00007FF76AA106D0 wm_handlers_do_intern D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3271 blender.exe :0x00007FF76AA117C0 wm_handlers_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3325 blender.exe :0x00007FF76A9FAE40 wm_event_do_handlers D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3916 blender.exe :0x00007FF76A9A6210 WM_main D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm.c:643 blender.exe :0x00007FF7672597A0 main D:\yemount\blender-dev\blender\source\creator\creator.c:579 blender.exe :0x00007FF7798DCD90 invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:79 blender.exe :0x00007FF7798DCBF0 __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 blender.exe :0x00007FF7798DCBD0 __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:331 blender.exe :0x00007FF7798DCE30 mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:17 KERNEL32.DLL :0x00007FFEB9EA7020 BaseThreadInitThunk ntdll.dll :0x00007FFEBA582680 RtlUserThreadStart ``` Stepping through `readfile.c` a bit, I saw that one of the data blocks has id code `ID_WS` and thus a workspace block was created and added to the main database list, before the assert - which is trouble :/ (From my very limited Blender dev experience) I think this means the file is too old or corrupted?

Added subscriber: @BlenderBruno

Added subscriber: @BlenderBruno
Philipp Oeser added the
Module
User Interface
label 2023-02-20 09:52:58 +07:00
Philipp Oeser removed the
Meta
Good First Issue
Module
User Interface
labels 2023-02-20 10:14:41 +07:00
Philipp Oeser added the
Module
Core
label 2023-02-20 10:45:16 +07:00
Bastien Montagne added
Type
Known Issue
and removed
Type
Report
labels 2023-02-22 18:12:18 +07:00
Blender Bot added
Status
Resolved
and removed
Status
Confirmed
labels 2023-03-01 11:51:05 +07:00
Sign in to join this conversation.
No Label
Interest
Alembic
Interest
Animation & Rigging
Interest
Asset Browser
Interest
Asset Browser Project Overview
Interest
Audio
Interest
Automated Testing
Interest
Blender Asset Bundle
Interest
BlendFile
Interest
Collada
Interest
Compositing
Interest
Core
Interest
Cycles
Interest
Dependency Graph
Interest
Development Management
Interest
Eevee & Viewport
Interest
Freestyle
Interest
Geometry Nodes
Interest
Grease Pencil
Interest
ID Management
Interest
Images & Movies
Interest/Import
Export
Interest
Line Art
Interest
Masking
Interest
Metal
Interest
Modeling
Interest
Modifiers
Interest
Motion Tracking
Interest
Nodes & Physics
Interest
OpenGL
Interest
Overrides
Interest
Performance
Interest
Physics
Interest
Pipeline, Assets & IO
Interest
Platforms, Builds & Tests
Interest
Python API
Interest
Render & Cycles
Interest
Render Pipeline
Interest
Sculpt, Paint & Texture
Interest
Text Editor
Interest
Translations
Interest
Triaging
Interest
Undo
Interest
USD
Interest
User Interface
Interest
UV Editing
Interest
VFX & Video
Interest
Video Sequencer
Interest
Virtual Reality
Interest
Vulkan
Interest: Wayland
Legacy
Blender 2.8 Project
Legacy
Milestone 1: Basic, Local Asset Browser
Legacy
OpenGL Error
Meta
Good First Issue
Meta
Papercut
Meta
Retrospective
Meta
Security
Module
Animation & Rigging
Module
Core
Module
Development Management
Module
Eevee & Viewport
Module
Grease Pencil
Module
Modeling
Module
Nodes & Physics
Module
Pipeline, Assets & IO
Module
Platforms, Builds & Tests
Module
Python API
Module
Render & Cycles
Module
Sculpt, Paint & Texture
Module
Triaging
Module
User Interface
Module
VFX & Video
Platform
FreeBSD
Platform
Linux
Platform
macOS
Platform
Windows
Priority
High
Priority
Low
Priority
Normal
Priority
Unbreak Now!
Status
Archived
Status
Confirmed
Status
Duplicate
Status
Needs Info from Developers
Status
Needs Information from User
Status
Needs Triage
Status
Resolved
Type
Bug
Type
Design
Type
Known Issue
Type
Patch
Type
Report
Type
To Do
No Milestone
No project
No Assignees
5 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: blender/blender#99836
There is no content yet.