Blender SEGV when open .blend file in blender #99836

New Issue

Sangjun Park · 2022-07-19T12:02:58+02:00

Sangjun Park commented

2022-07-19 12:02:58 +02:00

System Information
Operating system: Ubuntu 20.04.4 LTS
Graphics card: 2b:00.0 VGA compatible controller: NVIDIA Corporation TU116 [GeForce GTX 1650 SUPER] (rev a1)

Blender Version
Broken: Blender 3.3.0 Alpha branch : master, commit 533a5a6a8c Date: Mon Jul 18 20:37:11 2022 -0700

Worked: -

Short description of error
when opening .blend file crash occured in

blender/source/blender/blenloader/intern/readfile.c

that include blo_do_versions_280

Exact steps for others to reproduce the error
Open this .blend file below using "blender"

carsh_1.blend

Note
I think Attacker may Arbitrary Address Write through this .blend file.

When User open malicious .blend file can lead to Remote code Execution

Proof-of-Concept Video below
https://youtu.be/55W8bSQOXgE

**System Information** Operating system: Ubuntu 20.04.4 LTS Graphics card: 2b:00.0 VGA compatible controller: NVIDIA Corporation TU116 [GeForce GTX 1650 SUPER] (rev a1) **Blender Version** Broken: Blender 3.3.0 Alpha branch : master, commit 533a5a6a8c60686dd7d627cf7815915d7a6b467b Date: Mon Jul 18 20:37:11 2022 -0700 Worked: - **Short description of error** when opening .blend file crash occured in ``` blender/source/blender/blenloader/intern/readfile.c ``` that include blo_do_versions_280 **Exact steps for others to reproduce the error** Open this .blend file below using "blender" [carsh_1.blend](https://archive.blender.org/developer/F13300051/carsh_1.blend) **Note** I think Attacker may Arbitrary Address Write through this .blend file. When User open malicious .blend file can lead to Remote code Execution **Proof-of-Concept Video below** https://youtu.be/55W8bSQOXgE

Sangjun Park commented

2022-07-19 12:02:58 +02:00

Added subscriber: @sangjun-park

Omar Emara commented

2022-07-19 12:33:54 +02:00

Added subscriber: @OmarEmaraDev

Omar Emara commented

2022-07-19 12:33:54 +02:00

Changed status from 'Needs Triage' to: 'Needs User Info'

Omar Emara commented

2022-07-19 12:33:54 +02:00

I think Attacker may Arbitrary Address Write through this .blend file.

When User open malicious .blend file can lead to Remote code Execution.

I am not sure what you mean by that. Did you create this file yourself to demonstrate a security vulnerability? Otherwise, where did you get the file?

The file is either corrupt or is too old to load into Blender, as it reports bmain->versionfile = 103.

* thread #1, name = 'blender', stop reason = signal SIGSEGV: invalid address (fault address: 0x14f0)
  * frame #0: 0x00000000033638e0 blender`do_versions_after_linking_280(bmain=0x00007fffdb075e08, UNUSED_reports=0x00007fffffffe3a8) at versioning_280.c:1243:53
    frame #1: 0x00000000033417ac blender`do_versions_after_linking(main=0x00007fffdb075e08, reports=0x00007fffffffe3a8) at readfile.c:3622:3
    frame #2: 0x000000000333fe65 blender`blo_read_file_internal(fd=0x00007fffdace0f08, filepath="/home/omar/Desktop/carsh_1.blend") at readfile.c:3962:9
    frame #3: 0x000000000333b1c1 blender`BLO_read_from_file(filepath="/home/omar/Desktop/carsh_1.blend", skip_flags=BLO_READ_SKIP_USERDEF, reports=0x00007fffffffe2f8) at readblenentry.c:364:11
    frame #4: 0x0000000002b11855 blender`BKE_blendfile_read(filepath="/home/omar/Desktop/carsh_1.blend", params=0x00007fffffffe358, reports=0x00007fffffffe2f8) at blendfile.c:497:24
    frame #5: 0x00000000032719ca blender`WM_file_read(C=0x00007ffff3f84388, filepath="/home/omar/Desktop/carsh_1.blend", reports=0x00007fffffffe3a8) at wm_files.c:924:33
    frame #6: 0x0000000002a7ac31 blender`arg_handle_load_file(UNUSED_argc=1, argv=0x00007fffffffe9d0, data=0x00007ffff3f84388) at creator_args.c:1977:13
    frame #7: 0x0000000010dcca21 blender`BLI_args_parse(ba=0x00007ffff401f008, pass=5, default_cb=(blender`arg_handle_load_file at creator_args.c:1956), default_data=0x00007ffff3f84388) at BLI_args.c:295:22
    frame #8: 0x0000000002a7ab39 blender`main_args_setup_post(C=0x00007ffff3f84388, ba=0x00007ffff401f008) at creator_args.c:2272:3
    frame #9: 0x0000000002a76f76 blender`main(argc=2, argv=0x00007fffffffe9c8) at creator.c:512:3
    frame #10: 0x00007ffff7dba290 libc.so.6`__libc_start_call_main + 128
    frame #11: 0x00007ffff7dba34a libc.so.6`__libc_start_main@@GLIBC_2.34 + 138
    frame #12: 0x0000000002a76ba5 blender`_start + 37

Crash happens due to a null scene in screen->scene->view_layers.

> I think Attacker may Arbitrary Address Write through this .blend file. > > When User open malicious .blend file can lead to Remote code Execution. I am not sure what you mean by that. Did you create this file yourself to demonstrate a security vulnerability? Otherwise, where did you get the file? The file is either corrupt or is too old to load into Blender, as it reports `bmain->versionfile = 103`. ``` * thread #1, name = 'blender', stop reason = signal SIGSEGV: invalid address (fault address: 0x14f0) * frame #0: 0x00000000033638e0 blender`do_versions_after_linking_280(bmain=0x00007fffdb075e08, UNUSED_reports=0x00007fffffffe3a8) at versioning_280.c:1243:53 frame #1: 0x00000000033417ac blender`do_versions_after_linking(main=0x00007fffdb075e08, reports=0x00007fffffffe3a8) at readfile.c:3622:3 frame #2: 0x000000000333fe65 blender`blo_read_file_internal(fd=0x00007fffdace0f08, filepath="/home/omar/Desktop/carsh_1.blend") at readfile.c:3962:9 frame #3: 0x000000000333b1c1 blender`BLO_read_from_file(filepath="/home/omar/Desktop/carsh_1.blend", skip_flags=BLO_READ_SKIP_USERDEF, reports=0x00007fffffffe2f8) at readblenentry.c:364:11 frame #4: 0x0000000002b11855 blender`BKE_blendfile_read(filepath="/home/omar/Desktop/carsh_1.blend", params=0x00007fffffffe358, reports=0x00007fffffffe2f8) at blendfile.c:497:24 frame #5: 0x00000000032719ca blender`WM_file_read(C=0x00007ffff3f84388, filepath="/home/omar/Desktop/carsh_1.blend", reports=0x00007fffffffe3a8) at wm_files.c:924:33 frame #6: 0x0000000002a7ac31 blender`arg_handle_load_file(UNUSED_argc=1, argv=0x00007fffffffe9d0, data=0x00007ffff3f84388) at creator_args.c:1977:13 frame #7: 0x0000000010dcca21 blender`BLI_args_parse(ba=0x00007ffff401f008, pass=5, default_cb=(blender`arg_handle_load_file at creator_args.c:1956), default_data=0x00007ffff3f84388) at BLI_args.c:295:22 frame #8: 0x0000000002a7ab39 blender`main_args_setup_post(C=0x00007ffff3f84388, ba=0x00007ffff401f008) at creator_args.c:2272:3 frame #9: 0x0000000002a76f76 blender`main(argc=2, argv=0x00007fffffffe9c8) at creator.c:512:3 frame #10: 0x00007ffff7dba290 libc.so.6`__libc_start_call_main + 128 frame #11: 0x00007ffff7dba34a libc.so.6`__libc_start_main@@GLIBC_2.34 + 138 frame #12: 0x0000000002a76ba5 blender`_start + 37 ``` Crash happens due to a null scene in `screen->scene->view_layers`.

Sangjun Park commented

2022-07-19 13:07:47 +02:00

Hello, I made it myself to show security issue. Thanks

however, i think this is null pointer reference. not Arbitrary Address Write sorry

Hello, I made it myself to show security issue. Thanks however, i think this is null pointer reference. not Arbitrary Address Write sorry

Omar Emara commented

2022-07-19 13:52:00 +02:00

Can you explain why would dereferencing a null pointer be considered a security issue?

Pratik Borhade commented

2022-07-19 14:12:41 +02:00

Added subscriber: @PratikPB2123

Sangjun Park commented

2022-07-19 15:59:35 +02:00

Sure
Null pointer Reference is one of the vuln of OWASP.

The detail description of it is in this URL.

Attacker can abuse Null pointer Reference with other vuln.

https://owasp.org/www-community/vulnerabilities/Null_Dereference

Sure Null pointer Reference is one of the vuln of OWASP. The detail description of it is in this URL. Attacker can abuse Null pointer Reference with other vuln. https://owasp.org/www-community/vulnerabilities/Null_Dereference

Omar Emara commented

2022-07-20 16:05:09 +02:00

@sangjun-park Since the fix is likely straightforward, maybe you should submit a patch directly to fix the issue. Refer to the following document that details the process: https://wiki.blender.org/wiki/Process/Contributing_Code.
If you find the process difficult, you can also just attach the raw patch along with your report.

@sangjun-park Since the fix is likely straightforward, maybe you should submit a patch directly to fix the issue. Refer to the following document that details the process: https://wiki.blender.org/wiki/Process/Contributing_Code. If you find the process difficult, you can also just attach the raw patch along with your report.

Pratik Borhade commented

2022-09-17 11:50:13 +02:00

Changed status from 'Needs User Info' to: 'Confirmed'

Pratik Borhade commented

2022-09-17 11:50:13 +02:00

Confirming this bug report. As far as I understand fix is simple condition check.

Confirming this bug report. As far as I understand fix is simple `condition check`.

Shan Huang commented

2022-09-26 08:15:53 +02:00

Added subscriber: @Shan-Huang

Shan Huang commented

2022-09-26 08:15:53 +02:00

I added a null check to do_versions_after_linking_280 to simply no-op when screen->scene is null.

It fixed the null pointer, but crashed with a new assertion failure from versiong_280.c do_version_workspaces_after_lib_link(Main *bmain)

BLI_assert(BLI_listbase_is_empty(&bmain->workspaces));

blender.exe         :0x00007FF77908FA40  bli_windows_system_backtrace_stack_thread D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:219
blender.exe         :0x00007FF779090670  BLI_windows_system_backtrace_stack D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:306
blender.exe         :0x00007FF779090F40  BLI_system_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:372
blender.exe         :0x00007FF779099D10  _BLI_assert_print_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\BLI_assert.c:36
blender.exe         :0x00007FF76AB81D60  do_version_workspaces_after_lib_link D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:196
blender.exe         :0x00007FF76AB7CFC0  do_versions_after_linking_280 D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:1305
blender.exe         :0x00007FF76AAFC990  do_versions_after_linking D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3631
blender.exe         :0x00007FF76AADF990  blo_read_file_internal D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3974
blender.exe         :0x00007FF76ABCD870  BLO_read_from_file D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readblenentry.c:364
blender.exe         :0x00007FF7798F0E90  BKE_blendfile_read D:\yemount\blender-dev\blender\source\blender\blenkernel\intern\blendfile.c:497
blender.exe         :0x00007FF76A9ACD60  WM_file_read D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:939
blender.exe         :0x00007FF76A9BD500  wm_file_read_opwrap D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2535
blender.exe         :0x00007FF76A9BDD60  wm_open_mainfile__open D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2657
blender.exe         :0x00007FF76A9BE2C0  wm_open_mainfile_exec D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2692
blender.exe         :0x00007FF76AA0CA80  wm_handler_fileselect_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2680
blender.exe         :0x00007FF76AA0E170  wm_handler_fileselect_call D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2778
blender.exe         :0x00007FF76AA106D0  wm_handlers_do_intern D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3271
blender.exe         :0x00007FF76AA117C0  wm_handlers_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3325
blender.exe         :0x00007FF76A9FAE40  wm_event_do_handlers D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3916
blender.exe         :0x00007FF76A9A6210  WM_main D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm.c:643
blender.exe         :0x00007FF7672597A0  main D:\yemount\blender-dev\blender\source\creator\creator.c:579
blender.exe         :0x00007FF7798DCD90  invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:79
blender.exe         :0x00007FF7798DCBF0  __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
blender.exe         :0x00007FF7798DCBD0  __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:331
blender.exe         :0x00007FF7798DCE30  mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:17
KERNEL32.DLL        :0x00007FFEB9EA7020  BaseThreadInitThunk
ntdll.dll           :0x00007FFEBA582680  RtlUserThreadStart

Stepping through readfile.c a bit, I saw that one of the data blocks has id code ID_WS and thus a workspace block was created and added to the main database list, before the assert - which is trouble :/
(From my very limited Blender dev experience) I think this means the file is too old or corrupted?

I added a null check to `do_versions_after_linking_280` to simply no-op when `screen->scene` is null. It fixed the null pointer, but crashed with a new assertion failure from versiong_280.c `do_version_workspaces_after_lib_link(Main *bmain)` ``` BLI_assert(BLI_listbase_is_empty(&bmain->workspaces)); ``` ``` blender.exe :0x00007FF77908FA40 bli_windows_system_backtrace_stack_thread D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:219 blender.exe :0x00007FF779090670 BLI_windows_system_backtrace_stack D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:306 blender.exe :0x00007FF779090F40 BLI_system_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\system_win32.c:372 blender.exe :0x00007FF779099D10 _BLI_assert_print_backtrace D:\yemount\blender-dev\blender\source\blender\blenlib\intern\BLI_assert.c:36 blender.exe :0x00007FF76AB81D60 do_version_workspaces_after_lib_link D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:196 blender.exe :0x00007FF76AB7CFC0 do_versions_after_linking_280 D:\yemount\blender-dev\blender\source\blender\blenloader\intern\versioning_280.c:1305 blender.exe :0x00007FF76AAFC990 do_versions_after_linking D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3631 blender.exe :0x00007FF76AADF990 blo_read_file_internal D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readfile.c:3974 blender.exe :0x00007FF76ABCD870 BLO_read_from_file D:\yemount\blender-dev\blender\source\blender\blenloader\intern\readblenentry.c:364 blender.exe :0x00007FF7798F0E90 BKE_blendfile_read D:\yemount\blender-dev\blender\source\blender\blenkernel\intern\blendfile.c:497 blender.exe :0x00007FF76A9ACD60 WM_file_read D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:939 blender.exe :0x00007FF76A9BD500 wm_file_read_opwrap D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2535 blender.exe :0x00007FF76A9BDD60 wm_open_mainfile__open D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2657 blender.exe :0x00007FF76A9BE2C0 wm_open_mainfile_exec D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_files.c:2692 blender.exe :0x00007FF76AA0CA80 wm_handler_fileselect_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2680 blender.exe :0x00007FF76AA0E170 wm_handler_fileselect_call D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:2778 blender.exe :0x00007FF76AA106D0 wm_handlers_do_intern D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3271 blender.exe :0x00007FF76AA117C0 wm_handlers_do D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3325 blender.exe :0x00007FF76A9FAE40 wm_event_do_handlers D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm_event_system.cc:3916 blender.exe :0x00007FF76A9A6210 WM_main D:\yemount\blender-dev\blender\source\blender\windowmanager\intern\wm.c:643 blender.exe :0x00007FF7672597A0 main D:\yemount\blender-dev\blender\source\creator\creator.c:579 blender.exe :0x00007FF7798DCD90 invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:79 blender.exe :0x00007FF7798DCBF0 __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 blender.exe :0x00007FF7798DCBD0 __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:331 blender.exe :0x00007FF7798DCE30 mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:17 KERNEL32.DLL :0x00007FFEB9EA7020 BaseThreadInitThunk ntdll.dll :0x00007FFEBA582680 RtlUserThreadStart ``` Stepping through `readfile.c` a bit, I saw that one of the data blocks has id code `ID_WS` and thus a workspace block was created and added to the main database list, before the assert - which is trouble :/ (From my very limited Blender dev experience) I think this means the file is too old or corrupted?

Bruno commented

2022-12-24 14:09:45 +01:00

Added subscriber: @BlenderBruno

Philipp Oeser added the

Module

User Interface

label 2023-02-20 09:52:58 +01:00

Philipp Oeser removed the