
Potentially exploitable access violation originating from PhysX3_x86.dll
Closed, Resolved (Public)

Description

While playing multiplayer on the IC Invade server, I got a game crash. It appears from the Visual Studio debugger and the RPT file that the crash originated from the PhysX dll file with an access violation. Visual Studio 2010 JIT debugger reports the following call stack at the crash:

PhysX3_x86.dll!physx::ProjectionPlaneProperty::ProjectionPlaneProperty() + 0x9e68c bytes
[Frames below may be incorrect and/or missing, no symbols loaded for PhysX3_x86.dll]
PhysX3_x86.dll!physx::ProjectionPlaneProperty::ProjectionPlaneProperty() + 0x9e9ce bytes
PhysX3Common_x86.dll!physx::shdfnd::Sync::wait() + 0x3d bytes
kernel32.dll!BaseThreadInitThunk() + 0x12 bytes
ntdll.dll!RtlInitializeExceptionChain() + 0x63 bytes
ntdll.dll!RtlInitializeExceptionChain() + 0x36 bytes

I am reporting this as private because of the possibility that the bug is exploitable.

Dump files:
http://www.mediafire.com/?3a2icp5sqp6ci9s

Attachment: F20538

Details

Legacy ID: 4207478362
Severity: None
Resolution: Suspended
Reproducibility: Have Not Tried
Category: Game Crash
Steps To Reproduce

I have not attempted to reproduce the issue.

Additional Information

Obligatory note: the access violation appears to have come from a call to a PhysX function. Access violations tend to be a big sign of the possibility to attempt to write to other RAM addresses. Normally this is prevented by modern technologies such as ASLR and DEP, but there are ways around those protections. Due to Visual Studio indicating it's from ProjectionPlaneProperty, it looks like it could possibly be exploited by a malformed input file. I would have to do more research to confirm my suspicions of being exploitable, but I figured I'd file the bug report now so that it can be fixed more quickly.

This is a duplicate of issue 10790; I only saw that after posting this. I am not going to post the same level of info there that I did here because of the security aspects involved.
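The report above leans on ASLR and DEP as the reason an access violation in PhysX3_x86.dll should be hard to exploit. The first thing a triager checks is whether the crashing module actually opts into those mitigations, because on Windows ASLR is recorded per module in the PE optional header's DllCharacteristics field (/DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA, /GUARD:CF all land there). The script below is an added example, not part of the original ticket and not Bohemia's or NVIDIA's tooling; it parses that field from a PE32 or PE32+ image. The page says nothing about how the real PhysX3_x86.dll was linked, so the two sample images are constructed in memory with assumed flag values; to check the real module, pass its bytes to `parse_mitigations`. Function and constant names are the example's own.

```python
"""Report which exploit mitigations a Windows PE module opts into.

Added example (not from the original ticket). Reads the optional header's
DllCharacteristics field, where the /DYNAMICBASE (ASLR), /NXCOMPAT (DEP),
/HIGHENTROPYVA and /GUARD:CF link flags are recorded. A DLL without
DYNAMIC_BASE is mapped at its preferred ImageBase, which hands an attacker
a stable address to aim at after a crash like the one reported.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h
DLL_FLAGS = {
    "high_entropy_va": 0x0020,   # 64-bit ASLR over the full address range
    "dynamic_base":    0x0040,   # ASLR (/DYNAMICBASE)
    "force_integrity": 0x0080,   # signature must verify at load
    "nx_compat":       0x0100,   # DEP compatible (/NXCOMPAT)
    "no_seh":          0x0400,   # image contains no structured exception handlers
    "guard_cf":        0x4000,   # Control Flow Guard (/GUARD:CF)
}
IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit


def parse_mitigations(image: bytes) -> dict:
    """Return the per-module mitigation flags of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _psym, _nsym, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", image, coff)       # 20-byte COFF header
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics sits at offset 70 of the optional header in both the
    # PE32 (0x10B) and PE32+ (0x20B) layouts; the 8-byte ImageBase of PE32+
    # replaces PE32's BaseOfData + 4-byte ImageBase, so later offsets agree.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    result = {name: bool(dll_chars & bit) for name, bit in DLL_FLAGS.items()}
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    result["machine"] = machine
    result["pe32plus"] = magic == 0x20B
    return result


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False,
                     is_dll: bool = True) -> bytes:
    """Construct a header-only PE image (constructed test data, not a real
    module) carrying the given DllCharacteristics. It is enough for
    parse_mitigations to work on and is not loadable."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    machine = 0x8664 if pe32plus else 0x14C            # AMD64 / i386
    opt_size = 240 if pe32plus else 224
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def summarize(image: bytes) -> str:
    """One-line triage summary of the flags that matter for a crash report."""
    m = parse_mitigations(image)
    return "ASLR={dynamic_base} DEP={nx_compat} CFG={guard_cf}".format(**m)


if __name__ == "__main__":
    # Constructed samples with assumed flags: a module linked with no opt-in
    # mitigations, and one linked with /DYNAMICBASE /NXCOMPAT.
    legacy = build_minimal_pe(0)
    hardened = build_minimal_pe(DLL_FLAGS["dynamic_base"] | DLL_FLAGS["nx_compat"])
    print("legacy  :", summarize(legacy))
    print("hardened:", summarize(hardened))
    # Real module: summarize(open("PhysX3_x86.dll", "rb").read())
```

Reading the result: DEP is a process-wide policy decided mainly by the executable's own flag and the system setting, so a DLL's NX_COMPAT bit is informational; ASLR, by contrast, is per module, and one un-flagged DLL in the process is a fixed base that makes an "access violation" far more interesting than the ticket's mitigations would suggest. SafeSEH status lives in the Load Config directory and is not covered by this check.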

Event Timeline

th3flyboy edited Additional Information.
th3flyboy set Category to Game Crash.
th3flyboy set Reproducibility to Have Not Tried.
th3flyboy set Severity to None.
th3flyboy set Resolution to Suspended.
th3flyboy set Legacy ID to 4207478362. (May 7 2016, 3:09 PM)
Fank added a subscriber: Fank. (May 7 2016, 3:09 PM)
Fank added a comment. (May 13 2014, 6:17 PM)

Issue closed as obsolete. If you encounter this problem again, please create another ticket. Thank you.