Fix use-after-free when creating custom user messages

peace-maker · dvander · commit 15450a6d0c52 · 2020-06-23T10:32:55.000-07:00
When creating our own "owned and local" protobuf message in `StartProtobufMessage`, `m_FakeEngineBuffer` is used to track that message. In `EndMessage` the message is optionally converted to a "private" one with the right abi on osx and passed to the engine's `SendUserMessage`. On linux and windows the same message as in the `m_FakeEngineBuffer` is passed though without conversion. `engine->SendUserMessage` has a vtable hook which sets `m_FakeEngineBuffer` to the passed argument. `m_FakeEngineBuffer` frees the message it previously held, since it's "owned" from `StartProtobufMessage`, but that's the same one that's passed in as argument so a use-after-free in the engine happens when the now-freed message pointer is forwarded to the real `SendUserMessage` in the engine. The message created in `StartProtobufMessage` wasn't free'd at all when hooks are blocked too. This fix moves the message buffer into a local variable which is destroyed at the end of the function. Fixes alliedmodders#1286 and alliedmodders#1296
diff --git a/core/UserMessages.cpp b/core/UserMessages.cpp
@@ -312,12 +312,12 @@ bool UserMessages::EndMessage()
 	}
 
 #if SOURCE_ENGINE == SE_CSGO || SOURCE_ENGINE == SE_BLADE
+	PbHandle localBuffer = std::move(m_FakeEngineBuffer);
 	if (m_CurFlags & USERMSG_BLOCKHOOKS)
 	{
-		PbHandle priv = m_FakeEngineBuffer.ToPrivate(m_CurId);
+		PbHandle priv = localBuffer.ToPrivate(m_CurId);
 		ENGINE_CALL(SendUserMessage)(static_cast<IRecipientFilter &>(m_CellRecFilter), m_CurId,
 		                             *priv.GetPrivateMessage());
-		m_FakeEngineBuffer = nullptr;
 	} else {
 		OnMessageEnd_Pre();
 
@@ -327,10 +327,9 @@ bool UserMessages::EndMessage()
 		case MRES_HANDLED:
 		case MRES_OVERRIDE:
 		{
-			PbHandle priv = m_FakeEngineBuffer.ToPrivate(m_CurId);
+			PbHandle priv = localBuffer.ToPrivate(m_CurId);
 			engine->SendUserMessage(static_cast<IRecipientFilter &>(m_CellRecFilter), m_CurId,
 			                        *priv.GetPrivateMessage());
-			m_FakeEngineBuffer = nullptr;
 			break;
 		}
 		//case MRES_SUPERCEDE:
diff --git a/core/pb_handle.h b/core/pb_handle.h
@@ -105,7 +105,8 @@ class PbHandle
 	}
 
 	PbHandle& operator =(PbHandle&& other) {
-		maybe_free();
+		if (other.msg_ != msg_)
+			maybe_free();
 		msg_ = other.msg_;
 		ownership_ = other.ownership_;
 		locality_ = other.locality_;

Original file line number	Diff line number	Diff line change
`@@ -312,12 +312,12 @@ bool UserMessages::EndMessage()`
`312`	`312`	`}`
`313`	`313`
`314`	`314`	`#if SOURCE_ENGINE == SE_CSGO \|\| SOURCE_ENGINE == SE_BLADE`
	`315`	`+ PbHandle localBuffer = std::move(m_FakeEngineBuffer);`
`315`	`316`	`if (m_CurFlags & USERMSG_BLOCKHOOKS)`
`316`	`317`	`{`
`317`		`- PbHandle priv = m_FakeEngineBuffer.ToPrivate(m_CurId);`
	`318`	`+ PbHandle priv = localBuffer.ToPrivate(m_CurId);`
`318`	`319`	`ENGINE_CALL(SendUserMessage)(static_cast<IRecipientFilter &>(m_CellRecFilter), m_CurId,`
`319`	`320`	`*priv.GetPrivateMessage());`
`320`		`- m_FakeEngineBuffer = nullptr;`
`321`	`321`	`} else {`
`322`	`322`	`OnMessageEnd_Pre();`
`323`	`323`
`@@ -327,10 +327,9 @@ bool UserMessages::EndMessage()`
`327`	`327`	`case MRES_HANDLED:`
`328`	`328`	`case MRES_OVERRIDE:`
`329`	`329`	`{`
`330`		`- PbHandle priv = m_FakeEngineBuffer.ToPrivate(m_CurId);`
	`330`	`+ PbHandle priv = localBuffer.ToPrivate(m_CurId);`
`331`	`331`	`engine->SendUserMessage(static_cast<IRecipientFilter &>(m_CellRecFilter), m_CurId,`
`332`	`332`	`*priv.GetPrivateMessage());`
`333`		`- m_FakeEngineBuffer = nullptr;`
`334`	`333`	`break;`
`335`	`334`	`}`
`336`	`335`	`//case MRES_SUPERCEDE:`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,8 @@ class PbHandle`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`PbHandle& operator =(PbHandle&& other) {`
`108`		`- maybe_free();`
	`108`	`+ if (other.msg_ != msg_)`
	`109`	`+ maybe_free();`
`109`	`110`	`msg_ = other.msg_;`
`110`	`111`	`ownership_ = other.ownership_;`
`111`	`112`	`locality_ = other.locality_;`