|ALPHA| Mad Professor wrote:
> So it seems that the "buffer exploit" that's running around UrT servers is related to the QVM, at least from what I can tell that's where it segfaults for the x86 QVM (using the interpreted QVM I get "VM program counter out of range in OP_LEAVE" instead, still a crash). This brings up the following question: Is the QVM designed to be safe or not? It seems that a bug in the game code running on the VM will happily crash a server.

I doubt security was a primary concern for id. I'm sure the design does make it possible to protect against buggy QVMs to a certain degree nevertheless. The actual implementation has some deficiencies though. Whether you consider QVMs 'safe' depends on the definition of 'safe' though. Yours seems to be that a buggy QVM must not 'crash' the server. That's not possible, as in general the only sane action the engine can do when it detects illegal QVM activity is to terminate the VM. The engine ideally shouldn't do that by segfaulting (e.g. due to hitting a no-execute page) though :-)

> If the QVM is "by design" unsafe then the only good fix for this will have to come from FrozenSand or whatever they are called these days. On the other hand, if the QVM is supposed to be safe, then I guess it's a VM bug. Advice?

I can only guess due to lack of information. I think there are two bugs. The hack mentioned in another post indicates that a buffer overflow in the game code is the core reason for the crash. That bug can only be fixed by the vendor of that code. The segfault in the x86 VM is likely a bug too though. The x86 VM should exit in a similar way as the interpreter. The x86_64 has more checks, would be interesting to see how that one behaves. So I'd appreciate more information about how to trigger the crash.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
       SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
ioquake3 mailing list
http://lists.ioquake.org/listinfo.cgi/ioquake3-ioquake.org
By sending this message I agree to love ioquake3 and libsdl.
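The point Ludwig makes above, that the engine's only sane response to illegal VM activity is to terminate the VM cleanly rather than segfault, is easiest to see with a concrete interpreter. The following is an added example written for this discussion, a hypothetical mini stack VM and not ioquake3's QVM or any of its real opcodes or functions. It keeps the VM's call stack inside the VM's own data segment, so a buggy guest program can overwrite a saved return address the same way an in-game buffer overflow would; every data access is masked into the data segment and every control transfer is range-checked, so the corrupted return address surfaces as a `VM_ERR_PC_OUT_OF_RANGE` status from `OP_LEAVE` instead of a host crash. The opcode names, status codes, and the two guest programs are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mini VM (constructed for this example, not ioquake3's QVM).
 * Guest code and guest data are separate arrays; the guest call stack lives
 * at the top of the data segment, growing downward. */
enum { OP_HALT, OP_PUSH, OP_STORE, OP_LOAD, OP_CALL, OP_LEAVE };

enum vm_status {
    VM_OK = 0,
    VM_ERR_PC_OUT_OF_RANGE, /* OP_CALL/OP_LEAVE target outside the code segment */
    VM_ERR_STACK,           /* operand or call stack under/overflow */
    VM_ERR_BAD_OPCODE,
    VM_ERR_STEP_LIMIT       /* guest ran too long; VM is terminated, host survives */
};

#define DATA_WORDS 64               /* power of two so addresses can be masked */
#define DATA_MASK  (DATA_WORDS - 1)
#define OPSTACK    16

struct vm {
    const int32_t *code; size_t code_len;
    int32_t data[DATA_WORDS];       /* guest memory, including the guest call stack */
    int32_t opstack[OPSTACK]; int sp;
    int32_t sp_data;                /* index of the saved-return-address slot in data[] */
    size_t pc;
};

static int push(struct vm *vm, int32_t v) { if (vm->sp >= OPSTACK) return -1; vm->opstack[vm->sp++] = v; return 0; }
static int pop(struct vm *vm, int32_t *v) { if (vm->sp <= 0) return -1; *v = vm->opstack[--vm->sp]; return 0; }

/* Fetch one code word, refusing to read past the end of the code segment. */
static int fetch(struct vm *vm, int32_t *w) {
    if (vm->pc >= vm->code_len) return -1;
    *w = vm->code[vm->pc++];
    return 0;
}

enum vm_status vm_run(struct vm *vm, size_t max_steps) {
    int32_t op, a, b;
    vm->pc = 0; vm->sp = 0; vm->sp_data = DATA_WORDS;
    for (size_t steps = 0; steps < max_steps; steps++) {
        if (fetch(vm, &op)) return VM_ERR_PC_OUT_OF_RANGE;
        switch (op) {
        case OP_HALT: return VM_OK;
        case OP_PUSH:
            if (fetch(vm, &a)) return VM_ERR_PC_OUT_OF_RANGE;
            if (push(vm, a)) return VM_ERR_STACK;
            break;
        case OP_STORE: /* pop addr, pop value; the mask confines the write to guest data */
            if (pop(vm, &a) || pop(vm, &b)) return VM_ERR_STACK;
            vm->data[(uint32_t)a & DATA_MASK] = b;
            break;
        case OP_LOAD:
            if (pop(vm, &a)) return VM_ERR_STACK;
            if (push(vm, vm->data[(uint32_t)a & DATA_MASK])) return VM_ERR_STACK;
            break;
        case OP_CALL: /* operand is the target; save the return pc on the guest stack */
            if (fetch(vm, &a)) return VM_ERR_PC_OUT_OF_RANGE;
            if (a < 0 || (size_t)a >= vm->code_len) return VM_ERR_PC_OUT_OF_RANGE;
            if (vm->sp_data <= 0) return VM_ERR_STACK;
            vm->data[--vm->sp_data] = (int32_t)vm->pc;
            vm->pc = (size_t)a;
            break;
        case OP_LEAVE: /* pop the saved pc; this range check is what turns a
                          guest-corrupted return address into a clean VM error */
            if (vm->sp_data >= DATA_WORDS) return VM_ERR_STACK;
            a = vm->data[vm->sp_data++];
            if (a < 0 || (size_t)a >= vm->code_len) return VM_ERR_PC_OUT_OF_RANGE;
            vm->pc = (size_t)a;
            break;
        default: return VM_ERR_BAD_OPCODE;
        }
    }
    return VM_ERR_STEP_LIMIT;
}

/* Constructed guest program: call a subroutine that stores 7 at data[0] and returns. */
enum vm_status demo_well_behaved(int32_t *data0) {
    static const int32_t code[] = { OP_CALL, 3, OP_HALT,
                                    OP_PUSH, 7, OP_PUSH, 0, OP_STORE, OP_LEAVE };
    struct vm vm; memset(&vm, 0, sizeof vm);
    vm.code = code; vm.code_len = sizeof code / sizeof code[0];
    enum vm_status st = vm_run(&vm, 1000);
    *data0 = vm.data[0];
    return st;
}

/* Constructed guest program with a write-past-buffer bug: it stores 9999 into
 * data[63], the slot holding its own saved return address, then executes OP_LEAVE. */
enum vm_status demo_corrupted_return(void) {
    static const int32_t code[] = { OP_CALL, 3, OP_HALT,
                                    OP_PUSH, 9999, OP_PUSH, DATA_WORDS - 1, OP_STORE, OP_LEAVE };
    struct vm vm; memset(&vm, 0, sizeof vm);
    vm.code = code; vm.code_len = sizeof code / sizeof code[0];
    return vm_run(&vm, 1000);
}

int main(void) {
    int32_t v;
    printf("well-behaved: status %d, data[0]=%d\n", demo_well_behaved(&v), v);
    printf("corrupted return: status %d (1 = VM_ERR_PC_OUT_OF_RANGE)\n", demo_corrupted_return());
    return 0;
}
```

The two guest programs are identical except for the store address, which is the shape of the bug the thread describes: game code that writes past a buffer in its own memory. The masked store means the host process is never touched, and the check in `OP_LEAVE` means the result is a status the engine can act on by unloading the VM, which is the behaviour the interpreted QVM shows in the quoted error and the x86 JIT apparently does not.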
