OOB Access due to Index Confusion in SquirrelLang [CVE-2021-41556]
There is an out-of-bounds access that occurs by causing Squirrel to look up a method in the array of class fields.
When a class field or method is accessed, a lookup is performed on the member's name to determine its index within one of two internal arrays (one for fields, one for methods). The most-significant byte of this index is a bit-field that indicates which array the index belongs to: 0x02000000 for fields, 0x01000000 for methods.
The problem is that the number of members a class can hold is not limited, so a method index can grow into the field bit and fool the _isfield() macro that tests it. An attacker can craft a class with at least 0x02000000 methods but only one field. For a method numbered 0x020000XX the _isfield() check passes, and once the tag byte is masked out the remaining index 0x000000XX is looked up in the field array, reading out of bounds.
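The index encoding described above, as an added example written for this page (it is not Squirrel's own code): it models the two tag bits, shows that a method numbered 0x02000000 or higher decodes as a field index with the _isfield() test passing, and includes a bounded insert of the kind a fix needs. Everything except the _isfield name and the two tag values is this example's assumption: the other macro names, the MEMBER_MAX_COUNT limit, the toy_class struct and the lookup/insert functions are modelled on the description, not copied from any Squirrel version.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Member-index encoding as the advisory describes it: the high byte tags
 * which array the low 24 bits index. The tag values are from the advisory;
 * the macro names (other than isfield) and MEMBER_MAX_COUNT are assumptions
 * made for this example. */
#define MEMBER_TYPE_METHOD 0x01000000
#define MEMBER_TYPE_FIELD  0x02000000
#define MEMBER_IDX_MASK    0x00FFFFFF
#define MEMBER_MAX_COUNT   0x00FFFFFF  /* one past the largest 24-bit index */

#define make_method_idx(i) ((int64_t)(MEMBER_TYPE_METHOD | (int64_t)(i)))
#define make_field_idx(i)  ((int64_t)(MEMBER_TYPE_FIELD  | (int64_t)(i)))
#define isfield(o)         (((o) & MEMBER_TYPE_FIELD) != 0)
#define member_idx(o)      ((o) & MEMBER_IDX_MASK)

/* Toy stand-in for a class (assumed layout): only the array sizes matter. */
typedef struct {
    size_t nfields;   /* entries in the default-value (field) array */
    size_t nmethods;  /* entries in the method array */
} toy_class;

/* Index the VM would hand out for method number n. Once n reaches
 * 0x02000000 the method tag and the field tag are both set. */
int64_t method_index_for(size_t n) { return make_method_idx(n); }

/* Mirrors the vulnerable dispatch: the tag bit alone picks the array and
 * the masked index is then trusted. Returns 0 when the access stays in
 * bounds and -1 when a real VM would read past the array; the array chosen
 * and the slot used are reported through the out-params. */
int vulnerable_lookup(const toy_class *c, int64_t enc, bool *in_fields, size_t *slot)
{
    *in_fields = isfield(enc);
    *slot = (size_t)member_idx(enc);
    size_t len = *in_fields ? c->nfields : c->nmethods;
    return *slot < len ? 0 : -1;
}

/* Bounded insert: refuse a new member once the target array would no longer
 * fit in 24 bits, so an index can never reach the tag byte. Returns 0 on
 * success, -1 when the limit is hit. */
int newslot_fixed(toy_class *c, bool is_method)
{
    size_t *count = is_method ? &c->nmethods : &c->nfields;
    if (*count >= MEMBER_MAX_COUNT)
        return -1;
    (*count)++;
    return 0;
}

/* Reproduces the advisory scenario: one field, more than 0x02000000 methods,
 * then a lookup of method 0x02000005. Returns 1 if the confusion is
 * observed (tagged as a field, slot 5 on a 1-entry field array, i.e. OOB). */
int demo_confusion(void)
{
    toy_class cls = { .nfields = 1, .nmethods = 0x02000010 };
    int64_t enc = method_index_for(0x02000005);
    bool in_fields;
    size_t slot;
    int rc = vulnerable_lookup(&cls, enc, &in_fields, &slot);
    return (in_fields && slot == 5 && rc == -1) ? 1 : 0;
}

/* Shows the bounded insert stopping the method array at the 24-bit limit
 * while still allowing a field to be added. Returns 1 on expected behaviour. */
int demo_fix(void)
{
    toy_class cls = { .nfields = 0, .nmethods = MEMBER_MAX_COUNT };
    int method_rc = newslot_fixed(&cls, true);
    int field_rc = newslot_fixed(&cls, false);
    return (method_rc == -1 && field_rc == 0 && cls.nfields == 1) ? 1 : 0;
}

int main(void)
{
    printf("method 0x02000005 encodes to 0x%llx, isfield=%d, masked idx=%lld\n",
           (unsigned long long)method_index_for(0x02000005),
           isfield(method_index_for(0x02000005)),
           (long long)member_idx(method_index_for(0x02000005)));
    printf("confusion reproduced: %d, bounded insert ok: %d\n",
           demo_confusion(), demo_fix());
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. The model deliberately never allocates 0x02000000 entries; it only shows how the encoded index is interpreted, which is enough to see why the tag bit is reachable and why capping each array below 0x01000000 entries closes the hole.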
To exploit this, the author crafts a string that imitates the SQObjectPtr structure the field array normally contains, grooms the heap so that it lands next to the _defaultvalues array, and tricks Squirrel into returning an array whose data pointer is 0x0 and whose element count is 0xffffffffffffffff, giving access to the entire address space.