[ANY/CSGO] cutlrbtree overflow, memory access


ekshon
Junior Member
Join Date: Nov 2020
Old 11-08-2020 , 11:56   [ANY/CSGO] cutlrbtree overflow, memory access
#1

Following this tweet https://twitter.com/ZooL_Smith/statu...23189960478720 (all credits to ZooL) we now know why the "CUtlRBTree overflow" crash happens. Every new unique string created (also every new entity) is added to a string pool which has a limit of 65536.

Please, don't ask "why do you even need this?". This string pool is bugged because it's not purging itself on a new round, which causes a server crash after 1-2 hours of playing on some gamemodes.

IS IT POSSIBLE to get access to these strings and kill only those which have lost their relevance?

There's a command which allows you to output all the strings: "dumpgamestringtable". If you search for it in the hl2 source code files, you can find the "CGameStringPool" class:
https://github.com/ValveSoftware/sou...stringpool.cpp

Can we get access to "m_Strings" of a non-entity class through SourceMod, or maybe a memory hack?

UPD:
In csgo's source code: https://github.com/perilouswithadoll...stringpool.cpp
we have this function:
Quote:
void CStringPool::FreeAll()
{
	unsigned short i = m_Strings.FirstInorder();
	while ( i != m_Strings.InvalidIndex() )
	{
		free( (void *)m_Strings[i] );
		i = m_Strings.NextInorder(i);
	}
	m_Strings.RemoveAll();
}
This means it's possible to call it using "SDKCall", if you know the offset, am I right?

Last edited by ekshon; 11-08-2020 at 17:43. Reason: update
Ilusion9
Veteran Member
Join Date: Jun 2018
Location: Romania
Old 11-10-2020 , 06:45   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#2

Can this crash be related to https://crash.limetech.org/k6oh2z3avmqi ?
I have a deathrun server and this crash happens every 2 days, with nothing related to SourceMod.
Ilusion9
Veteran Member
Join Date: Jun 2018
Location: Romania
Old 11-18-2020 , 14:43   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#3

PHP Code:

#include <sourcemod>
#include <sdktools>
#include <cstrike>
#pragma newdecls required

Handle g_FreeAll;

public void OnPluginStart()
{
    // The gamedata file (not included in the post) has to carry the location of CStringPool::FreeAll
    Handle gamedata = LoadGameConfigFile("memorycrash.games");
    if (gamedata == null)
        SetFailState("Could not load memorycrash.games gamedata");

    StartPrepSDKCall(SDKCall_Static);
    if (!PrepSDKCall_SetFromConf(gamedata, SDKConf_Virtual, "CStringPool::FreeAll"))
        SetFailState("Could not find CStringPool::FreeAll in gamedata");
    // FreeAll() returns void, so no return info is set
    g_FreeAll = EndPrepSDKCall();
    if (g_FreeAll == null)
        SetFailState("Could not prepare the SDK call for CStringPool::FreeAll");

    delete gamedata;

    HookEvent("round_prestart", Event_RoundPreStart);
}

public void Event_RoundPreStart(Event event, const char[] name, bool dontBroadcast)
{
    // Drop the whole string pool before the new round starts
    SDKCall(g_FreeAll);
}

You can do something like this if you know the offsets.
ESK0
BANNED
Join Date: May 2014
Location: Czech Republic
Old 11-18-2020 , 16:03   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#4

Quote:
Originally Posted by Ilusion9 View Post
(SDKCall snippet from post #3 quoted)
You can do something like this if you know the offsets.
Code:
Linux: \x55\x89\xE5\x56\x53\x83\xEC\x10\x8B\x75\x08\x8D\x46\x04
Windows: \x55\x8B\xEC\x83\xEC\x0C\x8D\x45\x08 (not sure)
BHaType
Great Tester of Whatever
Join Date: Jun 2018
Old 11-18-2020 , 20:09   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#5

This calls 3 functions at once but you can find the signature and only call "CStringPool::FreeAll()"

Attachments: Code, Gamedata

I didn't check because I don't have csgo

Last edited by BHaType; 11-18-2020 at 20:12.
ekshon
Junior Member
Join Date: Nov 2020
Old 12-05-2020 , 03:51   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#6

Alright. Thank you guys for helping me with this investigation!
Here's a conclusion that might be helpful for anyone who's facing the same problem:

Calling "FreeAll()" during the round wasn't a good idea, because you lose the map's logic. Every output stops working. Also, the server crashes when you run mp_restartgame 1. Maybe you should call it in the pre-event of "round_restart"? I didn't try this. Forget about "FreeAll" then.

Call "void Remove( const char *pszValue )" instead. It allows you to remove a string by its name, but here's another problem:

Every time you create an entity at runtime with a VSCRIPT attached to it, it creates a weird string with some unique ID and classname / targetname. The good thing is you can get this unique ID and remove the string in "OnEntityDestroyed" very easily.


Here's the code:

Code:
#include <sourcemod>
#include <sdktools>

Handle sdkcall;

public void OnPluginStart()
{
	StartPrepSDKCall(SDKCall_Static);
	// Signature is for Windows; it resolves the function that removes a string from the pool by name
	PrepSDKCall_SetSignature(SDKLibrary_Server, "\x55\x8B\xEC\x56\x8D\x45\x08\xB9", 8);
	PrepSDKCall_AddParameter(SDKType_String, SDKPass_Pointer);
	sdkcall = EndPrepSDKCall();
	if (sdkcall == null)
		SetFailState("Could not find the string pool Remove signature");
}

public void OnEntityDestroyed(int entity)
{
	// Skip invalid indices and entities that have no script id property
	if (entity <= 0 || !IsValidEntity(entity))
		return;
	if (!HasEntProp(entity, Prop_Data, "m_iszScriptId"))
		return;

	char buffer[128];
	GetEntPropString(entity, Prop_Data, "m_iszScriptId", buffer, sizeof(buffer));

	// Entities without a VSCRIPT attached have an empty script id
	if (buffer[0] == '\0')
		return;

	// Remove the "<classname>_<uniqueid>" string the attached VScript created
	SDKCall(sdkcall, buffer);
}
Credits to anarh1st47 for finding the signatures.

YOU CAN USE THIS METHOD TO REMOVE ANY UNWANTED STRING

Here's another solution, just 3 lines of code, that will remove only "m_iszScriptId" strings from stringpool.

Code:
public void OnEntityCreated(int entity, const char[] classname)
{
    // Lets the engine purge the fixed-up (script id) strings of this entity when it is removed
    SetEntProp(entity, Prop_Data, "m_bForcePurgeFixedupStrings", true);
}
SOLVED

Last edited by ekshon; 12-05-2020 at 09:28. Reason: +image
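Editor's added example (not code from any poster in this thread, and not Valve's CStringPool/CUtlRBTree code): a small C++ model of the pool behaviour that posts #1 and #6 work out. It assumes only what the thread states or implies: entries are addressed by a 16-bit index, 0xFFFF is reserved as the invalid index (so at most 65535 strings fit before "CUtlRBTree overflow"), removed slots are reused, FreeAll() drops everything including strings live entities still reference, and the per-entity script-id strings are what leaks between rounds. The strings "logic_script_N" and "map_logic_relay" are constructed for the simulation.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <unordered_map>
#include <vector>

namespace poolmodel {

using Index = uint16_t;
// Same role as CUtlRBTree::InvalidIndex(): with a 16-bit index, 0xFFFF is
// reserved as "no entry", so the pool can hold at most 65535 live strings.
constexpr Index kInvalidIndex = 0xFFFF;

class StringPool {
public:
    // Intern s. Returns kInvalidIndex when every index is taken; the real pool
    // cannot signal this and the server dies with "CUtlRBTree overflow" instead.
    Index Allocate(const std::string& s) {
        auto it = m_byName.find(s);
        if (it != m_byName.end()) return it->second;
        Index idx = kInvalidIndex;
        if (!m_free.empty()) {                 // reuse a slot freed by Remove()
            idx = m_free.back();
            m_free.pop_back();
            m_slots[idx] = s;
        } else {
            if (m_slots.size() >= static_cast<std::size_t>(kInvalidIndex))
                return kInvalidIndex;          // pool full
            idx = static_cast<Index>(m_slots.size());
            m_slots.push_back(s);
        }
        m_byName.emplace(s, idx);
        return idx;
    }

    Index Find(const std::string& s) const {
        auto it = m_byName.find(s);
        return it == m_byName.end() ? kInvalidIndex : it->second;
    }

    // Counterpart of CStringPool::Remove(const char*): drop one string by name.
    bool Remove(const std::string& s) {
        auto it = m_byName.find(s);
        if (it == m_byName.end()) return false;
        m_free.push_back(it->second);
        m_byName.erase(it);
        return true;
    }

    // Counterpart of CStringPool::FreeAll(): drops everything, including strings
    // that live entities still reference, which is why calling it mid-round
    // breaks map logic (every name lookup afterwards fails).
    void FreeAll() {
        m_byName.clear();
        m_slots.clear();
        m_free.clear();
    }

    std::size_t Count() const { return m_byName.size(); }

private:
    std::unordered_map<std::string, Index> m_byName;
    std::vector<std::string> m_slots;
    std::vector<Index> m_free;
};

struct SimResult {
    bool overflowed;
    std::size_t roundsCompleted;
    std::size_t liveStrings;
};

// Model of the leak: each round spawns entitiesPerRound scripted entities whose
// script ids (constructed here as "logic_script_<serial>", standing in for the
// "<classname>_<uniqueid>" m_iszScriptId strings the thread describes) get
// interned, then destroys them at round end. Without a purge the ids stay in
// the pool forever; with purgeOnDestroy the destroy hook calls Remove() on each
// id, as the SourcePawn snippet in post #6 does.
SimResult SimulateRounds(std::size_t rounds, std::size_t entitiesPerRound, bool purgeOnDestroy) {
    StringPool pool;
    pool.Allocate("map_logic_relay");   // one persistent map string, constructed for illustration
    std::uint64_t serial = 0;
    for (std::size_t r = 0; r < rounds; ++r) {
        std::vector<std::string> spawned;
        for (std::size_t e = 0; e < entitiesPerRound; ++e) {
            std::string id = "logic_script_" + std::to_string(serial++);
            if (pool.Allocate(id) == kInvalidIndex)
                return {true, r, pool.Count()};   // this is the crash point on a real server
            spawned.push_back(id);
        }
        if (purgeOnDestroy)
            for (const auto& id : spawned) pool.Remove(id);
    }
    return {false, rounds, pool.Count()};
}

}  // namespace poolmodel
```

With 1000 scripted entities per round and no purge, the model runs out of indices in the 66th round (65 completed rounds plus the one persistent string), which is the "1-2 hours of playing" budget post #1 describes; with Remove() called from the destroy hook the live count stays at the persistent string alone. The FreeAll() counterpart shows the other half of post #6: after it, Find() on a still-referenced name returns the invalid index, so outputs keyed on that name stop resolving.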
Dragokas
Veteran Member
Join Date: Nov 2017
Location: Ukraine on fire
Old 12-05-2020 , 15:40   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#7

Just FYI,
I think your topic could be related to a similar issue in L4D2: [L4D2] Script Command Swap - Mem Leak Fix,
caused by using the console command to create VScript instead of logic_script entity.

Sorry for hijacking your topic.

I also have a problem with a once-a-week crash related to CUtlRBTree overflow.
But, my game is Left 4 Dead 1. There is no VScript system at all.

I'm just curious, didn't you try to use the CStringPool::FreeAll() method on MapEnd?

Crash details:

Last edited by Dragokas; 12-05-2020 at 15:41.
ekshon
Junior Member
Join Date: Nov 2020
Old 12-05-2020 , 22:47   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#8

Quote:
Originally Posted by Dragokas View Post
I'm just curious, didn't you try to use the CStringPool::FreeAll() method on MapEnd?
No, I never tried to call "FreeAll" on map end. I think there are more lists using the CUtlRBTree type, not only "gamestringpool". But this one is the most common that causes the crash. You can dump it with these commands:

Code:
sv_cheats 1
developer 1
dumpgamestringtable
The limit is 65536. Try mp_restartgame 1 and look if it's leaking. Also, you might be using some map which creates entities at runtime with unique names, etc. Or you're using game_text to print some unique strings on the player's screen.
Hawkins
Senior Member
Join Date: Jul 2021
Old 05-02-2022 , 19:10   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#9

It spams this in the error logs when trying to use it in L4D2:
PHP Code:
L 05/03/2022 00:45:43: [SM] Exception reported: Property "m_bForcePurgeFixedupStrings" not found (entity 0/worldspawn)
L 05/03/2022 00:45:43: [SM] Blaming: stringpool_fix.smx
L 05/03/2022 00:45:43: [SM] Call stack trace:
L 05/03/2022 00:45:43: [SM]   [0] SetEntProp
L 05/03/2022 00:45:43: [SM]   [1] Line 14, d:\L4D Stuff\4. VS SourcePawn\stringpool_fix.sp::OnEntityCreated
L 05/03/2022 00:45:43: [SM] Exception reported: Property "m_bForcePurgeFixedupStrings" not found (entity 32/cs_team_manager)
L 05/03/2022 00:45:43: [SM] Blaming: stringpool_fix.smx

Last edited by Hawkins; 05-02-2022 at 19:12.
Bacardi
Veteran Member
Join Date: Jan 2010
Location: mom's basement
Old 05-03-2022 , 09:13   Re: [ANY/CSGO] cutlrbtree overflow, memory access
#10

Quote:
Originally Posted by Hawkins View Post
It spams this in the error logs when trying to use it in L4D2:
(error log from post #9 quoted: Property "m_bForcePurgeFixedupStrings" not found)
PHP Code:
public void OnEntityCreated(int entity, const char[] classname)
{
    // Not every game exposes this property, so only set it where it exists
    if (HasEntProp(entity, Prop_Data, "m_bForcePurgeFixedupStrings"))
        SetEntProp(entity, Prop_Data, "m_bForcePurgeFixedupStrings", true);
}