remove intended bugs

Author: mlechu

game.c

@@ -184,10 +184,16 @@ piece_t new_piece(shape_t s) {
 game_t *new_game(game_t *g, char *gname) {
     if (!g) {
         g = calloc(sizeof(game_t), 1);
+    } else {
+         memset(g, 0, sizeof(game_t));
     }
+
     if (!gname) {
         gname = "";
     }
+    /* fixme add to game struct */
+    memset(bag, 0, sizeof bag);
+    bag_fullness = 7;
     g->p = new_piece(0);
     for (int i = 0; i < PIECE_PREVIEWS; i++) {
         g->preview[i] = rand_shape();
@@ -196,14 +202,19 @@ game_t *new_game(game_t *g, char *gname) {
     return g;
 }
 
-/* Return true if p overlaps with any placed piece in g
- * BUG: The piece can be above the board, so the returned value can be an
- * out-of-bounds read */
-/* Other than intentional leaks, do not call unless you're sure the piece is on
- * the board */
+/* Return true if p overlaps with any placed piece in g */
 shape_t check_dead(game_t *g, const piece_t *const p) {
     pos_t cells[4];
     get_cells(*p, cells);
+    int min_x = min4(cells[0].x, cells[1].x, cells[2].x, cells[3].x);
+    int max_x = max4(cells[0].x, cells[1].x, cells[2].x, cells[3].x);
+    int min_y = min4(cells[0].y, cells[1].y, cells[2].y, cells[3].y);
+    int max_y = max4(cells[0].y, cells[1].y, cells[2].y, cells[3].y);
+
+    if (min_x < 0 || min_y < 0 || max_x >= BOARD_W || max_y >= BOARD_H) {
+        return P_WALL;
+    }
+
     for (int i = 0; i < 4; i++) {
         shape_t on_board = g->board[cells[i].y][cells[i].x];
         if (on_board != P_NONE) {
@@ -344,24 +355,20 @@ shape_t print_game(game_t *g) {
  * hop over the cookie and rbp, so i copy the game pointer after the bad array
  * instead. */
 int clear_lines_write_shape(game_t *g) {
-    volatile struct {
-        score_t scores[5];
-        game_t *g2;
-    } tsp_bug = {{0, 100, 300, 500, 800}, g};
-
+    score_t scores[6] = {0, 100, 300, 500, 800, 1000};
     int should_clear = 0;
     int rowcnt[BOARD_H] = {0}; /* row fullness */
 
     pos_t curr_cells[4];
-    get_cells(tsp_bug.g2->p, curr_cells);
+    get_cells(g->p, curr_cells);
 
     for (int i = 0; i < 4; i++) {
         /* count the current piece */
         rowcnt[curr_cells[i].y]++;
     }
     for (int y = 0; y < BOARD_H; y++) {
         for (int x = 0; x < BOARD_W; x++) {
-            if (tsp_bug.g2->board[y][x] != P_NONE) {
+            if (g->board[y][x] != P_NONE) {
                 rowcnt[y]++;
             }
         }
@@ -374,8 +381,7 @@ int clear_lines_write_shape(game_t *g) {
     if (!should_clear) {
         /* writing the shape to the board */
         for (int i = 0; i < 4; i++) {
-            tsp_bug.g2->board[curr_cells[i].y][curr_cells[i].x] =
-                tsp_bug.g2->p.s;
+            g->board[curr_cells[i].y][curr_cells[i].x] = g->p.s;
         }
         return 0;
     }
@@ -384,51 +390,45 @@ int clear_lines_write_shape(game_t *g) {
      * triple gives score_i = 5 */
     int score_i = 0;
 
-    if (tsp_bug.g2->p.s == P_T) {
+    if (g->p.s == P_T) {
         /* puts("is T"); */
-        piece_t new_p = tsp_bug.g2->p;
-        new_p.pos.y = tsp_bug.g2->p.pos.y - 1;
+        piece_t new_p = g->p;
+        new_p.pos.y = g->p.pos.y - 1;
 
         pos_t cells[4];
         get_cells(new_p, cells);
         int min_y = min4(cells[0].y, cells[1].y, cells[2].y, cells[3].y);
         if (min_y >= 0 && check_dead(g, &new_p)) {
-            /* BUG: If we find a t-spin (last piece was a t piece AND it cannot
-             * be moved up one spot AND we clear at least one line) we try to
-             * boost the score by setting score_i. Since the line clear counting
-             * happens after regardless, we get max points for a t-spin single,
-             * and two possible leaks for 2 and 3 cleared lines respectively.
-             */
-            score_i = 3;
+            score_i = 2;
         }
     }
 
     /* writing the shape to the board */
     for (int i = 0; i < 4; i++) {
-        tsp_bug.g2->board[curr_cells[i].y][curr_cells[i].x] = tsp_bug.g2->p.s;
+        g->board[curr_cells[i].y][curr_cells[i].x] = g->p.s;
     }
 
     int src_y = BOARD_H - 1;
     /* I suppose an overflow when shifting things down could also be good */
     for (int dst_y = BOARD_H - 1; dst_y >= 0; dst_y--, src_y--) {
         if (src_y < 0) { /* nothing to shift; copy a blank line */
             for (int x = 0; x < BOARD_W; x++) {
-                tsp_bug.g2->board[dst_y][x] = P_NONE;
+                g->board[dst_y][x] = P_NONE;
             }
         } else {
             while (rowcnt[src_y] == BOARD_W && src_y >= 0) { /* clear */
                 src_y--;
                 score_i++;
             }
             for (int x = 0; x < BOARD_W; x++) {
-                tsp_bug.g2->board[dst_y][x] = tsp_bug.g2->board[src_y][x];
+                g->board[dst_y][x] = g->board[src_y][x];
             }
         }
     }
 
     /* printf("score_i: %d\n", score_i); */
     fflush(stdout);
-    return tsp_bug.scores[score_i];
+    return scores[score_i];
 }
 
 /* Shift the queue forward, filling in the new spot, and throwing away curr.

makefile

@@ -1,15 +1,13 @@
 DEBUG := 0
 
 CC := gcc
-CCFLAGS := -I .
+CCFLAGS := -I . -fcf-protection=full -fstack-protector-all -O2
 BFLAGS := --no-lines
 
 ifeq ($(DEBUG), 1)
-	CCFLAGS += -g -Wall -Wextra -Wpedantic
+	CCFLAGS += -g -Wall -Wextra -Wpedantic -fsanitize=address -fsanitize=undefined -fsanitize=signed-integer-overflow -fsanitize-undefined-trap-on-error
 # CCFLAGS += -fno-pie -no-pie
 # BFLAGS += -Wcounterexamples
-else
-	CCFLAGS += -O1
 endif
 
 OUTDIR := out
@@ -52,39 +50,32 @@ $(OUTDIR)/tetrominobot: tetrominobot.c $(OUTDIR)/game $(OUTDIR)/robot $(OUTDIR)/
 tx: $(OUTDIR)/tx
 
 tx_clean:
-	rsync -rva --exclude $(OUTDIR) --exclude .git . $(VM_IP):tbot
-	ssh -A $(VM_IP) "cd tbot && make clean"
+	rsync -rva --exclude $(OUTDIR) --exclude .git . $(VM_IP):tbot2
+	ssh -A $(VM_IP) "cd tbot2 && make clean"
 
 $(OUTDIR)/tx: robot.c game.c tetrominobot.c |$(OUTDIR)
-	rsync -rva --exclude $(OUTDIR) --exclude .git . $(VM_IP):tbot
-	ssh -A $(VM_IP) "cd tbot && make handouts"
-	scp -r $(VM_IP):~/tbot/$(OUTDIR)/* ./$(OUTDIR)/
-# scp $(VM_IP):~/tbot/$(OUTDIR)/tetrominobot $(OUTDIR)/tx
+	rsync -rva --exclude $(OUTDIR) --exclude .git . $(VM_IP):tbot2
+	ssh -A $(VM_IP) "cd tbot2 && make handouts"
+	scp -r $(VM_IP):~/tbot2/$(OUTDIR)/* ./$(OUTDIR)/
 
-D_IMG := tbot_img
-D_CON := tbot_container
+D_IMG := tbot2_img
+D_CON := tbot2_container
 D_BUILD := /build
 
 $(HDIR):
 	mkdir -p $(HDIR)
 
-handouts: robot.c game.c tetrominobot.c player-manual.org makefile $(OUTDIR)/docker_tbot_cont |$(HDIR)
+handouts: robot.c game.c tetrominobot.c player-manual.org makefile $(OUTDIR)/docker_tbot2_cont |$(HDIR)
 	docker restart $(D_CON)
 	docker cp . $(D_CON):$(D_BUILD)
 	docker exec $(D_CON) /bin/bash -c 'cd $(D_BUILD) && make'
-	docker exec $(D_CON) /bin/bash -c 'cd $(D_BUILD) && make'
-ifneq ($(DEBUG),1)
 	docker exec $(D_CON) /bin/bash -c 'strip --strip-all $(D_BUILD)/$(OUTDIR)/tetrominobot'
-endif
-	docker cp $(D_CON):$(D_BUILD)/$(OUTDIR)/tetrominobot $(HDIR)
 	docker cp $(D_CON):$(D_BUILD)/$(OUTDIR)/tetrominobot $(HDIR)
-	docker cp $(D_CON):/lib/x86_64-linux-gnu/libc.so.6 $(HDIR)
-	docker cp $(D_CON):/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 $(HDIR)
 	docker stop $(D_CON)
 	cp ./player-manual.org $(HDIR)
 	cp ./simple.tbot $(HDIR)
 
-$(OUTDIR)/docker_tbot_image: dockerfile |$(OUTDIR)
+$(OUTDIR)/docker_tbot2_image: dockerfile |$(OUTDIR)
 	touch $@
 # clean
 	docker stop $(D_CON) || true
@@ -93,7 +84,7 @@ $(OUTDIR)/docker_tbot_image: dockerfile |$(OUTDIR)
 # build
 	docker build . -t $(D_IMG) --platform=linux/amd64
 
-$(OUTDIR)/docker_tbot_cont: $(OUTDIR)/docker_tbot_image |$(OUTDIR)
+$(OUTDIR)/docker_tbot2_cont: $(OUTDIR)/docker_tbot2_image |$(OUTDIR)
 	touch $@
 # clean
 	docker stop $(D_CON) || true

parse.y

@@ -106,7 +106,7 @@ cond_if
     }
 }
 | fcall
-| PRINT '(' exp ')' { printf("%ld\n", $3); }
+| PRINT '(' exp ')' { if (cond_active) { printf("%ld\n", $3); } }
 /* or macro call? */
 ;
 
@@ -174,7 +174,8 @@ semicolon.opt:
 
 void yyerror (game_t *g, tbot_t *t, char *s) {
     (void)g;
-    fprintf (stderr, "at pos %ld (\"%c\"): %s\n", t->ppos, t->prog[t->ppos], s);
+    char checked = strlen(t->prog) > t->ppos ? t->prog[t->ppos] : '?';
+    fprintf(stderr, "at pos %ld (\"%c\"): %s\n", t->ppos, checked, s);
     exit(1);
 }
 

readme.org

@@ -1,5 +1,18 @@
+* tbot2
+see tetrominobot; this is hopefully the bugless version. tell people to use the pwn binary for
+practice, but the one running on the server has been changed for this challenge, and no funny
+business is allowed for this one anyway. i'll try to make this one as secure as
+possible. suggestions are welcome.
+
+note we still want to run with the same libc since the rand() piece generator is deterministic with
+the input, and this allows people to test locally using the pwn binary
+
+Going with 30k iterations for now. How many points for a flag? 8k?
+
+30k cycles * (1 piece dropped per ~30 cycles) * (4 cells per piece dropped) * (1 line cleared per
+10 cells) * (100 point mimimum per line cleared) = ~40k points estimated possible
+
 * tetrominobot
-You can call yourself an AI engineer after this one
 
 ** details
 The program allows the player to create little tetris bots. minus pwn, the intention would be to get
@@ -23,86 +36,8 @@ There won't be loops beyond the outer loop, but workarounds using counters are p
 
 todo add grammar
 
-** exploit
-
-It might suffice to do either bug 1 or bug 2 interchangably (1 probably being more useful; 2 is
-mostly there because having a t-spin leak is funny). 3 should be mandatory.
-
-*** optional bug: srand (piece generator) control
-Intentionally lazy rng so the player can get deterministic and known pieces with a little
-effort. makes bugs 1+2 a lot easier.
-- Before running the bot we call srand(x) where x is a small unsigned number that is the sum of all
-  bytes in the player input
-- The parser stops at an EOF character and so the user can put whatever they like after one.
-- Like in the real game, pieces are repeatedly drawn from a bag of 7, so this just controls the
-  permutations (the player can't just ask for I pieces). however it makes things much easier to
-  programmatically generate the after-eof garbage and get the same sequence of pieces every time, no
-  matter what they are.
-
-I'll use this bug for now to try and make intended bugs more attractive than any unintended ones.
-however, it would make for an interesting challenge to use real randomness.
-
-*** bug 1: libc leak through the ceiling
-- Like in the real game, pieces existing above the visible board does not kill you
-  - you die when a new piece can't spawn (usually in the top-middle of the board)
-- An address or some other interesting data is stored above the board in memory
-  - libc? address of game memory for a ropchain?
-- Piece movement functions return 0 for success or a number describing what the piece ran into
-- Like in the real game, there is no "move up" function, but if you are rotating a piece close to
-  some obstacles, there is a bunch of "kick" positions that are tried, and many of these positions
-  bump the rotated piece up
-
-*** bug 2: base addr leak with a t-spin
-- the score delta when clearing n lines is array[n] where array is 4 constant ints stored on the
-  stack
-- t-spins generally give a player more points than the raw amount of lines cleared
-  - this is when the piece dropped was a T and the T is "under" some existing pieces
-- it is possible to clear 1, 2, or 3 lines with a t-spin
-- have the can't-move-T-up check set n=3 (maybe 4? maybe long ints?). Then have the line clearing
-  check increment it with additional lines cleared
-- score will increment by whatever interesting data lies after the array. player can access the
-  score in their bot.
-
-decided to go with 2 lines good enough for a leak. i don't even know how to do a t-spin triple lol
-
-*** bug 3: arbitrary call using bad debug mode and buggy cmdline arg parser
-- bot name can be entered through argv, or through an initial fgets if not found.
-  - Debug mode can only be enabled thru argv
-  - everything is put together, so any bot name starting with - and containing d enables debug
-- debug mode allows for an extra game function and adds it to the end of the game function table in
-  the null spot
-  - where the null spot was previously used as the end indicator
-- the player-writable memory is allocated right after the gfunctable
-- gfunctable is a record of char *name and func *s
-- player will need to
-  - call a predetermined string in the program
-  - find the pointer (hard) to this string and put this in mem[0] (easy)
-  - find a pointer (hard) to whatever they'd like and write it to mem[1] (easy)
-  - probably write a rop chain? onegadget might be possible, don't really have time to check
-- This is all made easier by the fact the player can re-run the program with a different bot until
-  they quit or things segfault.
-
-this seems convoluted but i'm imagining it would be pretty easy to be suspicious of the f*table and
-the player memory being so close together. i just need to make sure this doesn't open up any boring
-ways of finding good addresses (please use the ceiling bug and/or the t-spin bug)
-
-
-current working bug demo minus pie which calls rot_l by its address:
-
-~{ mem[0] = 4219153; mem[1] = 4207180; call(help) }~
-
-
 ** flag
-- maple{tell the marketing department that we use 99% fewer CPU cycles than competing apps}
-
-
-* todo
-in descending order of importance
-
-- piece timeout?
-- ask people to debug cmdline args
-- print should only do so when debugging
-- test game functions
+- maple{?}
 
 
 * building