Author Topic: oa_ded.x86_64 0.8.1 crash  (Read 4848 times)
rm (Nub, Cakes 1, Posts: 19)
« on: February 24, 2010, 01:38:25 AM »

With 0.8.1 oa_ded.x86_64 had a server crash just now:
Code:
Item: 5 item_health
Item: 0 team_CTF_redflag
broadcast: print "Dark^7 got the RED flag!\n"
CTF: 0 1 0: Dark got the RED flag!
ClientUserinfoChanged: 0 n\Dark\t\2\model\angelyss/dark\hmodel\angelyss/dark\c1\4\c2\5\hc\70\w\0\l\0\skill\ 2.00\tt\2\tl\1
ClientUserinfoChanged: 3 n\Dark\t\1\model\angelyss/dark\hmodel\angelyss/dark\c1\4\c2\5\hc\70\w\0\l\0\skill\ 2.00\tt\5\tl\0
Item: 5 weapon_rocketlauncher
Client 5 connecting with 50 challenge ping
ClientConnect: 6
ClientUserinfoChanged: 6 n\uBik\t\3\model\james\hmodel\*james\g_redteam\\g_blueteam\\c1\7aaa\c2\7\hc\100\w\0\l\0\tt\0\tl\0
broadcast: print "uBik^7 connected\n"   
^1Error: BotConstructChat: message  too long
]*** stack smashing detected ***: . terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f03666a9d57]
/lib/libc.so.6(__fortify_fail+0x0)[0x7f03666a9d20]
.[0x47f87a]
======= Memory map: ========
Received signal 6, exiting...
----- Server Shutdown (Signal caught) -----
Sending heartbeat to dpmaster.deathmask.net
Sending heartbeat to dpmaster.deathmask.net
==== ShutdownGame ====
ShutdownGame:
------------------------------------------------------------
AAS shutdown.
----- Server Shutdown (Server fatal crashed: VM_Free(qagame) on running vm) -----
Sending heartbeat to dpmaster.deathmask.net
Sending heartbeat to dpmaster.deathmask.net
==== ShutdownGame ====
ShutdownGame:
recursive error after: VM_Free(qagame) on running vm
Worked fine for a couple of days before this. Anyone seen something like this, any ideas why this happened?
Falkland (Member, Cakes 6, Posts: 590)
« Reply #1 on: February 24, 2010, 11:05:15 AM »

[...]
Worked fine for a couple of days before this. Anyone seen something like this, any ideas why this happened?

I guess you are using Fedora or OpenSuSE, because neither Debian's nor the default binary is compiled with smash stack protection (-fstack-protector -D_FORTIFY_SOURCE=2 gcc flags)...

anyway:

Quote
...
"Smashing the stack" colloquially refers to exploiting a buffer overflow (where do you think that buffer is? On the heap? No, it's on the stack, so the overflow is a stack overflow) deliberately in order to change the return address.

The OS can't distinguish malicious intent from an accident, however, so it assumes that anything that tries to overwrite the return address is an attempted stack smash.
...

where "malicious intent" means smashing the stack to obtain unauthorized privileged access (e.g. a root shell execution, a remote shell execution or even a back-door)

The server was killed because the smash stack protection (available since gcc-4.1 and since MS Visual Studio 2003) detected a smash stack event.

I usually also compile my own client with smash stack protection, and I've suggested compiling the official binaries with this and other protections: http://openarena.ws/board/index.php?topic=1933.msg27771#msg27771
« Last Edit: February 24, 2010, 11:18:11 AM by Falkland »
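To make the mechanism Falkland describes concrete, here is an added example (not OpenArena code and not from either poster): a fixed-size stack buffer filled by an unchecked copy, beside a length-checked version that refuses an oversized message the way the "message too long" error in the log intends. MAX_CHAT, the function names and the inputs are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OpenArena's code. MAX_CHAT is an assumed size. */
#define MAX_CHAT 64

/* Unsafe pattern: the copy is bounded by the source, not the buffer, so a
 * message of MAX_CHAT bytes or more overwrites the canary, saved registers
 * and return address above `line`. Built with -fstack-protector the function
 * epilogue sees the clobbered canary and aborts with "*** stack smashing
 * detected ***" as in the log (with -D_FORTIFY_SOURCE=2 at -O1 or higher,
 * glibc's checked strcpy aborts even earlier). Only run on request. */
static void build_chat_unsafe(const char *msg) {
    char line[MAX_CHAT];
    strcpy(line, msg);                          /* no length check */
    puts(line);
}

/* Hardened form: verify the message fits (terminator included) before
 * writing, and report "message too long" instead of overflowing. */
bool build_chat_safe(const char *msg, char *out, size_t out_sz) {
    size_t len = strlen(msg);
    if (out_sz == 0 || len >= out_sz) {
        fputs("Error: BotConstructChat: message too long\n", stderr);
        return false;
    }
    memcpy(out, msg, len + 1);                  /* copies the NUL too */
    return true;
}

/* Short message copied intact; a constructed 100-byte one is rejected and
 * `out` is left untouched. */
bool demo_safe_path(void) {
    char out[MAX_CHAT], long_msg[101];
    memset(long_msg, 'A', 100); long_msg[100] = '\0';
    if (!build_chat_safe("uBik connected", out, sizeof out)) return false;
    if (build_chat_safe(long_msg, out, sizeof out)) return false;
    return strcmp(out, "uBik connected") == 0;
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
        char long_msg[101];
        memset(long_msg, 'A', 100); long_msg[100] = '\0';
        build_chat_unsafe(long_msg);            /* expect an abort here */
    }
    return demo_safe_path() ? 0 : 1;
}
```

Build with `gcc -O2 -fstack-protector-all -D_FORTIFY_SOURCE=2 demo.c` and run with `--unsafe` to see the runtime abort for yourself. Whether an existing dynamically linked binary was built with the protector at all can be checked with `nm -D <binary> | grep __stack_chk_fail`, which lists the canary-failure routine as an imported symbol when it was.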