Mojira Archive
MC-196046

Rail duplication exploits

Not to be confused with the slime rail duplication exploit; this one is different.

While there are two separate duplication exploits reported here, they heavily overlap in how they occur, and thus have overlapping fixes.

First type:
Setup: https://i.imgur.com/NiFNPwn.png
Note: the rails pointing to the left must be powered for this to work.

To duplicate the rail, simply activate the piston. When the piston
tries to push the rail over the hole, the rail will break but
will supply two rail items.

When the blockstate's place callback is invoked, the rail block
will try to adjust its state to correctly point to neighbours.
However, when it sets the block data, the set type call figures
out that the rail shouldn't exist, and so removes the block and
drops the items. However, the caller doesn't check if this happened.

After the neighbour adjustment call completes, physics are invoked
on the rail block state, which again figure out the rail state
shouldn't exist, and they drop the blocks.

The problem here is the physics call on the rail state that doesn't
exist in the world. The fix here is to simply use the world state.

Several checks were placed in the neighbour update logic to avoid
any further issues from this code section.

Second type:
Setup: https://i.imgur.com/RwFOVdg.png

In order to duplicate the rail, you must place the rail on top of the gold
block with the minecart over the rail (doesn't need to be fully on,
just enough to make the rail powered).

When the rail block is pushed, it runs the same logic as the first type.
However, the rail block isn't destroyed during the neighbour updating,
rather it is destroyed on the following physics call.

The problem here is the block data is not updated after the physics call,
which in this case results in the detector rail attempting to power the
moved rail. When the rail is powered via the setType call, the call
again realises the block shouldn't exist - and drops the blocks.

I've made a patch that fixes the issue, and attached the world I used to duplicate the rails and test the fix. The world was provided to me by the person who discovered the exploit.

The patch is targeted at Paper, so it means it's using spigot mappings.

Patch: https://gist.github.com/Spottedleaf/9e80769eb31692beea3eecd054e4cc09

Fixed

Spottedleaf

[Mojang] Felix Jones

2020-07-25, 02:47 AM

2020-08-03, 12:20 PM

2020-08-03, 12:20 PM

0

0

Unconfirmed

(Unassigned)

1.16.1

1.16.2 Pre-release 2
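
The stale-state bug described under "First type", reduced to a small model. This is an added example, not code from the report, the linked patch, Minecraft or Paper. Every class and function name is hypothetical, and the model assumes the piston move writes the rail into the world without validating it.

```python
# Simplified model of the first duplication type. Every name is hypothetical;
# this is not Minecraft or Paper code.
AIR, RAIL = "air", "rail"

class World:
    def __init__(self, supported):
        self.blocks = {}            # position -> block type
        self.supported = supported  # positions with a solid block below
        self.drops = []             # item drops spawned so far

    def get(self, pos):
        return self.blocks.get(pos, AIR)

    def break_block(self, pos):
        self.blocks[pos] = AIR
        self.drops.append(RAIL)

    def set_type(self, pos, block):
        # Writing block data re-validates it: an unsupported rail is
        # removed and dropped inside this call.
        self.blocks[pos] = block
        if block == RAIL and pos not in self.supported:
            self.break_block(pos)

def physics(world, pos, state):
    # Acts on the state it is handed, not on what the world holds.
    if state == RAIL and pos not in world.supported:
        world.break_block(pos)

def on_place_buggy(world, pos):
    state = world.get(pos)
    world.set_type(pos, state)    # neighbour adjustment may remove the rail
    physics(world, pos, state)    # stale state: breaks and drops again

def on_place_fixed(world, pos):
    world.set_type(pos, world.get(pos))
    current = world.get(pos)      # re-read the world after the update
    if current == RAIL:
        physics(world, pos, current)

def drops_after_push(on_place, supported):
    pos = (0, 64, 0)
    world = World(supported)
    world.blocks[pos] = RAIL      # assumption: the piston move writes the block unchecked
    on_place(world, pos)
    return len(world.drops)
```

With the rail pushed over a hole, the buggy callback yields two drops and the fixed one yields one; with support under the rail, neither drops anything.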