It's not even worth trying to report individual bugs at this point. Their code is pretty much continuously doing use-after-free, etc. during regular use. Hard to believe this is network-facing code written after 1999. Games have seriously screwed up development practices.
1
10
Unity games are broken on GrapheneOS not because the game engine depends on Play services but because it's continuously corrupting memory in regular usage. A bunch of the issues get detected by security features. Broken with non-hardened allocators, etc. too just not jemalloc...
3
11
Their approach to memory corruption appears to be entirely ignoring the problem unless the crashes and data corruption are so bad that a game can't run for 30 minutes without crashing. If it doesn't completely break with default allocator, etc. then apparently they don't care.
1
5
Seriously, use ASan / HWAsan and start fixing the blatant memory corruption. This is going to turn into a seriously embarrassing chain of security incidents. Reported serious issues including security-relevant ones and they did nothing. This is directly network-facing software.
1
6
Got someone else to try reporting issues and I made an attempt myself. Based on how blatant the issues are it's pretty clear they simply don't care. They don't even need ASan/HWAsan to find these bugs. Could use older approaches like Valgrind or primitive malloc debugging tools.
1
6
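The "primitive malloc debugging" approach mentioned above, as an added example that is not the thread author's code or anything from Unity or GrapheneOS: a small hypothetical debug allocator (`dbg_malloc`, `dbg_free`, `dbg_check_quarantine` are all made-up names) that puts a canary after every allocation, fills freed memory with a poison pattern, and parks freed blocks in a quarantine so a later write to them can be noticed. The three `demo_*` scenarios are constructed bugs of the kinds the thread describes (write after free, one-byte heap overflow, double free), and each is detected without ASan, HWASan or Valgrind.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical debug allocator (added example): guard canary after every
 * allocation, fill-on-free poisoning, and a small quarantine that keeps freed
 * blocks out of circulation so writes to them can be detected later. */

#define POISON_BYTE 0xAA
#define CANARY_VALUE 0x5A17C0DEC0FFEE42ULL
#define QUARANTINE_SLOTS 8

enum { DBG_OK = 0, DBG_OVERFLOW = 1, DBG_DOUBLE_FREE = 2, DBG_BAD_HEADER = 3 };

typedef struct {
    size_t size;       /* user-visible size */
    uint64_t canary;   /* detects corrupted metadata / underflow */
} header_t;

static header_t *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_len;

static header_t *header_of(void *user) { return (header_t *)user - 1; }
static uint8_t *user_of(header_t *h) { return (uint8_t *)(h + 1); }

void *dbg_malloc(size_t size) {
    /* layout: header | user bytes | trailing canary */
    header_t *h = malloc(sizeof *h + size + sizeof(uint64_t));
    if (h == NULL) return NULL;
    h->size = size;
    h->canary = CANARY_VALUE;
    uint64_t c = CANARY_VALUE;
    memcpy(user_of(h) + size, &c, sizeof c);   /* memcpy: end may be unaligned */
    return user_of(h);
}

int dbg_free(void *user) {
    header_t *h = header_of(user);
    for (size_t i = 0; i < quarantine_len; i++)
        if (quarantine[i] == h) return DBG_DOUBLE_FREE;   /* already freed */
    if (h->canary != CANARY_VALUE) return DBG_BAD_HEADER;
    uint64_t trailer;
    memcpy(&trailer, user_of(h) + h->size, sizeof trailer);
    int status = (trailer == CANARY_VALUE) ? DBG_OK : DBG_OVERFLOW;
    memset(user_of(h), POISON_BYTE, h->size);   /* fill-on-free */
    if (quarantine_len == QUARANTINE_SLOTS) {   /* evict oldest to the real allocator */
        free(quarantine[0]);
        memmove(quarantine, quarantine + 1, (QUARANTINE_SLOTS - 1) * sizeof *quarantine);
        quarantine_len--;
    }
    quarantine[quarantine_len++] = h;
    return status;
}

/* Number of quarantined blocks whose poison was disturbed, i.e. written after free. */
int dbg_check_quarantine(void) {
    int tampered = 0;
    for (size_t i = 0; i < quarantine_len; i++) {
        uint8_t *u = user_of(quarantine[i]);
        for (size_t j = 0; j < quarantine[i]->size; j++) {
            if (u[j] != POISON_BYTE) { tampered++; break; }
        }
    }
    return tampered;
}

void dbg_reset(void) {
    for (size_t i = 0; i < quarantine_len; i++) free(quarantine[i]);
    quarantine_len = 0;
}

/* Constructed bug: write after free. The block is still owned by the quarantine,
 * so the write is not undefined behaviour here; it is simply caught on the scan. */
int demo_use_after_free(void) {
    dbg_reset();
    char *p = dbg_malloc(16);
    strcpy(p, "session-token");
    dbg_free(p);
    p[0] = 'X';
    return dbg_check_quarantine();   /* 1 tampered block */
}

/* Constructed bug: one byte past the end lands on the trailing canary. */
int demo_overflow(void) {
    dbg_reset();
    char *p = dbg_malloc(8);
    memset(p, 'A', 9);
    return dbg_free(p);   /* DBG_OVERFLOW */
}

/* Constructed bug: freeing the same block twice. */
int demo_double_free(void) {
    dbg_reset();
    char *p = dbg_malloc(8);
    dbg_free(p);
    return dbg_free(p);   /* DBG_DOUBLE_FREE */
}

/* Well-behaved usage raises nothing. */
int demo_clean(void) {
    dbg_reset();
    char *p = dbg_malloc(32);
    memset(p, 'B', 32);
    return dbg_free(p) == DBG_OK && dbg_check_quarantine() == 0;
}

int main(void) {
    printf("use-after-free blocks: %d\n", demo_use_after_free());
    printf("overflow status: %d\n", demo_overflow());
    printf("double-free status: %d\n", demo_double_free());
    printf("clean run ok: %d\n", demo_clean());
    return 0;
}
```

The quarantine scan is the cheap stand-in for what fill-on-free plus zero-on-free checks do in hardened allocators: a freed block that no longer holds its expected pattern was written after free, and the allocator can report it at the next operation instead of letting the corruption propagate silently.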
There are so many memory corruption bugs that there's no point even talking about something like fuzzing because Unity can't even open up a game menu during completely non-adversarial usage without a bunch of memory corruption bugs. Not talking about some minor issues either...
1
10