When a loaded or newly spawned entity is processed, its tracking ID is fetched from an increasing AtomicInteger counter in the line "private int id = ENTITY_COUNTER.incrementAndGet();" in the net/minecraft/world/entity/Entity class.
However, AtomicInteger does not guard against integer overflow, so the entity ID wraps into negative values after roughly 2.1 billion entities have been loaded.
When ENTITY_COUNTER.incrementAndGet() reaches -1 and then 0, it starts handing out IDs that have already been allocated. If an old entity with that ID is still alive and loaded, the new entity collides with it: both carry the same ID inside net/minecraft/server/level/ChunkMap.addEntity(), which throws an IllegalStateException.
Once the counter has wrapped, any entity that is spawned or loaded can trigger this crash. On public servers this can be exploited by reloading large numbers of entities over and over, and it also endangers servers that are never restarted, since the 4.2 billion overflow can occur naturally within 2-3 months of uninterrupted runtime even without malicious intent.
Steps to reproduce:
Spawn 50-100 thousand entities in a chunk.
Load and unload the chunk repeatedly, using a redstone clock, a moving pearl or portals (this can be simulated by setting the next-ID counter to -1 or 0 in the game's memory).
Leave it for hours to days. With 100k entities the overflow is reached within 10 hours, while a more reasonable 5-10k items would take a few days.
Load or spawn new entities.
If any entities have not been unloaded even once since the process began, their IDs are likely to collide with a newly appearing entity, causing a server crash.
Screenshots of the responsible code snippets are attached. The setup for reproducing the error will be available soon.
Possible fixes:
Store all currently used IDs and hand out the next available one instead of incrementing blindly (slower, but a real fix, since having 4.2 billion entities loaded at the same time is not possible even in theory).
Change the counter to 64 bits.
If a collision is detected, advance the entity ID to the next available one instead of letting an unhandled exception crash the server.
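As an added illustration (this is not Mojang's code), the following Java contrasts the unchecked AtomicInteger allocation with an allocator that skips IDs still held by loaded entities, combining the first and third fixes above; the class name and the "live" set are assumptions.

```java
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

// Added example, not Minecraft's code. The 'live' set is a hypothetical registry
// of IDs currently held by loaded entities; an entity releases its ID on unload.
public final class EntityIdAllocator {
    private final AtomicInteger counter;
    private final Set<Integer> live = ConcurrentHashMap.newKeySet();

    public EntityIdAllocator(int start) {
        this.counter = new AtomicInteger(start);
    }

    // Unchecked allocation as in the report: silently wraps past Integer.MAX_VALUE.
    public int nextUnchecked() {
        return counter.incrementAndGet();
    }

    // Collision-safe allocation: keep incrementing until an ID nobody holds is found.
    // Set.add on a concurrent set is atomic, so two threads never receive the same ID.
    public int nextFree() {
        for (long probes = 0; probes < (1L << 32); probes++) {
            int candidate = counter.incrementAndGet();
            if (live.add(candidate)) {
                return candidate;
            }
        }
        throw new IllegalStateException("all 2^32 entity IDs are in use");
    }

    public void release(int id) {
        live.remove(id);
    }

    public static void main(String[] args) {
        // Start just below the wrap point so the overflow shows without 2^31 iterations.
        EntityIdAllocator unchecked = new EntityIdAllocator(Integer.MAX_VALUE - 1);
        System.out.println(unchecked.nextUnchecked()); // last positive ID
        System.out.println(unchecked.nextUnchecked()); // wraps negative, no exception thrown

        // Counter has wrapped to -2 while ID 0 is still held by an entity loaded since startup.
        EntityIdAllocator safe = new EntityIdAllocator(-2);
        safe.live.add(0);
        System.out.println(safe.nextFree()); // -1 is free and is handed out
        System.out.println(safe.nextFree()); // 0 is skipped; the next free ID is returned
        safe.release(0);
    }
}
```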
A setup to reproduce the issue will be made available to you in the near future.