NWN: Use-after-free when dismissing legal fade quad too quickly #507

Open
DrMcCoy opened this issue Mar 21, 2019 · 0 comments
DrMcCoy commented Mar 21, 2019

When dismissing the legal billboard fade quad thingie too early in NWN (by, for example, hammering the mouse button during NWN startup), there's a use-after-free:

=================================================================
==7597==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a001651310 at pc 0x55df93ffc5c1 bp 0x7f39552db610 sp 0x7f39552db600
READ of size 8 at 0x61a001651310 thread T2
    #0 0x55df93ffc5c0 in Graphics::Aurora::AnimationThread::registerModelInternal(Graphics::Aurora::Model*) /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:149
    #1 0x55df93ffd540 in Graphics::Aurora::AnimationThread::registerQueuedModels() /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:143
    #2 0x55df93ffe9fe in Graphics::Aurora::AnimationThread::threadMethod() /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:105
    #3 0x55df94731823 in Common::Thread::threadHelper(void*) /home/drmccoy/projects/xoreos/xoreos/src/common/thread.cpp:108
    #4 0x55df94734aaf in int std::__invoke_impl<int, int (*)(void*), void*>(std::__invoke_other, int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:60
    #5 0x55df94734aaf in std::__invoke_result<int (*)(void*), void*>::type std::__invoke<int (*)(void*), void*>(int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:95
    #6 0x55df94734aaf in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)())) std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:244
    #7 0x55df94734aaf in std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::operator()() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:253
    #8 0x55df94734aaf in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(void*), void*> > >::_M_run() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:196
    #9 0x7f396a0f7bdd in execute_native_thread_routine /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:80
    #10 0x7f396c774469 in start_thread /var/tmp/portage/sys-libs/glibc-2.28-r5/work/glibc-2.28/nptl/pthread_create.c:486
    #11 0x7f3969293f3e in clone (/lib64/libc.so.6+0x105f3e)

0x61a001651310 is located 144 bytes inside of 1352-byte region [0x61a001651280,0x61a0016517c8)
freed by thread T8 here:
    #0 0x7f396c87f210 in operator delete(void*) /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_new_delete.cc:135
    #1 0x55df92d58637 in Engines::NWN::FadeModel::~FadeModel() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/gui/legal.cpp:90
    #2 0x55df92d58637 in void Common::DeallocatorDefault::destroy<Engines::NWN::FadeModel>(Engines::NWN::FadeModel*) /home/drmccoy/projects/xoreos/xoreos/src/common/deallocator.h:44
    #3 0x55df92d58637 in Common::ScopedPtrBase<Engines::NWN::FadeModel, Common::DeallocatorDefault>::reset(Engines::NWN::FadeModel*) /home/drmccoy/projects/xoreos/xoreos/src/common/scopedptr.h:88
    #4 0x55df92d58637 in Engines::NWN::Legal::fadeIn() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/gui/legal.cpp:165
    #5 0x55df92b69fff in Engines::NWN::Game::mainMenu(bool, bool) /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:165
    #6 0x55df92b6ab19 in Engines::NWN::Game::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:82
    #7 0x55df92b3fe7b in Engines::NWN::NWNEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/nwn.cpp:131
    #8 0x55df9312ac56 in Engines::GameInstanceEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:225
    #9 0x55df9312cc10 in Engines::EngineManager::run(Engines::GameInstance&) const /home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:252
    #10 0x55df9312e5bb in Engines::GameThread::threadMethod() /home/drmccoy/projects/xoreos/xoreos/src/engines/gamethread.cpp:87
    #11 0x55df94731823 in Common::Thread::threadHelper(void*) /home/drmccoy/projects/xoreos/xoreos/src/common/thread.cpp:108
    #12 0x55df94734aaf in int std::__invoke_impl<int, int (*)(void*), void*>(std::__invoke_other, int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:60
    #13 0x55df94734aaf in std::__invoke_result<int (*)(void*), void*>::type std::__invoke<int (*)(void*), void*>(int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:95
    #14 0x55df94734aaf in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)())) std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:244
    #15 0x55df94734aaf in std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::operator()() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:253
    #16 0x55df94734aaf in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(void*), void*> > >::_M_run() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:196
    #17 0x7f396a0f7bdd in execute_native_thread_routine /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:80

previously allocated by thread T8 here:
    #0 0x7f396c87e3a0 in operator new(unsigned long) /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_new_delete.cc:90
    #1 0x55df92d56437 in Engines::NWN::Legal::Legal() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/gui/legal.cpp:137
    #2 0x55df92b69ff3 in Engines::NWN::Game::mainMenu(bool, bool) /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:163
    #3 0x55df92b6ab19 in Engines::NWN::Game::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/game.cpp:82
    #4 0x55df92b3fe7b in Engines::NWN::NWNEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/nwn/nwn.cpp:131
    #5 0x55df9312ac56 in Engines::GameInstanceEngine::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:225
    #6 0x55df9312cc10 in Engines::EngineManager::run(Engines::GameInstance&) const /home/drmccoy/projects/xoreos/xoreos/src/engines/enginemanager.cpp:252
    #7 0x55df9312e5bb in Engines::GameThread::threadMethod() /home/drmccoy/projects/xoreos/xoreos/src/engines/gamethread.cpp:87
    #8 0x55df94731823 in Common::Thread::threadHelper(void*) /home/drmccoy/projects/xoreos/xoreos/src/common/thread.cpp:108
    #9 0x55df94734aaf in int std::__invoke_impl<int, int (*)(void*), void*>(std::__invoke_other, int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:60
    #10 0x55df94734aaf in std::__invoke_result<int (*)(void*), void*>::type std::__invoke<int (*)(void*), void*>(int (*&&)(void*), void*&&) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/bits/invoke.h:95
    #11 0x55df94734aaf in decltype (__invoke((_S_declval<0ul>)(), (_S_declval<1ul>)())) std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::_M_invoke<0ul, 1ul>(std::_Index_tuple<0ul, 1ul>) /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:244
    #12 0x55df94734aaf in std::thread::_Invoker<std::tuple<int (*)(void*), void*> >::operator()() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:253
    #13 0x55df94734aaf in std::thread::_State_impl<std::thread::_Invoker<std::tuple<int (*)(void*), void*> > >::_M_run() /usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/include/g++-v8/thread:196
    #14 0x7f396a0f7bdd in execute_native_thread_routine /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:80

Thread T2 created by T0 here:
    #0 0x7f396c7e0a73 in __interceptor_pthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_interceptors.cc:202
    #1 0x7f396a0f7ec4 in __gthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:662
    #2 0x7f396a0f7ec4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:135
    #3 0x55df93acddae in Graphics::GraphicsManager::init() /home/drmccoy/projects/xoreos/xoreos/src/graphics/graphics.cpp:158
    #4 0x55df922eb2d9 in init /home/drmccoy/projects/xoreos/xoreos/src/xoreos.cpp:313
    #5 0x55df922eb2d9 in main /home/drmccoy/projects/xoreos/xoreos/src/xoreos.cpp:189
    #6 0x7f39691b0c06 in __libc_start_main ../csu/libc-start.c:308

Thread T8 created by T0 here:
    #0 0x7f396c7e0a73 in __interceptor_pthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libsanitizer/asan/asan_interceptors.cc:202
    #1 0x7f396a0f7ec4 in __gthread_create /var/tmp/portage/sys-devel/gcc-8.3.0/work/build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:662
    #2 0x7f396a0f7ec4 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /var/tmp/portage/sys-devel/gcc-8.3.0/work/gcc-8.3.0/libstdc++-v3/src/c++11/thread.cc:135
    #3 0x55df9313046b in Engines::GameThread::run() /home/drmccoy/projects/xoreos/xoreos/src/engines/gamethread.cpp:79
    #4 0x55df922eb6e8 in main /home/drmccoy/projects/xoreos/xoreos/src/xoreos.cpp:202
    #5 0x7f39691b0c06 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/drmccoy/projects/xoreos/xoreos/src/graphics/aurora/animationthread.cpp:149 in Graphics::Aurora::AnimationThread::registerModelInternal(Graphics::Aurora::Model*)
Shadow bytes around the buggy address:
  0x0c34802c2210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c34802c2220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c34802c2230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c34802c2240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34802c2250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c34802c2260: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802c2270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802c2280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802c2290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802c22a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34802c22b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7597==ABORTING
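The trace shows the game thread (T8) freeing the FadeModel in `Legal::fadeIn()` while the animation thread (T2) still holds a pointer to it in its registration queue. Below is an added, hypothetical C++ stand-in for that pattern and for the defensive fix (take the queue out of the model's reach under the same lock before its memory is freed); it is not xoreos's own `AnimationThread` or `FadeModel` code, and every name in it is assumed.

```cpp
#include <algorithm>
#include <cstddef>
#include <mutex>
#include <vector>

struct Model;

// Stand-in for a worker-side registry: the owner thread queues models, the
// animation thread later walks the queue and dereferences each pointer.
class AnimationRegistry {
public:
    void queue(Model *m) { std::lock_guard<std::mutex> g(mutex_); queued_.push_back(m); }

    // Owner-side removal from BOTH lists, under the registry lock, so the
    // worker can never pick up a pointer whose object is already gone.
    void unqueue(Model *m) {
        std::lock_guard<std::mutex> g(mutex_);
        queued_.erase(std::remove(queued_.begin(), queued_.end(), m), queued_.end());
        registered_.erase(std::remove(registered_.begin(), registered_.end(), m), registered_.end());
    }

    // Worker side: drain the queue while holding the same lock. Returns how
    // many models were moved to the registered list during this pass.
    std::size_t registerQueued() {
        std::lock_guard<std::mutex> g(mutex_);
        std::size_t n = queued_.size();
        registered_.insert(registered_.end(), queued_.begin(), queued_.end());
        queued_.clear();
        return n;
    }

    std::size_t registeredCount() { std::lock_guard<std::mutex> g(mutex_); return registered_.size(); }

private:
    std::mutex mutex_;
    std::vector<Model *> queued_, registered_;
};

struct Model {
    explicit Model(AnimationRegistry &r) : reg(r) { reg.queue(this); }
    ~Model() { reg.unqueue(this); }   // the step the trace shows missing: leave the queue before free
    AnimationRegistry &reg;
};

// The issue's ordering: the model is destroyed before the worker drained the queue.
std::size_t earlyDismissRegistered() {
    AnimationRegistry reg;
    { Model *m = new Model(reg); delete m; }
    return reg.registerQueued();              // 0: the worker never sees the dead pointer
}
```
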