#372 PlayerItemList::serialize ASan crash

Closed
opened 2 years ago by image · 0 comments
image commented 2 years ago
=================================================================
==31942==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a019ac0ec8 at pc 0x55555661f75f bp 0x7fffe6a87680 sp 0x7fffe6a87678
READ of size 4 at 0x61a019ac0ec8 thread T47
00:03:40 I Command   : command: destroy 32 0
    #0 0x55555661f75e in PlayerItemList::serialize(Player*, unsigned short) ../WorldServer/Items/Items.cpp:3346
    #1 0x555555ca2a03 in Player::SendInventoryUpdate(unsigned short) ../WorldServer/Player.cpp:2215
    #2 0x555555ca2ab2 in Player::UpdateInventory(unsigned int) ../WorldServer/Player.cpp:2220
    #3 0x55555636aacc in Commands::Command_Inventory(Client*, Seperator*, EQ2_RemoteCommandString*) ../WorldServer/Commands/Commands.cpp:6440
    #4 0x5555563eb66e in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:5185
    #5 0x555555fa9bf0 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1814
    #6 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #7 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #8 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #9 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #10 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #11 0x7ffff68274ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)

0x61a019ac0ec8 is located 1096 bytes inside of 1184-byte region [0x61a019ac0a80,0x61a019ac0f20)
freed by thread T47 here:
    #0 0x7ffff72e0128 in operator delete(void*, unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xec128)
    #1 0x55555662bebd in PlayerItemList::DestroyItem(unsigned short) ../WorldServer/Items/Items.cpp:3175
    #2 0x55555636aaa6 in Commands::Command_Inventory(Client*, Seperator*, EQ2_RemoteCommandString*) ../WorldServer/Commands/Commands.cpp:6439
    #3 0x5555563eb66e in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:5185
    #4 0x555555fa9bf0 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1814
    #5 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #6 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #7 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #8 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #9 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

previously allocated by thread T47 here:
    #0 0x7ffff72ded30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
    #1 0x5555565f4201 in WorldDatabase::LoadCharacterItemList(unsigned int, unsigned int, Player*, unsigned short) ../WorldServer/Items/ItemsDB.cpp:1263
    #2 0x555555f7a9bc in Client::SendLoginInfo() ../WorldServer/client.cpp:369
    #3 0x555555fbf6b8 in Client::Process(bool) ../WorldServer/client.cpp:2970
    #4 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #5 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #6 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #7 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T47 created by T23 here:
    #0 0x7ffff7244db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x555555de0785 in ZoneList::Get(char const*, bool) ../WorldServer/World.cpp:568
    #3 0x555555f8dde6 in Client::Zone(char const*, bool) ../WorldServer/client.cpp:4101
    #4 0x555555b8b5ba in Sign::HandleUse(Client*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ../WorldServer/Sign.cpp:278
    #5 0x555555fa7dc1 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1689
    #6 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #7 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #8 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #9 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #10 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T23 created by T0 here:
    #0 0x7ffff7244db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x555555de0eb0 in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595
    #3 0x555555f0c850 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3346
    #4 0x5555561e66c1 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784
    #5 0x555555f9a5b4 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9787
    #6 0x555555f9f2a4 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1059
    #7 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #8 0x555555fc244c in ClientList::Process() ../WorldServer/client.cpp:3278
    #9 0x555555c691a6 in main ../WorldServer/net.cpp:458
    #10 0x7ffff675209a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/Items/Items.cpp:3346 in PlayerItemList::serialize(Player*, unsigned short)
Shadow bytes around the buggy address:
  0x0c3483350180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3483350190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34833501a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34833501b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34833501c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c34833501d0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c34833501e0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34833501f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3483350200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3483350210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3483350220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31942==ABORTING
```
=================================================================
==31942==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a019ac0ec8 at pc 0x55555661f75f bp 0x7fffe6a87680 sp 0x7fffe6a87678
READ of size 4 at 0x61a019ac0ec8 thread T47
00:03:40 I Command   : command: destroy 32 0
    #0 0x55555661f75e in PlayerItemList::serialize(Player*, unsigned short) ../WorldServer/Items/Items.cpp:3346
    #1 0x555555ca2a03 in Player::SendInventoryUpdate(unsigned short) ../WorldServer/Player.cpp:2215
    #2 0x555555ca2ab2 in Player::UpdateInventory(unsigned int) ../WorldServer/Player.cpp:2220
    #3 0x55555636aacc in Commands::Command_Inventory(Client*, Seperator*, EQ2_RemoteCommandString*) ../WorldServer/Commands/Commands.cpp:6440
    #4 0x5555563eb66e in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:5185
    #5 0x555555fa9bf0 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1814
    #6 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #7 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #8 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #9 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #10 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #11 0x7ffff68274ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)

0x61a019ac0ec8 is located 1096 bytes inside of 1184-byte region [0x61a019ac0a80,0x61a019ac0f20)
freed by thread T47 here:
    #0 0x7ffff72e0128 in operator delete(void*, unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xec128)
    #1 0x55555662bebd in PlayerItemList::DestroyItem(unsigned short) ../WorldServer/Items/Items.cpp:3175
    #2 0x55555636aaa6 in Commands::Command_Inventory(Client*, Seperator*, EQ2_RemoteCommandString*) ../WorldServer/Commands/Commands.cpp:6439
    #3 0x5555563eb66e in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:5185
    #4 0x555555fa9bf0 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1814
    #5 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #6 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #7 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #8 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #9 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

previously allocated by thread T47 here:
    #0 0x7ffff72ded30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
    #1 0x5555565f4201 in WorldDatabase::LoadCharacterItemList(unsigned int, unsigned int, Player*, unsigned short) ../WorldServer/Items/ItemsDB.cpp:1263
    #2 0x555555f7a9bc in Client::SendLoginInfo() ../WorldServer/client.cpp:369
    #3 0x555555fbf6b8 in Client::Process(bool) ../WorldServer/client.cpp:2970
    #4 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #5 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #6 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #7 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T47 created by T23 here:
    #0 0x7ffff7244db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x555555de0785 in ZoneList::Get(char const*, bool) ../WorldServer/World.cpp:568
    #3 0x555555f8dde6 in Client::Zone(char const*, bool) ../WorldServer/client.cpp:4101
    #4 0x555555b8b5ba in Sign::HandleUse(Client*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ../WorldServer/Sign.cpp:278
    #5 0x555555fa7dc1 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1689
    #6 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #7 0x555555a05ea0 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3183
    #8 0x555555a12723 in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1387
    #9 0x555555a1e9c3 in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6867
    #10 0x7ffff6fbcfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T23 created by T0 here:
    #0 0x7ffff7244db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559df01b in ZoneServer::Init() ../WorldServer/zoneserver.cpp:308
    #2 0x555555de0eb0 in ZoneList::Get(unsigned int, bool) ../WorldServer/World.cpp:595
    #3 0x555555f0c850 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3346
    #4 0x5555561e66c1 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1784
    #5 0x555555f9a5b4 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9787
    #6 0x555555f9f2a4 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1059
    #7 0x555555fbf848 in Client::Process(bool) ../WorldServer/client.cpp:2994
    #8 0x555555fc244c in ClientList::Process() ../WorldServer/client.cpp:3278
    #9 0x555555c691a6 in main ../WorldServer/net.cpp:458
    #10 0x7ffff675209a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free ../WorldServer/Items/Items.cpp:3346 in PlayerItemList::serialize(Player*, unsigned short)
Shadow bytes around the buggy address:
  0x0c3483350180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3483350190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34833501a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34833501b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34833501c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c34833501d0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c34833501e0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34833501f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3483350200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3483350210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3483350220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==31942==ABORTING
```