heap-use-after-free in ReplaceChain #9256

Closed
Milek7 opened this issue May 12, 2021 · 0 comments

Milek7 commented May 12, 2021

Version of OpenTTD

5dbc6dcf8, Linux, AddressSanitizer

Actual result

=================================================================
==26627==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000625ebc at pc 0x564324118f3e bp 0x7fd73266c7d0 sp 0x7fd73266c7c0
READ of size 4 at 0x616000625ebc thread T34 (ottd:game)
    #0 0x564324118f3d in ReplaceChain(Vehicle**, DoCommandFlag, bool, bool*) (/home/milek7/ottd3/build/openttd+0xc46f3d)
    #1 0x56432411c07c in CmdAutoreplaceVehicle(unsigned int, DoCommandFlag, unsigned int, unsigned int, char const*) (/home/milek7/ottd3/build/openttd+0xc4a07c)
    #2 0x5643241792de in DoCommand(unsigned int, unsigned int, unsigned int, DoCommandFlag, unsigned int, char const*) (/home/milek7/ottd3/build/openttd+0xca72de)
    #3 0x5643248da087 in CallVehicleTicks() (/home/milek7/ottd3/build/openttd+0x1408087)
    #4 0x56432454ec86 in StateGameLoop() (/home/milek7/ottd3/build/openttd+0x107cc86)
    #5 0x564323eb960e in ClientNetworkGameSocketHandler::GameLoop() (/home/milek7/ottd3/build/openttd+0x9e760e)
    #6 0x564323ea347c in NetworkGameLoop() (/home/milek7/ottd3/build/openttd+0x9d147c)
    #7 0x564324557474 in GameLoop() (/home/milek7/ottd3/build/openttd+0x1085474)
    #8 0x5643240dcad2 in VideoDriver::GameLoop() (/home/milek7/ottd3/build/openttd+0xc0aad2)
    #9 0x5643240dd307 in VideoDriver::GameThread() (/home/milek7/ottd3/build/openttd+0xc0b307)
    #10 0x5643240dfd77 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<StartNewThread<void (*)(VideoDriver*), VideoDriver*>(std::thread*, char const*, void (*&&)(VideoDriver*), VideoDriver*&&)::{lambda(char const*, void (*&&)(VideoDriver*), VideoDriver*&&)#1}, char const*, void (*)(VideoDriver*), VideoDriver*> > >::_M_run() (/home/milek7/ottd3/build/openttd+0xc0dd77)
    #11 0x7fd79222d5f3 in execute_native_thread_routine /home/milek7/gcc-git/src/gcc/libstdc++-v3/src/c++11/thread.cc:82
    #12 0x7fd792393298 in start_thread (/usr/lib/libpthread.so.0+0x9298)
    #13 0x7fd791f18052 in __GI___clone (/usr/lib/libc.so.6+0xff052)

0x616000625ebc is located 60 bytes inside of 568-byte region [0x616000625e80,0x6160006260b8)
freed by thread T34 (ottd:game) here:
    #0 0x7fd794a1ccb9 in __interceptor_free /home/milek7/gcc-git/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x564324021eff in Pool<Vehicle, unsigned int, 512ul, 1044480ul, (PoolType)1, false, true>::PoolItem<&_vehicle_pool>::operator delete(void*) (/home/milek7/ottd3/build/openttd+0xb4feff)

previously allocated by thread T34 (ottd:game) here:
    #0 0x7fd794a1d229 in __interceptor_calloc /home/milek7/gcc-git/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:154
    #1 0x5643248c5e22 in Pool<Vehicle, unsigned int, 512ul, 1044480ul, (PoolType)1, false, true>::GetNew(unsigned long) (/home/milek7/ottd3/build/openttd+0x13f3e22)

Thread T34 (ottd:game) created by T0 here:
    #0 0x7fd794983907 in __interceptor_pthread_create /home/milek7/gcc-git/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x7fd79222d8ea in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) /home/milek7/gcc-git/src/gcc-build/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu/bits/gthr-default.h:663
    #2 0x564324b2b367  (/home/milek7/ottd3/build/openttd+0x1659367)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/milek7/ottd3/build/openttd+0xc46f3d) in ReplaceChain(Vehicle**, DoCommandFlag, bool, bool*)
Shadow bytes around the buggy address:
==26627==ABORTING

Steps to reproduce

Happened twice during TURN test game. Sadly this wasn't a debug build.
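As an added illustration (not OpenTTD's code; Vehicle, SimplePool, Handle and replace_head are hypothetical names), the shape of bug the ASan report above points at: a chain head is freed through the pool during replacement while a caller still holds the old pointer, and the defensive pattern of resolving pooled objects through a generation-checked handle so the stale access becomes a null check instead of a read from freed memory.

```cpp
// Added illustration, not OpenTTD code; Vehicle, SimplePool, Handle and
// replace_head are hypothetical. A raw Vehicle* kept across a head replacement
// that frees the old head is the reported bug shape; a checked handle is not.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct Vehicle {
    uint32_t engine_type;  // the field autoreplace changes
    Vehicle *next;         // rest of the consist
};
// Slot index plus generation: freeing a slot bumps its generation,
// so handles taken before the free no longer resolve.
class SimplePool {
public:
    struct Handle { size_t index; uint32_t gen; };
    Handle alloc(uint32_t engine) {
        items.emplace_back(new Vehicle{engine, nullptr});
        gens.push_back(0);
        return {items.size() - 1, 0};
    }
    void release(Handle h) { items[h.index].reset(); ++gens[h.index]; }
    Vehicle *get(Handle h) const {
        return (h.index < items.size() && gens[h.index] == h.gen) ? items[h.index].get() : nullptr;
    }
private:
    std::vector<std::unique_ptr<Vehicle>> items;
    std::vector<uint32_t> gens;
};

// Replace the chain head: the new engine takes over the tail, the old head is
// freed, and the caller gets the new handle (the role of the Vehicle** out-param).
SimplePool::Handle replace_head(SimplePool &pool, SimplePool::Handle old_head,
                                uint32_t new_engine) {
    SimplePool::Handle nh = pool.alloc(new_engine);
    pool.get(nh)->next = pool.get(old_head)->next;
    pool.release(old_head);
    return nh;
}

// Returns the engine read through the new handle, or 0 if the old handle
// still resolves (that would be the use-after-free path).
uint32_t engine_after_replace() {
    SimplePool pool;
    SimplePool::Handle head = pool.alloc(1);
    SimplePool::Handle new_head = replace_head(pool, head, 2);
    if (pool.get(head) != nullptr) return 0;
    Vehicle *v = pool.get(new_head);
    return v ? v->engine_type : 0;
}
```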

frosch123 added a commit to frosch123/OpenTTD that referenced this issue May 12, 2021
Collateral change: ScriptEventVehicleAutoReplaced is now only called when the head engine changes, so only when the VehicleID of the consist changes.