[SW] Cannot start a new game twice

Post by **Talon1024** » Tue May 11, 2021 1:37 am

If I try to start a new Shadow Warrior game twice, the game crashes. It looks like something is messing with the pointers to the replacement map loading/setup functions. When I try to do so with an AddressSanitizer-enabled build, I get this:

Code: Select all

==4952==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55dd7d1ac658 at pc 0x55dd7ad7b957 bp 0x7ffd411badf0 sp 0x7ffd411bade0
READ of size 8 at 0x55dd7d1ac658 thread T0
    #0 0x55dd7ad7b956 in TPointer<ShadowWarrior::USER>::Data() const ../source/common/utility/tarray.h:1455
    #1 0x55dd7ab2cdca in processWeapon ../source/games/sw/src/input.cpp:83
    #2 0x55dd7ab2d5f2 in ShadowWarrior::GameInterface::GetInput(InputPacket*, ControlInfo*) ../source/games/sw/src/input.cpp:176
    #3 0x55dd79e5017b in G_BuildTiccmd(ticcmd_t*) ../source/core/mainloop.cpp:125
    #4 0x55dd79e4395e in NetUpdate() ../source/core/d_net.cpp:996
    #5 0x55dd79e52f35 in TryRunTics() ../source/core/mainloop.cpp:510
    #6 0x55dd79e53834 in MainLoop() ../source/core/mainloop.cpp:685
    #7 0x55dd79e61a26 in RunGame() ../source/core/gamecontrol.cpp:1053
    #8 0x55dd79e5daad in GameMain() ../source/core/gamecontrol.cpp:556
    #9 0x55dd799e4b5d in main ../source/common/platform/posix/sdl/i_main.cpp:194
    #10 0x7f37ce5180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x55dd799d67ed in _start (/home/kevinc/Games/code/Raze/build_asan/raze+0x7807ed)

0x55dd7d1ac658 is located 24 bytes to the right of global variable 'SectUser' defined in '../source/games/sw/src/sector.cpp:85:21' (0x55dd7d1a4640) of size 32768
0x55dd7d1ac658 is located 8 bytes to the left of global variable 'User' defined in '../source/games/sw/src/sector.cpp:86:16' (0x55dd7d1ac660) of size 131072
SUMMARY: AddressSanitizer: global-buffer-overflow ../source/common/utility/tarray.h:1455 in TPointer<ShadowWarrior::USER>::Data() const
Shadow bytes around the buggy address:
  0x0abc2fa2d870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0abc2fa2d8c0: 00 00 00 00 00 00 00 00 f9 f9 f9[f9]00 00 00 00
  0x0abc2fa2d8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abc2fa2d910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4952==ABORTING

Post by **Graf Zahl** » Tue May 11, 2021 1:59 am

I can't get it to crash, but after adding a range check the OOB write access to User could be reproduced and elimintated.
Please recheck with the latest master if this helps.

Post by **Talon1024** » Tue May 11, 2021 2:04 am

Unfortunately, the crash still happens for me:

Code: Select all

==6224==ERROR: AddressSanitizer: global-buffer-overflow on address 0x562b9714a168 at pc 0x562b95612e61 bp 0x7ffea448cac0 sp 0x7ffea448cab0
READ of size 2 at 0x562b9714a168 thread T0
    #0 0x562b95612e60 in spritetype::backupang() ../source/build/include/buildtypes.h:310
    #1 0x562b95b6bc12 in ShadowWarrior::UpdatePlayerSpriteAngle(ShadowWarrior::PLAYERstruct*) ../source/games/sw/src/player.cpp:1506
    #2 0x562b95b6bed7 in ShadowWarrior::DoPlayerTurn(ShadowWarrior::PLAYERstruct*, float, double) ../source/games/sw/src/player.cpp:1520
    #3 0x562b95aec7ae in ShadowWarrior::GameInterface::GetInput(InputPacket*, ControlInfo*) ../source/games/sw/src/input.cpp:188
    #4 0x562b94e0f17b in G_BuildTiccmd(ticcmd_t*) ../source/core/mainloop.cpp:125
    #5 0x562b94e0295e in NetUpdate() ../source/core/d_net.cpp:996
    #6 0x562b94e11f35 in TryRunTics() ../source/core/mainloop.cpp:510
    #7 0x562b94e12834 in MainLoop() ../source/core/mainloop.cpp:685
    #8 0x562b94e20a26 in RunGame() ../source/core/gamecontrol.cpp:1053
    #9 0x562b94e1caad in GameMain() ../source/core/gamecontrol.cpp:556
    #10 0x562b949a3b5d in main ../source/common/platform/posix/sdl/i_main.cpp:194
    #11 0x7f99cd2ff0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x562b949957ed in _start (/home/kevinc/Games/code/Raze/build_asan/raze+0x7807ed)

0x562b9714a168 is located 8 bytes to the right of global variable 'wall_s' defined in '../source/build/src/engine.cpp:635:17' (0x562b9708a160) of size 786432
0x562b9714a168 is located 24 bytes to the left of global variable 'sprite_s' defined in '../source/build/src/engine.cpp:636:12' (0x562b9714a180) of size 1114112
SUMMARY: AddressSanitizer: global-buffer-overflow ../source/build/include/buildtypes.h:310 in spritetype::backupang()
Shadow bytes around the buggy address:
  0x0ac5f2e213d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e213e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e213f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e21400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e21410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac5f2e21420: 00 00 00 00 00 00 00 00 00 00 00 00 f9[f9]f9 f9
  0x0ac5f2e21430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e21440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e21450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e21460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac5f2e21470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==6224==ABORTING

Post by **Graf Zahl** » Tue May 11, 2021 2:27 am

Please try again. Looking closer, it seems that the backend can call the game's input routine once during the time span when the game's level data is completely taken down. This, of course, must be blocked.

Post by **Talon1024** » Tue May 11, 2021 2:28 am

Fixed! Thanks, Graf.

ZDoom