2019-12-07 07:30 CET

View Issue Details Jump to Notes ] Related Changesets ]
IDProjectCategoryView StatusLast Update
0005763Spring engineGeneralpublic2017-09-16 12:36
Reporterabma 
Assigned ToKloot 
PrioritynormalSeveritycrashReproducibilityhave not tried
StatusresolvedResolutionfixed 
Product Version103.0 +git 
Target Version104.0Fixed in Version 
Summary0005763: buffer overflow in rts/ExternalAI/AICallback.cpp:1268
Description[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
[f=-000001] Warning: [Watchdog] Hang detection triggered for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless).
[f=-000001] Warning: (in threads: {main,load,audio}={1,0,0})
[f=-000001] [CrashHandler] Warning: Suspended-thread Stacktrace (main) for Spring 103.0.1-1410-g38fcf02 develop (Debug Signal-NaNs Headless):
[f=-000001] [CrashHandler] Warning: Unable to create suspended stacktrace
=================================================================
==7260==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060006bb5bc at pc 0x000000fb5045 bp 0x7ffc5ff1a310 sp 0x7ffc5ff1a300
WRITE of size 4 at 0x6060006bb5bc thread T0 (spring-main)
    #0 0xfb5044 in CAICallback::GetFeatures(int*, int, float3 const&, float) ../../rts/ExternalAI/AICallback.cpp:1268
    #1 0x1013cba in skirmishAiCallback_getFeaturesIn ../../rts/ExternalAI/SSkirmishAICallbackImpl.cpp:4388
    #2 0x7f74edc2cbbf in springLegacyAI::CAIAICallback::GetFeatures(int*, int, float3 const&, float) ../../AI/Wrappers/LegacyCpp/AIAICallback.cpp:1130
    0000003 0x7f74edb2a4ea in cBuilder::UpdateKnownFeatures(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:1362
    0000004 0x7f74edb225ea in cBuilder::UBuilderIdle(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:897
    0000005 0x7f74edb42739 in cUnitManager::UnitIdle(int, UnitInfo*) ../../AI/Skirmish/RAI/UnitManager.cpp:115
    #6 0x7f74edbaffd9 in cRAI::UnitIdle(int) ../../AI/Skirmish/RAI/RAI.cpp:534
    #7 0x7f74edc09f0e in springLegacyAI::CAIUnitIdleEvent::Run(springLegacyAI::IGlobalAI&, springLegacyAI::IGlobalAICallback*) (/tmp/spring/tests/usr/local/share/games/spring/AI/Skirmish/RAI/0.601/libSkirmishAI.so+0x15af0e)
    #8 0x7f74edc0676e in springLegacyAI::CAIAI::handleEvent(int, void const*) ../../AI/Wrappers/LegacyCpp/AIAI.cpp:150
    #9 0x7f74edbf6963 in handleEvent ../../AI/Skirmish/RAI/AIExport.cpp:100
    0000010 0x1043bce in CSkirmishAILibrary::HandleEvent(int, int, void const*) const ../../rts/ExternalAI/SkirmishAILibrary.cpp:94
    #11 0x104e5aa in CSkirmishAIWrapper::HandleEvent(int, void const*) const ../../rts/ExternalAI/SkirmishAIWrapper.cpp:467
    0000012 0x104c6bb in CSkirmishAIWrapper::UnitIdle(int) ../../rts/ExternalAI/SkirmishAIWrapper.cpp:315
    0000013 0xfe18cb in CEngineOutHandler::UnitIdle(CUnit const&) ../../rts/ExternalAI/EngineOutHandler.cpp:229
    0000014 0x12e3362 in CCommandAI::FinishCommand() ../../rts/Sim/Units/CommandAI/CommandAI.cpp:1605
    #15 0x1307561 in CMobileCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:1019
    #16 0x12c2372 in CBuilderCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:559
    #17 0x13064c7 in CMobileCAI::StopMoveAndFinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:955
    #18 0x12c2ce3 in CBuilderCAI::ExecuteBuildCmd(Command&) ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:620
    #19 0x12c1f64 in CBuilderCAI::SlowUpdate() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:530
    0000020 0x1364d61 in CUnit::SlowUpdate() ../../rts/Sim/Units/Unit.cpp:1096
    #21 0x13c7ce5 in CBuilder::SlowUpdate() ../../rts/Sim/Units/UnitTypes/Builder.cpp:552
    #22 0x13b2c0f in CUnitHandler::Update() ../../rts/Sim/Units/UnitHandler.cpp:314
    #23 0x6466f1 in CGame::SimFrame() ../../rts/Game/Game.cpp:1590
    0000024 0x8be457 in CGame::ClientReadNet() ../../rts/Net/NetCommands.cpp:510
    #25 0x63fc99 in CGame::Update() ../../rts/Game/Game.cpp:1060
    0000026 0xec4e03 in SpringApp::Update() ../../rts/System/SpringApp.cpp:853
    0000027 0xec512c in SpringApp::Run() ../../rts/System/SpringApp.cpp:887
    #28 0xe8a20e in Run(int, char**) ../../rts/System/Main.cpp:43
    0000029 0xe8a2cc in main ../../rts/System/Main.cpp:92
    #30 0x7f75132e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #31 0x5da898 in _start (/tmp/spring/tests/usr/local/bin/spring-headless+0x5da898)

0x6060006bb5bc is located 0 bytes to the right of 60-byte region [0x6060006bb580,0x6060006bb5bc)
allocated by thread T0 (spring-main) here:
    #0 0x7f75150b06b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7f74edb2a328 in cBuilder::UpdateKnownFeatures(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:1361
    #2 0x7f74edb225ea in cBuilder::UBuilderIdle(int const&, UnitInfo*) ../../AI/Skirmish/RAI/Builder.cpp:897
    0000003 0x7f74edb42739 in cUnitManager::UnitIdle(int, UnitInfo*) ../../AI/Skirmish/RAI/UnitManager.cpp:115
    0000004 0x7f74edbaffd9 in cRAI::UnitIdle(int) ../../AI/Skirmish/RAI/RAI.cpp:534
    0000005 0x7f74edc09f0e in springLegacyAI::CAIUnitIdleEvent::Run(springLegacyAI::IGlobalAI&, springLegacyAI::IGlobalAICallback*) (/tmp/spring/tests/usr/local/share/games/spring/AI/Skirmish/RAI/0.601/libSkirmishAI.so+0x15af0e)
    #6 0x7f74edc0676e in springLegacyAI::CAIAI::handleEvent(int, void const*) ../../AI/Wrappers/LegacyCpp/AIAI.cpp:150
    #7 0x7f74edbf6963 in handleEvent ../../AI/Skirmish/RAI/AIExport.cpp:100
    #8 0x1043bce in CSkirmishAILibrary::HandleEvent(int, int, void const*) const ../../rts/ExternalAI/SkirmishAILibrary.cpp:94
    #9 0x104e5aa in CSkirmishAIWrapper::HandleEvent(int, void const*) const ../../rts/ExternalAI/SkirmishAIWrapper.cpp:467
    0000010 0x104c6bb in CSkirmishAIWrapper::UnitIdle(int) ../../rts/ExternalAI/SkirmishAIWrapper.cpp:315
    #11 0xfe18cb in CEngineOutHandler::UnitIdle(CUnit const&) ../../rts/ExternalAI/EngineOutHandler.cpp:229
    0000012 0x12e3362 in CCommandAI::FinishCommand() ../../rts/Sim/Units/CommandAI/CommandAI.cpp:1605
    0000013 0x1307561 in CMobileCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:1019
    0000014 0x12c2372 in CBuilderCAI::FinishCommand() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:559
    #15 0x13064c7 in CMobileCAI::StopMoveAndFinishCommand() ../../rts/Sim/Units/CommandAI/MobileCAI.cpp:955
    #16 0x12c2ce3 in CBuilderCAI::ExecuteBuildCmd(Command&) ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:620
    #17 0x12c1f64 in CBuilderCAI::SlowUpdate() ../../rts/Sim/Units/CommandAI/BuilderCAI.cpp:530
    #18 0x1364d61 in CUnit::SlowUpdate() ../../rts/Sim/Units/Unit.cpp:1096
    #19 0x13c7ce5 in CBuilder::SlowUpdate() ../../rts/Sim/Units/UnitTypes/Builder.cpp:552
    0000020 0x13b2c0f in CUnitHandler::Update() ../../rts/Sim/Units/UnitHandler.cpp:314
    #21 0x6466f1 in CGame::SimFrame() ../../rts/Game/Game.cpp:1590
    #22 0x8be457 in CGame::ClientReadNet() ../../rts/Net/NetCommands.cpp:510
    #23 0x63fc99 in CGame::Update() ../../rts/Game/Game.cpp:1060
    0000024 0xec4e03 in SpringApp::Update() ../../rts/System/SpringApp.cpp:853
    #25 0xec512c in SpringApp::Run() ../../rts/System/SpringApp.cpp:887
    0000026 0xe8a20e in Run(int, char**) ../../rts/System/Main.cpp:43
    0000027 0xe8a2cc in main ../../rts/System/Main.cpp:92
    #28 0x7f75132e282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../rts/ExternalAI/AICallback.cpp:1268 CAICallback::GetFeatures(int*, int, float3 const&, float)
Shadow bytes around the buggy address:
  0x0c0c800cf660: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800cf670: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c800cf680: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c800cf690: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c800cf6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c800cf6b0: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x0c0c800cf6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800cf6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800cf6e0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c0c800cf6f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 04
  0x0c0c800cf700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==7260==ABORTING
Additional Informationhttp://buildbot.springrts.com/builders/validationtests/builds/5519/steps/validation%20test_4/logs/stdio
TagsNo tags attached.
Checked infolog.txt for Errors
Attached Files

-Relationships
+Relationships

-Notes

~0018398

Kloot (developer)

Fix 9837521394f44a40edccdd5c6b727d66c2ef537e committed to develop branch: fix 0005763 after 13517d8e7b7654a0178c8904896251b64bb03d9d#diff-5f8d61f00d2ba54bf017a831c6336272L1259
also fix unchecked maxFeatureIDs argument in CAICallback::GetFeatures/2, repo: spring changeset id: 8771
+Notes

+Related Changesets

-Issue History
Date Modified Username Field Change
2017-09-16 11:57 abma New Issue
2017-09-16 12:36 Kloot Changeset attached => spring develop 98375213
2017-09-16 12:36 Kloot Note Added: 0018398
2017-09-16 12:36 Kloot Assigned To => Kloot
2017-09-16 12:36 Kloot Status new => resolved
2017-09-16 12:36 Kloot Resolution open => fixed
+Issue History