
[physac] Heap use after free in physic_demo #485

Closed
Martinfx opened this issue Feb 24, 2018 · 6 comments

Comments

@Martinfx
Contributor

Martinfx commented Feb 24, 2018

Hello, I have tried compiling raylib with the AddressSanitizer tool.
If you run physics_demo and add a new object, then:

mkdir build
cmake -DENABLE_ASAN=ON -DENABLE_UBSAN=ON ..
make
cd examples && ./physic_demo
./physics_demo 
INFO: Initializing raylib (v1.9.4-dev)
INFO: Trying to enable MSAA x4
INFO: Display device initialized successfully
INFO: Display size: 1920 x 1080
INFO: Render size: 800 x 450
INFO: Screen size: 800 x 450
INFO: Viewport offsets: 0, 0
INFO: GLAD: OpenGL extensions loaded successfully
INFO: OpenGL 3.3 Core profile supported
INFO: GPU: Vendor:   Intel Open Source Technology Center
INFO: GPU: Renderer: Mesa DRI Intel(R) Sandybridge Mobile 
INFO: GPU: Version:  3.3 (Core Profile) Mesa 17.2.8
INFO: GPU: GLSL:     3.30
INFO: Number of supported extensions: 148
INFO: [EXTENSION] DXT compressed textures supported
INFO: [EXTENSION] ETC2/EAC compressed textures supported
INFO: [EXTENSION] Anisotropic textures filtering supported (max: 16X)
INFO: [TEX ID 1] Texture created successfully (1x1 - 1 mipmaps)
INFO: [TEX ID 1] Base white texture loaded successfully
INFO: [SHDR ID 1] Shader compiled successfully
INFO: [SHDR ID 2] Shader compiled successfully
INFO: [SHDR ID 3] Shader program loaded successfully
INFO: [SHDR ID 3] Default shader loaded successfully
INFO: [CPU] Default buffers initialized successfully (lines, triangles, quads)
INFO: [VAO ID 1] Default buffers VAO initialized successfully (lines)
INFO: [VAO ID 2] Default buffers VAO initialized successfully (triangles)
INFO: [VAO ID 3] Default buffers VAO initialized successfully (quads)
INFO: OpenGL default states initialized successfully
INFO: [TEX ID 2] Texture created successfully (128x128 - 1 mipmaps)
INFO: [TEX ID 2] Default font loaded successfully
INFO: Target time per frame: 16.667 milliseconds
=================================================================
==9085==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500002c6b8 at pc 0x000000421cb8 bp 0x7f23c1e9bb60 sp 0x7f23c1e9bb50
READ of size 4 at 0x61500002c6b8 thread T1
    #0 0x421cb7 in IntegratePhysicsImpulses /home/asan/Documents/raylib/examples/../build/release/physac.h:1612
    #1 0x41d1d8 in PhysicsStep /home/asan/Documents/raylib/examples/../build/release/physac.h:1162
    #2 0x41c66f in PhysicsLoop /home/asan/Documents/raylib/examples/../build/release/physac.h:1061
    #3 0x7f23c98c26b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #4 0x7f23c92be41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x61500002c6b8 is located 56 bytes inside of 512-byte region [0x61500002c680,0x61500002c880)
freed by thread T0 here:
    #0 0x7f23ca07d2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x41b7b2 in DestroyPhysicsBody /home/asan/Documents/raylib/examples/../build/release/physac.h:899
    #2 0x4277a9 in main /home/asan/Documents/raylib/examples/physac/physics_demo.c:75
    #3 0x7f23c91d782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f23ca07d602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4189ba in CreatePhysicsBodyPolygon /home/asan/Documents/raylib/examples/../build/release/physac.h:503
    #2 0x41799a in CreatePhysicsBodyCircle /home/asan/Documents/raylib/examples/../build/release/physac.h:388
    #3 0x4276fe in main /home/asan/Documents/raylib/examples/physac/physics_demo.c:68
    #4 0x7f23c91d782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T1 created by T0 here:
    #0 0x7f23ca01b253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x417922 in InitPhysics /home/asan/Documents/raylib/examples/../build/release/physac.h:364
    #2 0x427321 in main /home/asan/Documents/raylib/examples/physac/physics_demo.c:37
    #3 0x7f23c91d782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/asan/Documents/raylib/examples/../build/release/physac.h:1612 IntegratePhysicsImpulses
==9085==ABORTING

a3f added a commit to a3f/raylib that referenced this issue Feb 24, 2018
a3f added a commit that referenced this issue Feb 24, 2018
To make bugs like #485, #486, #487 and #488 easier to find in future.
@raysan5
Owner

raysan5 commented Feb 26, 2018

Maybe @victorfisac, creator of Physac library, could take a look to this issue.

@raysan5 raysan5 changed the title Heap use after free in physic_demo [physac] Heap use after free in physic_demo Feb 26, 2018
@victorfisac
Contributor

@raysan5 @a3f I will take a look ASAP. Thanks for the report! :)

@victorfisac
Contributor

Maybe fixed in #500

@a3f
Contributor

a3f commented Mar 10, 2018

Heap-use-after-free still happens despite #500:

./physics_demo
INFO: Initializing raylib (v1.9.4-dev)
INFO: Trying to enable MSAA x4
INFO: Display device initialized successfully
INFO: Display size: 1680 x 1050
INFO: Render size: 800 x 450
INFO: Screen size: 800 x 450
INFO: Viewport offsets: 0, 0
INFO: GPU: Vendor:   Intel Inc.
INFO: GPU: Renderer: Intel Iris OpenGL Engine
INFO: GPU: Version:  4.1 INTEL-10.30.14
INFO: GPU: GLSL:     4.10
INFO: Number of supported extensions: 45
INFO: [EXTENSION] DXT compressed textures supported
INFO: [EXTENSION] Anisotropic textures filtering supported (max: 16X)
INFO: [EXTENSION] Debug Marker supported
INFO: [TEX ID 1] Texture created successfully (1x1 - 1 mipmaps)
INFO: [TEX ID 1] Base white texture loaded successfully
INFO: [SHDR ID 1] Shader compiled successfully
INFO: [SHDR ID 2] Shader compiled successfully
INFO: [SHDR ID 3] Shader program loaded successfully
INFO: [SHDR ID 3] Default shader loaded successfully
INFO: [CPU] Default buffers initialized successfully (lines, triangles, quads)
INFO: [VAO ID 1] Default buffers VAO initialized successfully (lines)
INFO: [VAO ID 2] Default buffers VAO initialized successfully (triangles)
INFO: [VAO ID 3] Default buffers VAO initialized successfully (quads)
INFO: OpenGL default states initialized successfully
INFO: [TEX ID 2] Texture created successfully (128x128 - 1 mipmaps)
INFO: [TEX ID 2] Default font loaded successfully
INFO: Target time per frame: 16.667 milliseconds
=================================================================
==25371==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500005e6c4 at pc 0x00010db11d97 bp 0x70000f259250 sp 0x70000f259248
READ of size 4 at 0x61500005e6c4 thread T8
    #0 0x10db11d96 in InitializePhysicsManifolds (physics_demo:x86_64+0x100028d96)
    #1 0x10db0d6e5 in PhysicsStep (physics_demo:x86_64+0x1000246e5)
    #2 0x10daed61c in PhysicsLoop (physics_demo:x86_64+0x10000461c)
    #3 0x7fff732636c0 in _pthread_body (libsystem_pthread.dylib:x86_64+0x36c0)
    #4 0x7fff7326356c in _pthread_start (libsystem_pthread.dylib:x86_64+0x356c)
    #5 0x7fff73262c5c in thread_start (libsystem_pthread.dylib:x86_64+0x2c5c)

0x61500005e6c4 is located 68 bytes inside of 512-byte region [0x61500005e680,0x61500005e880)
freed by thread T0 here:
    #0 0x10dfd0066 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59066)
    #1 0x10db040cb in DestroyPhysicsBody (physics_demo:x86_64+0x10001b0cb)
    #2 0x10db09615 in main (physics_demo:x86_64+0x100020615)
    #3 0x7fff72fd8114 in start (libdyld.dylib:x86_64+0x1114)

previously allocated by thread T0 here:
    #0 0x10dfcfe9c in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x58e9c)
    #1 0x10daedfd9 in CreatePhysicsBodyPolygon (physics_demo:x86_64+0x100004fd9)
    #2 0x10db091c0 in main (physics_demo:x86_64+0x1000201c0)
    #3 0x7fff72fd8114 in start (libdyld.dylib:x86_64+0x1114)

Thread T8 created by T0 here:
    #0 0x10dfc7676 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x50676)
    #1 0x10daed561 in InitPhysics (physics_demo:x86_64+0x100004561)
    #2 0x10db081a8 in main (physics_demo:x86_64+0x10001f1a8)
    #3 0x7fff72fd8114 in start (libdyld.dylib:x86_64+0x1114)

SUMMARY: AddressSanitizer: heap-use-after-free (physics_demo:x86_64+0x100028d96) in InitializePhysicsManifolds
==25371==ABORTING
Abort trap: 6

@Martinfx
Contributor Author

Martinfx commented Mar 13, 2018

@victorfisac Yes, there are still physics bugs with heap-use-after-free:

=================================================================
==10586==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000136c4 at pc 0x00000054a9c1 bp 0x7fed52683190 sp 0x7fed52683188
READ of size 4 at 0x6150000136c4 thread T1
    #0 0x54a9c0 in InitializePhysicsManifolds asan/raylib/examples/../build/release/physac.h:1582:61
    #1 0x545c92 in PhysicsStep asan/raylib/examples/../build/release/physac.h:1153:31
    #2 0x5267da in PhysicsLoop asan/raylib/examples/../build/release/physac.h:1061:13
    #3 0x7fed5b1fb6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #4 0x7fed5929441c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6150000136c4 is located 68 bytes inside of 512-byte region [0x615000013680,0x615000013880)
freed by thread T0 here:
    #0 0x4eff10 in __interceptor_cfree.localalias.0 (asan/raylib/build/examples/physics_demo+0x4eff10)
    #1 0x53c972 in DestroyPhysicsBody asan/raylib/examples/../build/release/physac.h:899:9
    #2 0x541e68 in main asan/raylib/examples/physac/physics_demo.c:75:70
    #3 0x7fed591ad82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4f00d8 in __interceptor_malloc (asan/raylib/build/examples/physics_demo+0x4f00d8)
    #1 0x527163 in CreatePhysicsBodyPolygon asan/raylib/examples/../build/release/physac.h:503:40
    #2 0x541a31 in main asan/raylib/examples/physac/physics_demo.c:67:54
    #3 0x7fed591ad82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Thread T1 created by T0 here:
    #0 0x44767d in pthread_create (asan/raylib/build/examples/physics_demo+0x44767d)
    #1 0x526709 in InitPhysics asan/raylib/examples/../build/release/physac.h:364:9
    #2 0x540af0 in main asan/raylib/examples/physac/physics_demo.c:37:5
    #3 0x7fed591ad82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free asan/raylib/examples/../build/release/physac.h:1582:61 in InitializePhysicsManifolds
==10586==ABORTING
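All three reports above have the same shape: the main thread (T0) frees a body inside DestroyPhysicsBody while the physics thread (T1 or T8, started from InitPhysics) is still reading that body inside PhysicsStep. The block below is an added example, not physac's code, of the usual mitigation for that interleaving: one lock that both the step loop and the destroy path hold, so a free can never overlap a step. Body, bodies_lock, step_bodies, run_demo and the other names are hypothetical stand-ins for physac's internals, and the example assumes a POSIX threads build.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdlib.h>
#include <string.h>
#define MAX_BODIES 64
typedef struct { float x, vx; int id; } Body;   /* stand-in for a physac body */
static Body *bodies[MAX_BODIES];
static int body_count = 0;
long steps_done = 0;
/* bodies_lock guards the array: step loop and destroy path both hold it, so a body is never freed mid-step. */
static pthread_mutex_t bodies_lock = PTHREAD_MUTEX_INITIALIZER;

Body *create_body(int id) {
    Body *b = calloc(1, sizeof *b);
    if (!b) return NULL; b->id = id;
    pthread_mutex_lock(&bodies_lock);
    if (body_count < MAX_BODIES) bodies[body_count++] = b; else { free(b); b = NULL; }
    pthread_mutex_unlock(&bodies_lock);
    return b;
}
/* In the traces DestroyPhysicsBody freed with no lock held; here the body is
 * unlinked and freed only under bodies_lock, so no step can still see it. */
void destroy_body(Body *b) {
    pthread_mutex_lock(&bodies_lock);
    for (int i = 0; i < body_count; i++) {
        if (bodies[i] != b) continue;
        memmove(&bodies[i], &bodies[i + 1], (size_t)(body_count - i - 1) * sizeof bodies[0]);
        body_count--; free(b); break;
    }
    pthread_mutex_unlock(&bodies_lock);
}
/* Counterpart of PhysicsStep: every read of a body happens under the lock. */
void step_bodies(float dt) {
    pthread_mutex_lock(&bodies_lock);
    for (int i = 0; i < body_count; i++) {
        bodies[i]->vx += 9.8f * dt;
        bodies[i]->x += bodies[i]->vx * dt;
    }
    steps_done++; pthread_mutex_unlock(&bodies_lock);
}
static void *physics_loop(void *arg) {              /* counterpart of PhysicsLoop */
    for (int i = 0, n = *(int *)arg; i < n; i++) step_bodies(1.0f / 60.0f);
    return NULL;
}
/* Physics thread steps while the caller creates/destroys bodies (the reports' interleaving); returns bodies left (0). */
int run_demo(int iters) {
    pthread_t t; if (pthread_create(&t, NULL, physics_loop, &iters) != 0) return -1;
    for (int i = 0; i < 500; i++) destroy_body(create_body(i));
    pthread_join(t, NULL);
    return body_count;
}
```

Built with -fsanitize=address as in the first report, this version stays clean, whereas dropping the lock from destroy_body reproduces the heap-use-after-free class of report shown above.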

@raysan5
Owner

raysan5 commented Apr 29, 2018

Moved to own repo: victorfisac/Physac#35

@raysan5 raysan5 closed this as completed Apr 29, 2018