
[physac] Heap use after free in physics_shatter #486

Closed
Martinfx opened this issue Feb 24, 2018 · 6 comments

Comments

@Martinfx
Contributor

Martinfx commented Feb 24, 2018

Hello, I have tried compiling raylib with the AddressSanitizer tool.

mkdir build
cmake -DENABLE_ASAN=ON -DENABLE_UBSAN=ON ..
make

./physics_shatter
INFO: Initializing raylib (v1.9.4-dev)
INFO: Trying to enable MSAA x4
INFO: Display device initialized successfully
INFO: Display size: 1920 x 1080
INFO: Render size: 800 x 450
INFO: Screen size: 800 x 450
INFO: Viewport offsets: 0, 0
INFO: GLAD: OpenGL extensions loaded successfully
INFO: OpenGL 3.3 Core profile supported
INFO: GPU: Vendor:   Intel Open Source Technology Center
INFO: GPU: Renderer: Mesa DRI Intel(R) Sandybridge Mobile 
INFO: GPU: Version:  3.3 (Core Profile) Mesa 17.2.8
INFO: GPU: GLSL:     3.30
INFO: Number of supported extensions: 148
INFO: [EXTENSION] DXT compressed textures supported
INFO: [EXTENSION] ETC2/EAC compressed textures supported
INFO: [EXTENSION] Anisotropic textures filtering supported (max: 16X)
INFO: [TEX ID 1] Texture created successfully (1x1 - 1 mipmaps)
INFO: [TEX ID 1] Base white texture loaded successfully
INFO: [SHDR ID 1] Shader compiled successfully
INFO: [SHDR ID 2] Shader compiled successfully
INFO: [SHDR ID 3] Shader program loaded successfully
INFO: [SHDR ID 3] Default shader loaded successfully
INFO: [CPU] Default buffers initialized successfully (lines, triangles, quads)
INFO: [VAO ID 1] Default buffers VAO initialized successfully (lines)
INFO: [VAO ID 2] Default buffers VAO initialized successfully (triangles)
INFO: [VAO ID 3] Default buffers VAO initialized successfully (quads)
INFO: OpenGL default states initialized successfully
INFO: [TEX ID 2] Texture created successfully (128x128 - 1 mipmaps)
INFO: [TEX ID 2] Default font loaded successfully
INFO: Target time per frame: 16.667 milliseconds
=================================================================
==9333==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500002c950 at pc 0x0000004210b7 bp 0x7ff1ca09bdc0 sp 0x7ff1ca09bdb0
READ of size 4 at 0x61500002c950 thread T1
    #0 0x4210b6 in IntegratePhysicsForces /home/asan/Documents/raylib/examples/../build/release/physac.h:1572
    #1 0x423aec in IntegratePhysicsVelocity /home/asan/Documents/raylib/examples/../build/release/physac.h:1715
    #2 0x41d24c in PhysicsStep /home/asan/Documents/raylib/examples/../build/release/physac.h:1170
    #3 0x41c66f in PhysicsLoop /home/asan/Documents/raylib/examples/../build/release/physac.h:1061
    #4 0x7ff1d1b886b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #5 0x7ff1d158441c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x61500002c950 is located 80 bytes inside of 512-byte region [0x61500002c900,0x61500002cb00)
freed by thread T0 here:
    #0 0x7ff1d23432ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0x41b91e in ResetPhysics /home/asan/Documents/raylib/examples/../build/release/physac.h:931
    #2 0x427388 in main /home/asan/Documents/raylib/examples/physac/physics_shatter.c:53
    #3 0x7ff1d149d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7ff1d2343602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4189ba in CreatePhysicsBodyPolygon /home/asan/Documents/raylib/examples/../build/release/physac.h:503
    #2 0x427415 in main /home/asan/Documents/raylib/examples/physac/physics_shatter.c:56
    #3 0x7ff1d149d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T1 created by T0 here:
    #0 0x7ff1d22e1253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x417922 in InitPhysics /home/asan/Documents/raylib/examples/../build/release/physac.h:364
    #2 0x4272c1 in main /home/asan/Documents/raylib/examples/physac/physics_shatter.c:37
    #3 0x7ff1d149d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/asan/Documents/raylib/examples/../build/release/physac.h:1572 IntegratePhysicsForces
==9333==ABORTING
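
The stack traces above show the shape of the bug: the physics thread started by InitPhysics (PhysicsLoop, PhysicsStep, IntegratePhysicsVelocity, IntegratePhysicsForces) is still touching a body that the main thread has already freed through ResetPhysics or PhysicsShatter and DestroyPhysicsBody. The following is an added illustration, not raylib or Physac code: a hypothetical body list with the same two-thread layout, where one mutex serialises the physics step against create/destroy so a body can only be freed between complete steps, never inside one. All names (Body, step_bodies, create_body, destroy_body, run_churn, bodiesLock) are made up for the example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>
#define MAX_BODIES 64
typedef struct { float vx, vy, fx, fy, mass; } Body;  /* hypothetical body */
static Body *bodies[MAX_BODIES];   /* list shared by main and physics thread */
static int bodyCount;
static pthread_mutex_t bodiesLock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int running;
/* Physics-thread side: the whole step runs under the lock, so the main thread
 * cannot free a body between the bounds check and the dereference below. */
static void step_bodies(float dt) {
    pthread_mutex_lock(&bodiesLock);
    for (int i = 0; i < bodyCount; i++) {
        Body *b = bodies[i];
        b->vx += (b->fx / b->mass) * dt;   /* same kind of read ASan flagged in IntegratePhysicsForces */
        b->vy += (b->fy / b->mass) * dt;
    }
    pthread_mutex_unlock(&bodiesLock);
}
static void *physics_loop(void *arg) {
    (void)arg; while (atomic_load(&running)) step_bodies(1.0f / 60.0f);
    return NULL;
}
/* Main-thread side: create/destroy take the same lock, so a free happens
 * entirely before or after a step, never inside one. */
static Body *create_body(float mass) {
    Body *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->mass = mass; b->fx = 1.0f;
    pthread_mutex_lock(&bodiesLock);
    if (bodyCount < MAX_BODIES) bodies[bodyCount++] = b; else { free(b); b = NULL; }
    pthread_mutex_unlock(&bodiesLock);
    return b;
}
static void destroy_body(Body *b) {
    pthread_mutex_lock(&bodiesLock);
    for (int i = 0; i < bodyCount; i++)
        if (bodies[i] == b) { bodies[i] = bodies[--bodyCount]; free(b); break; }
    pthread_mutex_unlock(&bodiesLock);
}
/* Churns create/destroy while the physics thread steps; returns bodies left alive. */
int run_churn(int iterations) {
    pthread_t tid; atomic_store(&running, 1);
    if (pthread_create(&tid, NULL, physics_loop, NULL) != 0) return -1;
    for (int i = 0; i < iterations; i++) { Body *b = create_body(2.0f); if (b) destroy_body(b); }
    atomic_store(&running, 0);
    pthread_join(tid, NULL);
    return bodyCount;
}
```

Building this with -fsanitize=address and then deleting either pthread_mutex_lock/unlock pair reproduces the same heap-use-after-free class of report as above, which is a quick way to confirm a fix actually closes the window.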

a3f added a commit to a3f/raylib that referenced this issue Feb 24, 2018
a3f added a commit that referenced this issue Feb 24, 2018
To make bugs like #485, #486, #487 and #488 easier to find in future.
@raysan5 raysan5 changed the title Heap use after free in physics_shatter [physac] Heap use after free in physics_shatter Feb 26, 2018
@raysan5
Owner

raysan5 commented Feb 26, 2018

Maybe @victorfisac, creator of the Physac library, could take a look at this issue.

@victorfisac
Contributor

@raysan5 @a3f I will take a look ASAP. Thanks for the report! :)

@victorfisac
Contributor

Maybe fixed in #500

@a3f
Contributor

a3f commented Mar 10, 2018

Still happens despite #500:

./physics_shatter
INFO: Initializing raylib (v1.9.4-dev)
INFO: Trying to enable MSAA x4
INFO: Display device initialized successfully
INFO: Display size: 1680 x 1050
INFO: Render size: 800 x 450
INFO: Screen size: 800 x 450
INFO: Viewport offsets: 0, 0
INFO: GPU: Vendor:   Intel Inc.
INFO: GPU: Renderer: Intel Iris OpenGL Engine
INFO: GPU: Version:  4.1 INTEL-10.30.14
INFO: GPU: GLSL:     4.10
INFO: Number of supported extensions: 45
INFO: [EXTENSION] DXT compressed textures supported
INFO: [EXTENSION] Anisotropic textures filtering supported (max: 16X)
INFO: [EXTENSION] Debug Marker supported
INFO: [TEX ID 1] Texture created successfully (1x1 - 1 mipmaps)
INFO: [TEX ID 1] Base white texture loaded successfully
INFO: [SHDR ID 1] Shader compiled successfully
INFO: [SHDR ID 2] Shader compiled successfully
INFO: [SHDR ID 3] Shader program loaded successfully
INFO: [SHDR ID 3] Default shader loaded successfully
INFO: [CPU] Default buffers initialized successfully (lines, triangles, quads)
INFO: [VAO ID 1] Default buffers VAO initialized successfully (lines)
INFO: [VAO ID 2] Default buffers VAO initialized successfully (triangles)
INFO: [VAO ID 3] Default buffers VAO initialized successfully (quads)
INFO: OpenGL default states initialized successfully
INFO: [TEX ID 2] Texture created successfully (128x128 - 1 mipmaps)
INFO: [TEX ID 2] Default font loaded successfully
INFO: Target time per frame: 16.667 milliseconds
=================================================================
==25607==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000023fa0 at pc 0x0001036fc936 bp 0x7000085e5520 sp 0x7000085e5518
WRITE of size 4 at 0x615000023fa0 thread T8
    #0 0x1036fc935 in IntegratePhysicsForces (physics_shatter:x86_64+0x100027935)
    #1 0x103708ec5 in IntegratePhysicsVelocity (physics_shatter:x86_64+0x100033ec5)
    #2 0x1036f8c29 in PhysicsStep (physics_shatter:x86_64+0x100023c29)
    #3 0x1036d97bc in PhysicsLoop (physics_shatter:x86_64+0x1000047bc)
    #4 0x7fff732636c0 in _pthread_body (libsystem_pthread.dylib:x86_64+0x36c0)
    #5 0x7fff7326356c in _pthread_start (libsystem_pthread.dylib:x86_64+0x356c)
    #6 0x7fff73262c5c in thread_start (libsystem_pthread.dylib:x86_64+0x2c5c)

0x615000023fa0 is located 32 bytes inside of 512-byte region [0x615000023f80,0x615000024180)
freed by thread T0 here:
    #0 0x103bb6066 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59066)
    #1 0x1036f026b in DestroyPhysicsBody (physics_shatter:x86_64+0x10001b26b)
    #2 0x1036e9767 in PhysicsShatter (physics_shatter:x86_64+0x100014767)
    #3 0x1036f4cb7 in main (physics_shatter:x86_64+0x10001fcb7)
    #4 0x7fff72fd8114 in start (libdyld.dylib:x86_64+0x1114)

previously allocated by thread T0 here:
    #0 0x103bb5e9c in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x58e9c)
    #1 0x1036da179 in CreatePhysicsBodyPolygon (physics_shatter:x86_64+0x100005179)
    #2 0x1036f45bc in main (physics_shatter:x86_64+0x10001f5bc)
    #3 0x7fff72fd8114 in start (libdyld.dylib:x86_64+0x1114)

Thread T8 created by T0 here:
    #0 0x103bad676 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x50676)
    #1 0x1036d9701 in InitPhysics (physics_shatter:x86_64+0x100004701)
    #2 0x1036f42cf in main (physics_shatter:x86_64+0x10001f2cf)
    #3 0x7fff72fd8114 in start (libdyld.dylib:x86_64+0x1114)

SUMMARY: AddressSanitizer: heap-use-after-free (physics_shatter:x86_64+0x100027935) in IntegratePhysicsForces
==25607==ABORTING
Abort trap: 6

@Martinfx
Contributor Author

Martinfx commented Mar 13, 2018

@victorfisac Yes, there are still physics bugs with heap-use-after-free.

==10233==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000109cc at pc 0x000000543100 bp 0x7fb23bf837d0 sp 0x7fb23bf837c8
WRITE of size 4 at 0x6150000109cc thread T1
    #0 0x5430ff in PhysicsStep asan/raylib/examples/../build/release/physac.h:1101:26
    #1 0x5267da in PhysicsLoop asan/raylib/examples/../build/release/physac.h:1061:13
    #2 0x7fb244ac76b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #3 0x7fb242b6041c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6150000109cc is located 76 bytes inside of 512-byte region [0x615000010980,0x615000010b80)
freed by thread T0 here:
    #0 0x4eff10 in __interceptor_cfree.localalias.0 (asan/raylib/build/examples/physics_shatter+0x4eff10)
    #1 0x53c972 in DestroyPhysicsBody asan/raylib/examples/../build/release/physac.h:899:9
    #2 0x5361aa in PhysicsShatter asan/raylib/examples/../build/release/physac.h:662:17
    #3 0x5413da in main asan/raylib/examples/physac/physics_shatter.c:66:42
    #4 0x7fb242a7982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 here:
    #0 0x4f00d8 in __interceptor_malloc (asan/raylib/build/examples/physics_shatter+0x4f00d8)
    #1 0x527163 in CreatePhysicsBodyPolygon asan/raylib/examples/../build/release/physac.h:503:40
    #2 0x540d3c in main asan/raylib/examples/physac/physics_shatter.c:41:24
    #3 0x7fb242a7982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Thread T1 created by T0 here:
    #0 0x44767d in pthread_create (asan/raylib/build/examples/physics_shatter+0x44767d)
    #1 0x526709 in InitPhysics asan/raylib/examples/../build/release/physac.h:364:9
    #2 0x540a71 in main asan/raylib/examples/physac/physics_shatter.c:37:5
    #3 0x7fb242a7982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free asan/raylib/examples/../build/release/physac.h:1101:26 in PhysicsStep
==10233==ABORTING

@raysan5
Owner

raysan5 commented Apr 29, 2018

Moved to own repo: victorfisac/Physac#35

@raysan5 raysan5 closed this as completed Apr 29, 2018