HerculesWS / Hercules

Hercules is a collaborative software development project revolving around the creation of a robust massively multiplayer online role playing game (MMORPG) server package. Written in C, the program is very versatile and provides NPCs, warps and modifications. The project is jointly managed by a group of volunteers located around the world as well as a tremendous community providing QA and support. Hercules is a continuation of the original Athena project.
http://herc.ws
GNU General Public License v3.0

ServerCrashes upon reloadpcdb #2811

Open MrKeiKun opened 3 years ago

MrKeiKun commented 3 years ago

Describe the bug: With ./configure --enable-manager=no --enable-sanitize=full --enable-epoll, jobchanging -> @reloadpcdb (and vice versa) crashes the server.

To Reproduce: Steps to reproduce the behavior:

  1. Create character
  2. Select newly created character
  3. Enter command @job 4062
  4. Enter command @reloadpcdb
  5. See Error

Expected behavior: Able to jobchange and @reloadpcdb (and vice versa) without the server crashing.

System specs (please complete the following information):

ASan output:

=================================================================
==3364884==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200002cf50 at pc 0x000000c9cb04 bp 0x7ffc66e53650 sp 0x7ffc66e53640
READ of size 4 at 0x61200002cf50 thread T0
    #0 0xc9cb03 in pc_maxbaselv /home/kei/Hercules/src/map/pc.c:7319
    #1 0xca6335 in pc_jobchange /home/kei/Hercules/src/map/pc.c:9200
    #2 0xca6335 in pc_jobchange /home/kei/Hercules/src/map/pc.c:9107
    #3 0x4f6f9f in atcommand_jobchange /home/kei/Hercules/src/map/atcommand.c:1028
    #4 0x5114ca in atcommand_exec /home/kei/Hercules/src/map/atcommand.c:10697
    #5 0xcb7a31 in pc_process_chat_message /home/kei/Hercules/src/map/pc.c:12564
    #6 0x7d7319 in clif_process_chat_message /home/kei/Hercules/src/map/clif.c:10475
    #7 0x77edf3 in clif_parse_GlobalMessage /home/kei/Hercules/src/map/clif.c:11593
    #8 0x75538c in clif_parse /home/kei/Hercules/src/map/clif.c:24314
    #9 0x1372784 in do_sockets /home/kei/Hercules/src/common/socket.c:1073
    #10 0x41abd1 in main /home/kei/Hercules/src/common/core.c:539
    #11 0x7f7b118f56a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)
    #12 0x41c09d in _start (/home/kei/Hercules/map-server+0x41c09d)

0x61200002cf50 is located 144 bytes inside of 280-byte region [0x61200002cec0,0x61200002cfd8)
freed by thread T0 here:
    #0 0x7f7b142b47b0 in __interceptor_free (/lib64/libasan.so.5+0xef7b0)
    #1 0xc2aed7 in pc_clear_exp_groups /home/kei/Hercules/src/map/pc.c:12711
    #2 0xc6383e in pc_readdb /home/kei/Hercules/src/map/pc.c:11940
    #3 0x450331 in atcommand_reloadpcdb /home/kei/Hercules/src/map/atcommand.c:3866
    #4 0x5114ca in atcommand_exec /home/kei/Hercules/src/map/atcommand.c:10697
    #5 0xcb7a31 in pc_process_chat_message /home/kei/Hercules/src/map/pc.c:12564
    #6 0x7d7319 in clif_process_chat_message /home/kei/Hercules/src/map/clif.c:10475
    #7 0x77edf3 in clif_parse_GlobalMessage /home/kei/Hercules/src/map/clif.c:11593
    #8 0x75538c in clif_parse /home/kei/Hercules/src/map/clif.c:24314
    #9 0x1372784 in do_sockets /home/kei/Hercules/src/common/socket.c:1073
    #10 0x41abd1 in main /home/kei/Hercules/src/common/core.c:539
    #11 0x7f7b118f56a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)

previously allocated by thread T0 here:
    #0 0x7f7b142b4fb8 in __interceptor_realloc (/lib64/libasan.so.5+0xeffb8)
    #1 0x135f45e in aRealloc_ /home/kei/Hercules/src/common/memmgr.c:139
    #2 0xc2cfb8 in pc_read_exp_db_sub_class /home/kei/Hercules/src/map/pc.c:11859
    #3 0xcb71d4 in pc_read_exp_db_sub /home/kei/Hercules/src/map/pc.c:11878
    #4 0xc23dbe in pc_read_exp_db /home/kei/Hercules/src/map/pc.c:11902
    #5 0xc6387c in pc_readdb /home/kei/Hercules/src/map/pc.c:11941
    #6 0xcce6a6 in do_init_pc /home/kei/Hercules/src/map/pc.c:12793
    #7 0xcce6a6 in do_init_pc /home/kei/Hercules/src/map/pc.c:12784
    #8 0xabaaeb in do_init /home/kei/Hercules/src/map/map.c:6777
    #9 0x41aac7 in main /home/kei/Hercules/src/common/core.c:534
    #10 0x7f7b118f56a2 in __libc_start_main (/lib64/libc.so.6+0x236a2)

SUMMARY: AddressSanitizer: heap-use-after-free /home/kei/Hercules/src/map/pc.c:7319 in pc_maxbaselv
Shadow bytes around the buggy address:
  0x0c247fffd990: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c247fffd9a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fffd9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fffd9c0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c247fffd9d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c247fffd9e0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c247fffd9f0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c247fffda00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c247fffda10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c247fffda20: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c247fffda30: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3364884==ABORTING
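
The trace above shows a pointer cached per player at job change (allocated under pc_read_exp_db) being read in pc_maxbaselv after pc_clear_exp_groups freed the table on @reloadpcdb. The following is an added example, not Hercules's own code, of that pattern together with one mitigation: stamp each cached handle with a reload generation and re-resolve it by class id when the stamp is stale, so a reload can never be followed by a read of freed memory. All names (exp_group, exp_db_reload, player_max_base_level) and the level values are hypothetical; only the job id 4062 comes from the report.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical reloadable class table (constructed; not Hercules's code). */
typedef struct { int class_id; int max_base_level; } exp_group;
static exp_group *exp_table = NULL;  /* freed and rebuilt on every reload */
static size_t exp_table_len = 0;
static unsigned exp_table_gen = 0;   /* incremented on every reload */

/* Per-player cache: the pointer plus the generation it was resolved under. */
typedef struct { int class_id; exp_group *cached; unsigned cached_gen; } player;

/* Rebuild the table; every pointer into the old one dangles after this. */
static void exp_db_reload(const exp_group *rows, size_t n)
{
    free(exp_table);
    exp_table = malloc(n * sizeof *rows);
    exp_table_len = exp_table ? n : 0;
    if (exp_table) memcpy(exp_table, rows, n * sizeof *rows);
    exp_table_gen++;                 /* makes stale cached handles detectable */
}

static exp_group *exp_db_lookup(int class_id)
{
    for (size_t i = 0; i < exp_table_len; i++)
        if (exp_table[i].class_id == class_id) return &exp_table[i];
    return NULL;
}

/* Safe accessor: re-resolve by id when the cache predates the last reload. */
static int player_max_base_level(player *p)
{
    if (p->cached == NULL || p->cached_gen != exp_table_gen) {
        p->cached = exp_db_lookup(p->class_id);
        p->cached_gen = exp_table_gen;
    }
    return p->cached ? p->cached->max_base_level : 0;
}

/* Job change, reload with a new row, read: returns the reloaded value.
 * With drop_class set, the reload removes the class and the read yields 0. */
static int reload_after_jobchange(int drop_class)
{
    exp_group v1[] = { { 4062, 175 } };           /* constructed values */
    exp_group v2[] = { { drop_class ? 4061 : 4062, drop_class ? 170 : 185 } };
    player p = { 4062, NULL, 0 };
    exp_db_reload(v1, 1);
    if (player_max_base_level(&p) != 175) return -1;
    exp_db_reload(v2, 1);            /* the @reloadpcdb step from the report */
    return player_max_base_level(&p);
}
```

Built with -fsanitize=address, the same scenario with the generation check removed reports the heap-use-after-free seen in the report; with it, the read resolves against the freshly loaded table.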

MrKeiKun commented 3 years ago

Screenshot of another method to replicate the crash:

Steps:

  1. @job 4061
  2. @reloadpcdb
  3. @job 4062

sgsilva commented 3 years ago

Hi, I got the same problem: @reloadpcdb, @job 4061, server crash.