RPCS3 / rpcs3

PlayStation 3 emulator and debugger
https://rpcs3.net/
GNU General Public License v2.0

ASAN heap-use-after-free error in welcome_dialog #16278

Closed oltolm closed 3 weeks ago

oltolm commented 3 weeks ago
=================================================================
==17604==ERROR: AddressSanitizer: heap-use-after-free on address 0x11e9423ad0e0 at pc 0x000001c1028f bp 0x0076935f66f0 sp 0x0076935f6738
READ of size 1 at 0x11e9423ad0e0 thread T0
    #0 0x000001c1028e in welcome_dialog::does_user_want_dark_theme() const C:/src/rpcs3/rpcs3/rpcs3qt/welcome_dialog.h:22:10
    #1 0x000001b9baa5 in gui_application::Init() C:/src/rpcs3/rpcs3/rpcs3qt/gui_application.cpp:165:16
    #2 0x000000de298b in qMain(int, char**) C:/src/rpcs3/rpcs3/main.cpp:1068:17
    #3 0x000001d3c3a7 in main C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexewin.c:67:10
    #4 0x000000d41302 in __tmainCRTStartup C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:259:15
    #5 0x000000d41155 in .l_startw C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:149:9
    #6 0x7ffe6e9b7373  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017373)
    #7 0x7ffe6ee1cc90  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18004cc90)

0x11e9423ad0e0 is located 64 bytes inside of 72-byte region [0x11e9423ad0a0,0x11e9423ad0e8)
freed by thread T0 here:
    #0 0x7ffe19598341 in operator delete(void*) (C:\msys64\clang64\bin\libclang_rt.asan_dynamic-x86_64.dll+0x180058341)
    #1 0x0000036592d3 in welcome_dialog::~welcome_dialog() C:/src/rpcs3/rpcs3/rpcs3qt/welcome_dialog.cpp:96:1
    #2 0x7ffe1a76d813 in QDialog::exec() (E:\build-rpcs3-clang\bin\Qt6Widgets.dll+0x18028d813)
    #3 0x000001b9ba91 in gui_application::Init() C:/src/rpcs3/rpcs3/rpcs3qt/gui_application.cpp:163:12
    #4 0x000000de298b in qMain(int, char**) C:/src/rpcs3/rpcs3/main.cpp:1068:17
    #5 0x000001d3c3a7 in main C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexewin.c:67:10
    #6 0x000000d41302 in __tmainCRTStartup C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:259:15
    #7 0x000000d41155 in .l_startw C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:149:9
    #8 0x7ffe6e9b7373  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017373)
    #9 0x7ffe6ee1cc90  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18004cc90)

previously allocated by thread T0 here:
    #0 0x7ffe19597ae1 in operator new(unsigned long long) (C:\msys64\clang64\bin\libclang_rt.asan_dynamic-x86_64.dll+0x180057ae1)
    #1 0x000001b9b9c6 in gui_application::Init() C:/src/rpcs3/rpcs3/rpcs3qt/gui_application.cpp:162:29
    #2 0x000000de298b in qMain(int, char**) C:/src/rpcs3/rpcs3/main.cpp:1068:17
    #3 0x000001d3c3a7 in main C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexewin.c:67:10
    #4 0x000000d41302 in __tmainCRTStartup C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:259:15
    #5 0x000000d41155 in .l_startw C:/M/B/src/mingw-w64/mingw-w64-crt/crt/crtexe.c:149:9
    #6 0x7ffe6e9b7373  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017373)
    #7 0x7ffe6ee1cc90  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18004cc90)

SUMMARY: AddressSanitizer: heap-use-after-free C:/src/rpcs3/rpcs3/rpcs3qt/welcome_dialog.h:22:10 in welcome_dialog::does_user_want_dark_theme() const
Shadow bytes around the buggy address:
  0x11e9423ace00: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x11e9423ace80: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x11e9423acf00: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
  0x11e9423acf80: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x11e9423ad000: fd fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
=>0x11e9423ad080: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fa fa fa
  0x11e9423ad100: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x11e9423ad180: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x11e9423ad200: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x11e9423ad280: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x11e9423ad300: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17604==ABORTING

        welcome_dialog* welcome = new welcome_dialog(m_gui_settings, false);
        welcome->exec();

        if (welcome->does_user_want_dark_theme())
        {
            m_gui_settings->SetValue(gui::m_currentStylesheet, "Darker Style by TheMitoSan");
        }

The error happens when calling welcome->does_user_want_dark_theme() because welcome has already been destroyed by exec(). This happens because of this code in welcome_dialog.cpp:

    setAttribute(Qt::WA_DeleteOnClose);
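The lifetime problem in the report, reduced to a stand-alone C++ model. This is an added example, not RPCS3 or Qt code: `Dialog` is a hypothetical stand-in for a QDialog whose `exec()` honours `Qt::WA_DeleteOnClose` by deleting itself once the modal loop ends, and its `m_alive` member plays the role of the liveness tracking behind `QPointer`. The two fixes shown are general patterns for this class of bug (own the object and drop delete-on-close, or copy the answer out while the object is alive); they are not a claim about what the linked pull request does.

```cpp
#include <cassert>
#include <functional>
#include <memory>
#include <optional>

// Added example, not RPCS3 or Qt code. Dialog simulates a QDialog with
// Qt::WA_DeleteOnClose set: exec() deletes `this` before it returns.
class Dialog {
public:
    using Callback = std::function<void(bool)>;

    Dialog(bool delete_on_close, bool dark_choice, Callback on_finished = {})
        : m_delete_on_close(delete_on_close),
          m_dark(dark_choice),
          m_on_finished(std::move(on_finished)),
          m_alive(std::make_shared<int>(0)) {}

    // Models QDialog::exec(): the user answers and closes the dialog, the
    // finished handler runs while the object is still alive, and then, if
    // delete-on-close is set, the object deletes itself before exec() returns.
    int exec() {
        const int accepted = 1;                     // stack local, safe to return after delete
        if (m_on_finished) m_on_finished(m_dark);  // still safe here
        if (m_delete_on_close) delete this;        // `this` dangles from this point on
        return accepted;
    }

    bool does_user_want_dark_theme() const { return m_dark; }
    std::weak_ptr<int> liveness() const { return m_alive; }

private:
    bool m_delete_on_close;
    bool m_dark;
    Callback m_on_finished;
    std::shared_ptr<int> m_alive;  // destroyed with the object, so weak refs expire
};

// The sequence from gui_application.cpp (new, exec, read member), but with a
// QPointer-style liveness check before the read instead of dereferencing
// blindly. Returns nullopt when exec() has already deleted the dialog, which
// is exactly the state in which the reported read would be a use-after-free.
std::optional<bool> buggy_flow_guarded(bool dark_choice) {
    Dialog* welcome = new Dialog(/*delete_on_close=*/true, dark_choice);
    std::weak_ptr<int> alive = welcome->liveness();
    welcome->exec();
    if (alive.expired()) {
        return std::nullopt;  // caught instead of read
    }
    return welcome->does_user_want_dark_theme();
}

// Fix 1: the caller owns the dialog for the whole flow and delete-on-close is
// not set, so the answer can be read after exec() and the object is freed
// once, by its owner, when it goes out of scope.
bool fixed_owned(bool dark_choice) {
    std::unique_ptr<Dialog> welcome(new Dialog(/*delete_on_close=*/false, dark_choice));
    welcome->exec();
    return welcome->does_user_want_dark_theme();
}

// Fix 2: keep delete-on-close but copy the answer out while the dialog is
// still alive, through a handler that runs before the self-delete. The
// pointer is never touched after exec().
bool fixed_copy_out(bool dark_choice) {
    bool wants_dark = false;
    Dialog* welcome = new Dialog(/*delete_on_close=*/true, dark_choice,
                                 [&wants_dark](bool v) { wants_dark = v; });
    welcome->exec();  // welcome is deleted here
    return wants_dark;
}

int main() {
    assert(!buggy_flow_guarded(true).has_value());
    assert(fixed_owned(true) && !fixed_owned(false));
    assert(fixed_copy_out(true) && !fixed_copy_out(false));
    return 0;
}
```

Built with `-fsanitize=address`, replacing the `alive.expired()` check in `buggy_flow_guarded` with an unconditional read reproduces a heap-use-after-free report of the same shape as the one above: the read inside the accessor, the free inside `exec()`, the allocation at the `new`.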
elad335 commented 3 weeks ago

Fix has been uploaded to https://github.com/RPCS3/rpcs3/pull/16273