elunna / hackem

SlashEM forked Unto Evil with a Splice of X and a dash of THEM.

Found with fuzzer: "Blindf_off without otmp" #24

Closed elunna closed 1 year ago

elunna commented 1 year ago

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7365859 in __GI_abort () at abort.c:79
#2  0x0000555555a44e78 in NH_abort () at end.c:236
#3  0x0000555555a4bc74 in panic (str=0x555556523120 "%s") at end.c:802
#4  0x0000555555f99ce3 in impossible (s=0x5555564781e0 "Blindf_off without otmp")
    at pline.c:518
#5  0x000055555594fcd5 in Blindf_off (otmp=0x0) at do_wear.c:1812
#6  0x0000555555fa8270 in break_armor () at polyself.c:1162
#7  0x0000555555fa4a31 in polymon (mntmp=500) at polyself.c:831
#8  0x0000555555fa19e8 in polyself (psflags=1) at polyself.c:655
#9  0x000055555583cc14 in wiz_polyself () at cmd.c:1209
#10 0x000055555582d81a in doextcmd () at cmd.c:370
#11 0x000055555586306f in rhack (cmd=0x5555567a4680 <in_line> "#") at cmd.c:5517
#12 0x0000555555763c00 in moveloop (resuming=0 '\000') at allmain.c:798
#13 0x00005555563bb426 in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 0, 0, 0, 0, 140737337632192, 93824997411658, 335544320, 
            140737341055120, 1073741824, 0, 140737342801568, 4294967295, 140737337360384, 
            140737342784672, 17660160457859536384}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007ffff7365859 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0xffffffff, sa_sigaction = 0xffffffff}, 
          sa_mask = {__val = {140737337360384, 140737342784672, 17660160457859536384, 
              140737488343536, 140737342801568, 18446744073709547520, 140737327112192, 
              140737345470680, 140737488344608, 140737488344608, 140737344339986, 
              17592186042942, 140737488338944, 140737341055120, 17660160457859536384, 
              140737488343936}}, sa_flags = 1864242688, sa_restorer = 0x7fffffffd540}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000555555a44e78 in NH_abort () at end.c:236
        gdb_prio = 1
        libc_prio = 2
        aborting = 1 '\001'
#3  0x0000555555a4bc74 in panic (str=0x555556523120 "%s") at end.c:802
        the_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffd610, 
            reg_save_area = 0x7fffffffd540}}
#4  0x0000555555f99ce3 in impossible (s=0x5555564781e0 "Blindf_off without otmp")
    at pline.c:518
        pbuf = "Blindf_off without otmp\000\000\000\000\000\000\000\000\000`\327\377\377\377\177\000\000\362\070\357UUU\000\000\340\326\377\377\377\177\000\000\320\326\377\377\377\177\000\000\332\372\377\377\377\017\000\000\000\001\000\000\001`\000\000\263\212\265A\000\000\000\000\340WOVUU\000\000\027\070\357UUU\000\000\000\000\000\000\000\000\000\000 of\000\377\177\000\000\000\000\000\000\001\000\000\000 \341\377\377\000\000\000\000\025\000\000\000\000\000\000\000`\327\377\377\377\177\000\000P\335\377\377t\177\000\000`\327\377\377\377\177\000\000㭮UUU\000\000`\327\377\377\377\177\000\000\020\334\377\377\377\177\000\000\320\362|VUU\000\000\"\001"...
        the_args = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fffffffdd00, 
            reg_save_area = 0x7fffffffdc20}}
#5  0x000055555594fcd5 in Blindf_off (otmp=0x0) at do_wear.c:1812
        was_blind = 1 '\001'
        changed = 0 '\000'
#6  0x0000555555fa8270 in break_armor () at polyself.c:1162
        l = 8
        eyewear = 0x5555567cf2d0 <obufs+1104> "blindfold"
        otmp = 0x60c000398080
#7  0x0000555555fa4a31 in polymon (mntmp=500) at polyself.c:831
        buf = "black pudding\000\000\000\300\340\377\377\377\177\000\000\234q\371UUU\000\000\240\337\377\377\377\177\000\000\000\070RVUU\000\000\263\212\265A\000\000\000\000@*RVUU\000\000wp\371UUU\000\000\n\000\000\000\000\000\000\000\020\000\000\000\060\000\000\000\320\340\377\377\377\177\000\000\360\337\377\377\377\177\000\000\017\000\000\000\000\000\000\000`\341\377\377\377\177\000\000\n\000\000\000\000\000\000\000p\374\377\377\377\017\000\000 \341\377\377\377\177\000\000\360\337\377\377\377\177\000\000PpvUUU\000\000p\374\377\377\377\017\000\000\000\026\036o^~\025\365\060\340\377\377\377\177\000\000`\346EVUU", '\000' <repeats 26 times>...
        sticky = 0 '\000'
        was_blind = 1 '\001'
        dochange = 0 '\000'
        mlvl = 10
        s = 0xf5157e5e6f1e1600 <error: Cannot access memory at address 0xf5157e5e6f1e1600>
#8  0x0000555555fa19e8 in polyself (psflags=1) at polyself.c:655
        buf = "%\000bFS2KOsg\000h77UXY#mXUj\224}uuVNGv\271\065\065AR", '\000' <repeats 220 times>
        old_light = 0
        new_light = -145434400
        mntmp = 500
        class = 59
        tryct = 200
        forcecontrol = 1 '\001'
        monsterpoly = 0 '\000'
        draconian = 0 '\000'
        draconian_only = 0 '\000'
        iswere = 0 '\000'
        isvamp = 0 '\000'
        controllable_poly = 0 '\000'
        yourrace = 0 '\000'
        old_uwvis = 0 '\000'
#9  0x000055555583cc14 in wiz_polyself () at cmd.c:1209
No locals.
#10 0x000055555582d81a in doextcmd () at cmd.c:370
        idx = 47
        retval = 12
        func = 0x55555583cc02 <wiz_polyself>
#11 0x000055555586306f in rhack (cmd=0x5555567a4680 <in_line> "#") at cmd.c:5517
        tlist = 0x555556663da0 <extcmdlist>
        res = -7280
        func = 0x55555582d56d <doextcmd>
        spkey = 0
        prefix_seen = 0 '\000'
        bad_command = 17 '\021'
        firsttime = 1 '\001'
#12 0x0000555555763c00 in moveloop (resuming=0 '\000') at allmain.c:798
        moveamt = 12
        wtcap = 0
        change = 0
        monscanmove = 0 '\000'
        timeout_start = 25193
        past_clock = 105876
        elf_regen = 1 '\001'
        orc_regen = 1 '\001'
        vamp_regen = 1 '\001'
#13 0x00005555563bb426 in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
        fd = -1
        dir = 0x0
        exact_username = 0 '\000'
        resuming = 0 '\000'
        plsel_once = 1 '\001'
elunna commented 1 year ago

Looks like this is caused by polymorphing into a form without a head, which forces eyewear off. The same path could also be an issue with goggles or masks.

When Blindf_off is called here, a null obj is passed: `Blindf_off((struct obj *) 0); /* Null: skip usual off mesg */`

However, the first thing Blindf_off does is check whether otmp is NULL and call impossible() if it is, so that null call can never take the intended "skip the message" path:

    if (!otmp) {
        impossible("Blindf_off without otmp");
        return;
    }
elunna commented 1 year ago

Fixed in commit 24a26823d