elunna / hackem

SlashEM forked Unto Evil with a Splice of X and a dash of THEM.

Found with fuzzer: monster already dead? #9

Closed elunna closed 1 year ago

elunna commented 1 year ago
Program received signal SIGINT, Interrupt.
__GI___xstat (vers=vers@entry=1, name=name@entry=0x7ffff74f8929 "/etc/localtime", 
    buf=buf@entry=0x7fffffffd990) at ../sysdeps/unix/sysv/linux/wordsize-64/xstat.c:35
35  ../sysdeps/unix/sysv/linux/wordsize-64/xstat.c: No such file or directory.
Starting program: /home/lunatunez/games/hackemdir/hackem -D -u wizard 2>err.log
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGINT, Interrupt.
0x00007ffff7450fd2 in __GI___libc_read (fd=0, buf=0x619000000a80, nbytes=1024)
    at ../sysdeps/unix/sysv/linux/read.c:26
26  ../sysdeps/unix/sysv/linux/read.c: No such file or directory.
Continuing.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7365859 in __GI_abort () at abort.c:79
#2  0x0000555555a44c60 in NH_abort () at end.c:236
#3  0x0000555555a4ba5c in panic (str=0x55555651b6c0 "%s") at end.c:802
#4  0x0000555555f98c03 in impossible (s=0x5555564b97a0 "monster already dead?")
    at pline.c:518
#5  0x0000555555ba5665 in ucast_wizard_spell (mattk=0x5555567b8fc0 <youmonst>, 
    mtmp=0x611000179200, dmg=34, spellnum=4) at mcastu.c:2011
#6  0x0000555555ba5412 in castum (mtmp=0x611000179200, mattk=0x555556602d14 <mons+60660>)
    at mcastu.c:1965
#7  0x000055555629f160 in hmonas (mon=0x611000179200, as=-1, weapon_attacks=1 '\001')
    at uhitm.c:4091
#8  0x0000555556249413 in attack (mtmp=0x611000179200) at uhitm.c:577
#9  0x0000555555ac70ee in domove_core () at hack.c:1813
#10 0x0000555555ab0ab6 in domove () at hack.c:1516
#11 0x0000555555862ec2 in rhack (cmd=0x55555679b640 <in_line> "8") at cmd.c:5477
#12 0x0000555555761c00 in moveloop (resuming=0 '\000') at allmain.c:798
#13 0x00005555563b4127 in main (argc=0, argv=0x7fffffffe658) at ../sys/unix/unixmain.c:353

FULL BACKTRACE

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 0, 0, 0, 0, 140737337632192, 93824997411122, 335544320, 
            140737341055120, 1073741824, 0, 140737342801568, 4294967295, 140737337360384, 
            140737342784672, 10313041896011840768}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007ffff7365859 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0xffffffff, sa_sigaction = 0xffffffff}, 
          sa_mask = {__val = {140737337360384, 140737342784672, 10313041896011840768, 
              140737488342576, 140737342801568, 18446744073709547520, 140737327112192, 
              140737345470680, 140737488343648, 140737488343648, 140737344339986, 
              17592186042822, 140737488334848, 140737341055120, 10313041896011840768, 
              140737488342976}}, sa_flags = -1384006400, sa_restorer = 0x7fffffffd180}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000555555a44c60 in NH_abort () at end.c:236
        gdb_prio = 1
        libc_prio = 2
        aborting = 1 '\001'
#3  0x0000555555a4ba5c in panic (str=0x55555651b6c0 "%s") at end.c:802
        the_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffd250, 
            reg_save_area = 0x7fffffffd180}}
#4  0x0000555555f98c03 in impossible (s=0x5555564b97a0 "monster already dead?")
    at pline.c:518
        pbuf = "monster already dead?\000\000\000\342\301;VUU\000\000\000\000\000\000\000\000\000\000\020\001\000\000\320`\000\000 \323\377\377\377\177\000\000a\000<VUU\000\000\021\000\000\000\000\000\000\000 \324\377\377\377\177\000\000\000\324\377\377\377\177\000\000 \324\377\377\377\177\000\000P\323\377\377\377\177\000\000\251\n<VUU\000\000\200\323\377\377\377\377\377\377\020\001\000\000\320`\000\000\020\001\000\000\320`\000\000\000\324\377\377\377\177\000\000\240\323\377\377\377\177\000\000\024\071=VUU\000\000 \324\377\377\377\177\000\000\000\000\000\000\001\000\000\000\r\000\000\000\000\000\000\000\025\000\000\000\000\000\000\000\320\323\377\377\377\177\000\000"...
        the_args = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fffffffd940, 
            reg_save_area = 0x7fffffffd860}}
#5  0x0000555555ba5665 in ucast_wizard_spell (mattk=0x5555567b8fc0 <youmonst>, 
    mtmp=0x611000179200, dmg=34, spellnum=4) at mcastu.c:2011
        resisted = 0 '\000'
        yours = 1 '\001'
#6  0x0000555555ba5412 in castum (mtmp=0x611000179200, mattk=0x555556602d14 <mons+60660>)
    at mcastu.c:1965
        dmg = 34
        ml = 14
        ret = 1
        spellnum = 4
        directed = 0 '\000'
#7  0x000055555629f160 in hmonas (mon=0x611000179200, as=-1, weapon_attacks=1 '\001')
    at uhitm.c:4091
        mattk = 0x555556602d14 <mons+60660>
        alt_attk = {aatyp = 179 '\263', adtyp = 138 '\212', damn = 181 '\265', damd = 65 'A'}
        weapon = 0x0
        originalweapon = 0xd00000005
        altwep = 0 '\000'
        weapon_used = 0 '\000'
        stop_attacking = 0 '\000'
        i = 3
        tmp = 32
        armorpenalty = 0
        sum = {1, 1, 2, 0, -8976, 32767}
        dhit = 1
        attknum = 2
        dieroll = 2
        monster_survived = 0 '\000'
        Old_Upolyd = 1 '\001'
#8  0x0000555556249413 in attack (mtmp=0x611000179200) at uhitm.c:577
        mdat = 0x5555565f8ae0 <mons+19136>
        maxweight = 20
#9  0x0000555555ac70ee in domove_core () at hack.c:1813
        mtmp = 0x611000179200
        tmpr = <optimized out>
        x = 13 '\r'
        y = 5 '\005'
        trap = 0x0
        wtcap = 0
        recharged = 0 '\000'
        walk_sewage = 0 '\000'
        chainx = 0 '\000'
        chainy = 0 '\000'
        ballx = 0 '\000'
        bally = 0 '\000'
        bc_control = 0
        cause_delay = 0 '\000'
        u_with_boulder = 0 '\000'
#10 0x0000555555ab0ab6 in domove () at hack.c:1516
        ux1 = 13
        uy1 = 4
#11 0x0000555555862ec2 in rhack (cmd=0x55555679b640 <in_line> "8") at cmd.c:5477
        spkey = 0
        prefix_seen = 0 '\000'
        bad_command = 85 'U'
        firsttime = 1 '\001'
#12 0x0000555555761c00 in moveloop (resuming=0 '\000') at allmain.c:798
        moveamt = 6
        wtcap = 0
        change = 0
        monscanmove = 0 '\000'
        timeout_start = 25658
        past_clock = -3351
        elf_regen = 1 '\001'
        orc_regen = 1 '\001'
        vamp_regen = 1 '\001'
#13 0x00005555563b4127 in main (argc=0, argv=0x7fffffffe658) at ../sys/unix/unixmain.c:353
        fd = -1
        dir = 0x0
        exact_username = 0 '\000'
        resuming = 0 '\000'
        plsel_once = 1 '\001'
elunna commented 1 year ago

ucast_wizard_spell is trying to cast a spell at a monster that is already dead. spellnum 4 = MGC_HASTE_SELF. Note that in the hmonas frame `monster_survived = 0 '\000'` with `i = 3` / `attknum = 2`, which suggests the monster was killed by an earlier attack in the same multi-attack sequence and the spell attack was still attempted afterwards.

elunna commented 1 year ago

Popped up again with a different spell (spellnum 3 this time, at mcastu.c:1999):

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7363859 in __GI_abort () at abort.c:79
#2  0x0000555555a4d4df in NH_abort () at end.c:236
#3  0x0000555555a542e9 in panic (str=0x5555565429e0 "%s") at end.c:802
#4  0x0000555555fac05c in impossible (s=0x5555564df620 "monster already dead?")
    at pline.c:518
#5  0x0000555555bb3b2c in ucast_wizard_spell (mattk=0x5555567dcee0 <youmonst>, 
    mtmp=0x61100018b7c0, dmg=42, spellnum=3) at mcastu.c:1999
#6  0x0000555555bb38d9 in castum (mtmp=0x61100018b7c0, mattk=0x55555662cd14 <mons+60660>)
    at mcastu.c:1953
#7  0x00005555562c1316 in hmonas (mon=0x61100018b7c0, as=-1, weapon_attacks=1 '\001')
    at uhitm.c:4090
#8  0x000055555626b91a in attack (mtmp=0x61100018b7c0) at uhitm.c:577
#9  0x0000555555ad0a39 in domove_core () at hack.c:1827
#10 0x0000555555aba401 in domove () at hack.c:1530
#11 0x000055555586885f in rhack (cmd=0x5555567c9f40 <in_line> "8") at cmd.c:5493
#12 0x0000555555767f7b in moveloop (resuming=0 '\000') at allmain.c:823
#13 0x00005555563d7c7d in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 0, 0, 0, 0, 140737335783280, 93824997446065, 335544320, 
            140737341046928, 1073741824, 0, 140737342793376, 4294967295, 140737337360384, 
            140737342776480, 1872445340174085888}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007ffff7363859 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0xffffffff, sa_sigaction = 0xffffffff}, 
          sa_mask = {__val = {140737337360384, 140737342776480, 1872445340174085888, 
              140737488342496, 140737342793376, 18446744073709547520, 140737327104000, 
              140737345462488, 140737488343568, 140737488343568, 140737344331794, 
              17592186042812, 140737488334848, 140737341046928, 1872445340174085888, 
              140737488342896}}, sa_flags = -1033277696, sa_restorer = 0x7fffffffd130}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000555555a4d4df in NH_abort () at end.c:236
        gdb_prio = 1
        libc_prio = 2
        aborting = 1 '\001'
#3  0x0000555555a542e9 in panic (str=0x5555565429e0 "%s") at end.c:802
        the_args = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffd200, 
            reg_save_area = 0x7fffffffd130}}
#4  0x0000555555fac05c in impossible (s=0x5555564df620 "monster already dead?")
    at pline.c:518
        pbuf = "monster already dead?\000\000\000\070\375=VUU\000\000\000\000\000\000\000\000\000\000\020\001\000\000\320`\000\000\320\322\377\377\377\177\000\000\267;>VUU\000\000\021\000\000\000\000\000\000\000\320\323\377\377\377\177\000\000\260\323\377\377\377\177\000\000\320\323\377\377\377\177\000\000\000\323\377\377\377\177\000\000\377E>VUU\000\000\060\323\377\377\377\377\377\377\020\001\000\000\320`\000\000\020\001\000\000\320`\000\000\260\323\377\377\377\177\000\000P\323\377\377\377\177\000\000jt?VUU\000\000\320\323\377\377\377\177\000\000\000\000\000\000\001\000\000\000\064\000\000\000\000\000\000\000\025\000\000\000\000\000\000\000\200\323\377\377\377\177\000\000"...
        the_args = {{gp_offset = 8, fp_offset = 48, overflow_arg_area = 0x7fffffffd8f0, 
            reg_save_area = 0x7fffffffd810}}
#5  0x0000555555bb3b2c in ucast_wizard_spell (mattk=0x5555567dcee0 <youmonst>, 
    mtmp=0x61100018b7c0, dmg=42, spellnum=3) at mcastu.c:1999
        resisted = 0 '\000'
        yours = 1 '\001'
#6  0x0000555555bb38d9 in castum (mtmp=0x61100018b7c0, mattk=0x55555662cd14 <mons+60660>)
    at mcastu.c:1953
        dmg = 42
        ml = 14
        ret = 1
        spellnum = 3
        directed = 0 '\000'
#7  0x00005555562c1316 in hmonas (mon=0x61100018b7c0, as=-1, weapon_attacks=1 '\001')
    at uhitm.c:4090
        mattk = 0x55555662cd14 <mons+60660>
        alt_attk = {aatyp = 179 '\263', adtyp = 138 '\212', damn = 181 '\265', damd = 65 'A'}
        weapon = 0x0
        originalweapon = 0x340000000d
        altwep = 0 '\000'
        weapon_used = 0 '\000'
        stop_attacking = 0 '\000'
        i = 3
        tmp = 41
        armorpenalty = 0
        sum = {1, 1, 2, 0, -9056, 32767}
        dhit = 1
        attknum = 2
        dieroll = 2
        monster_survived = 0 '\000'
        Old_Upolyd = 1 '\001'
#8  0x000055555626b91a in attack (mtmp=0x61100018b7c0) at uhitm.c:577
        mdat = 0x555556624ea0 <mons+28288>
        maxweight = 30
#9  0x0000555555ad0a39 in domove_core () at hack.c:1827
        mtmp = 0x61100018b7c0
        tmpr = <optimized out>
        x = 52 '4'
        y = 13 '\r'
        trap = 0x0
        wtcap = 0
        recharged = 0 '\000'
        walk_sewage = 0 '\000'
        chainx = 0 '\000'
        chainy = 0 '\000'
        ballx = 0 '\000'
        bally = 0 '\000'
        bc_control = 0
        cause_delay = 0 '\000'
        u_with_boulder = 0 '\000'
#10 0x0000555555aba401 in domove () at hack.c:1530
        ux1 = 52
        uy1 = 12
#11 0x000055555586885f in rhack (cmd=0x5555567c9f40 <in_line> "8") at cmd.c:5493
        spkey = 0
        prefix_seen = 0 '\000'
        bad_command = 29 '\035'
        firsttime = 1 '\001'
#12 0x0000555555767f7b in moveloop (resuming=0 '\000') at allmain.c:823
        moveamt = 12
        wtcap = 0
        change = 0
        monscanmove = 0 '\000'
        timeout_start = 26897
        past_clock = 73557
        elf_regen = 1 '\001'
        orc_regen = 1 '\001'
        vamp_regen = 1 '\001'
#13 0x00005555563d7c7d in main (argc=0, argv=0x7fffffffe628) at ../sys/unix/unixmain.c:353
        fd = -1
        dir = 0x0
        exact_username = 0 '\000'
        resuming = 0 '\000'
        plsel_once = 1 '\001'