A variant of NetHack that is designed to be a much more challenging experience than the original, drawing inspiration and content from various existing variants along with adding unique and never-before-seen custom content.
heap-use-after-free after 'Your dark elven chain mail crumbles into fragments!' #143
ASAN output:
==73452==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0004349ca at pc 0x55af3fb6b12e bp 0x7ffe1957eb40 sp 0x7ffe1957eb30
READ of size 5 at 0x60c0004349ca thread T0
#0 0x55af3fb6b12d in missmu /home/user/Documents/EvilHack/src/mhitu.c:271
#1 0x55af3fb8a637 in mattacku /home/user/Documents/EvilHack/src/mhitu.c:1048
#2 0x55af3fd0a80f in dochug /home/user/Documents/EvilHack/src/monmove.c:994
#3 0x55af3fcf60e2 in dochugw /home/user/Documents/EvilHack/src/monmove.c:176
#4 0x55af3fc667f1 in movemon /home/user/Documents/EvilHack/src/mon.c:1427
#5 0x55af3f6808ff in moveloop /home/user/Documents/EvilHack/src/allmain.c:218
#6 0x55af40237f85 in main ../sys/unix/unixmain.c:353
#7 0x7f250dc01d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#8 0x7f250dc01e3f in __libc_start_main_impl ../csu/libc-start.c:392
#9 0x55af3f67eac4 in _start (/home/user/games/evilhackdir/evilhack+0x1e9ac4)
0x60c0004349ca is located 74 bytes inside of 128-byte region [0x60c000434980,0x60c000434a00)
freed by thread T0 here:
#0 0x7f250e1a9537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55af3fc28adc in dealloc_obj /home/user/Documents/EvilHack/src/mkobj.c:2515
#2 0x55af3ff4b55d in obfree /home/user/Documents/EvilHack/src/shk.c:1030
#3 0x55af3f9db5d5 in delobj_core /home/user/Documents/EvilHack/src/invent.c:1268
#4 0x55af3f9db249 in delobj /home/user/Documents/EvilHack/src/invent.c:1232
#5 0x55af3f8e50d2 in breakobj /home/user/Documents/EvilHack/src/dothrow.c:2442
#6 0x55af3f8e68a1 in break_glass_obj /home/user/Documents/EvilHack/src/dothrow.c:2634
#7 0x55af3fb6b04f in missmu /home/user/Documents/EvilHack/src/mhitu.c:266
#8 0x55af3fb8a637 in mattacku /home/user/Documents/EvilHack/src/mhitu.c:1048
#9 0x55af3fd0a80f in dochug /home/user/Documents/EvilHack/src/monmove.c:994
#10 0x55af3fcf60e2 in dochugw /home/user/Documents/EvilHack/src/monmove.c:176
#11 0x55af3fc667f1 in movemon /home/user/Documents/EvilHack/src/mon.c:1427
#12 0x55af3f6808ff in moveloop /home/user/Documents/EvilHack/src/allmain.c:218
#13 0x55af40237f85 in main ../sys/unix/unixmain.c:353
#14 0x7f250dc01d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x7f250e1a9887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55af3f68a8e4 in alloc /home/user/Documents/EvilHack/src/alloc.c:46
#2 0x55af3fc1c336 in mksobj /home/user/Documents/EvilHack/src/mkobj.c:867
#3 0x55af3fc188bf in mkobj /home/user/Documents/EvilHack/src/mkobj.c:350
#4 0x55af3fc1822f in mkobj_at /home/user/Documents/EvilHack/src/mkobj.c:275
#5 0x55af3fbf9804 in makelevel /home/user/Documents/EvilHack/src/mklev.c:1088
#6 0x55af3fbfaaf3 in mklev /home/user/Documents/EvilHack/src/mklev.c:1218
#7 0x55af3f73f3d9 in wiz_makemap /home/user/Documents/EvilHack/src/cmd.c:894
#8 0x55af3f770729 in rhack /home/user/Documents/EvilHack/src/cmd.c:5577
#9 0x55af3f686e00 in moveloop /home/user/Documents/EvilHack/src/allmain.c:816
#10 0x55af40237f85 in main ../sys/unix/unixmain.c:353
#11 0x7f250dc01d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free /home/user/Documents/EvilHack/src/mhitu.c:271 in missmu
Shadow bytes around the buggy address:
0x0c188007e8e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c188007e8f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c188007e900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c188007e910: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c188007e920: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x0c188007e930: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x0c188007e940: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c188007e950: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c188007e960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c188007e970: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c188007e980: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==73452==ABORTING
Backtrace:
(rr) bt
#0 __sanitizer::internal__exit (exitcode=1) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_linux.cpp:448
#1 0x00007f250e1d32d7 in __sanitizer::Die () at ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cpp:59
#2 0x00007f250e1b277c in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=0x7ffe1957dec6, __in_chrg=<optimized out>)
at ../../../../src/libsanitizer/asan/asan_report.cpp:190
#3 0x00007f250e1b2015 in __asan::ReportGenericError (pc=94211176575278, bp=bp@entry=140729323612992, sp=sp@entry=140729323612976,
addr=106377754397130, is_write=is_write@entry=false, access_size=5, exp=0, fatal=true) at ../../../../src/libsanitizer/asan/asan_report.cpp:478
#4 0x00007f250e1b3638 in __asan::__asan_report_load_n (addr=<optimized out>, size=<optimized out>)
at ../../../../src/libsanitizer/asan/asan_rtl.cpp:146
#5 0x000055af3fb6b12e in missmu (mtmp=0x6110003cbe40, target=19, roll=14, mattk=0x55af4045c420 <mons+5120>) at mhitu.c:271
#6 0x000055af3fb8a638 in mattacku (mtmp=0x6110003cbe40) at mhitu.c:1048
#7 0x000055af3fd0a810 in dochug (mtmp=0x6110003cbe40) at monmove.c:994
#8 0x000055af3fcf60e3 in dochugw (mtmp=0x6110003cbe40) at monmove.c:176
#9 0x000055af3fc667f2 in movemon () at mon.c:1427
#10 0x000055af3f680900 in moveloop (resuming=0 '\000') at allmain.c:218
#11 0x000055af40237f86 in main (argc=0, argv=0x7ffe1957f668) at ../sys/unix/unixmain.c:353
# misc info.
(rr) p moves
$1 = 5400294
(rr) p u.uz
$2 = {dnum = 0 '\000', dlevel = 2 '\002'}
(rr) p u.umonnum
$3 = 471
(rr) p u.umonster
$4 = 471
(rr) p urace.malenum
$5 = 239
(rr) p toplines
$7 = "You die... Your dark elven chain mail deflects the lynx's attack. Your dark elven chain mail crumbles into fragments!", '\000' <repeats 180 times>
Looks like armor is being destroyed here: https://github.com/k21971/EvilHack/blob/8b2e3b012e59dfbc2b5dd071ca1b4eee8d907030/src/mhitu.c#L266
and then referenced again here: https://github.com/k21971/EvilHack/blob/8b2e3b012e59dfbc2b5dd071ca1b4eee8d907030/src/mhitu.c#L271
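The trace above shows the classic shape of this bug: a callee (break_glass_obj, via delobj and dealloc_obj) frees the worn armor, and the caller (missmu) keeps using its pointer a few lines later. The following C example is added here to illustrate that pattern and the usual fix; it is not EvilHack's code, and the struct obj model, make_armor, deflect_and_maybe_break and miss_message names are constructed stand-ins rather than the real functions. The vulnerable version is kept only for comparison and is never called; the hardened version has the callee report that it destroyed the object and null the caller's pointer, while the caller copies the name it needs for the message before the object can disappear.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal model of a worn armor piece; not EvilHack's struct obj. */
struct obj {
    char name[32];
    int fragile;      /* 1 if the armor crumbles when it absorbs a hit */
    int hits_taken;
};

/* Constructed stand-in for object creation: allocate and name an armor piece. */
struct obj *make_armor(const char *name, int fragile) {
    struct obj *o = calloc(1, sizeof *o);
    if (!o) abort();
    snprintf(o->name, sizeof o->name, "%s", name);
    o->fragile = fragile;
    return o;
}

/*
 * Vulnerable shape (what the ASan report describes): the callee frees the
 * object and tells the caller nothing, so the caller's pointer silently dangles.
 */
void deflect_and_maybe_break_unsafe(struct obj *armor) {
    armor->hits_taken++;
    if (armor->fragile)
        free(armor);   /* the "crumbles into fragments" path */
}

/* Never called here: reading armor->name after the call is a heap-use-after-free. */
int miss_message_unsafe(struct obj *armor) {
    deflect_and_maybe_break_unsafe(armor);
    return (int) strlen(armor->name);   /* UAF whenever the armor was fragile */
}

/*
 * Hardened shape: the callee reports whether it destroyed the object and clears
 * the caller's pointer, so the caller branches instead of dereferencing freed
 * memory. Returns 1 if the armor was destroyed, 0 if it survived.
 */
int deflect_and_maybe_break(struct obj **armorp) {
    struct obj *armor = *armorp;
    armor->hits_taken++;
    if (armor->fragile) {
        free(armor);
        *armorp = NULL;   /* the dangling pointer can no longer be used by accident */
        return 1;
    }
    return 0;
}

/* Safe caller: copies the name before the object can vanish, then checks the
   result before touching the pointer again. Returns 1 if the armor broke. */
int miss_message(struct obj **armorp, char *buf, size_t buflen) {
    char saved_name[32];
    snprintf(saved_name, sizeof saved_name, "%s", (*armorp)->name);
    int destroyed = deflect_and_maybe_break(armorp);
    if (destroyed)
        snprintf(buf, buflen, "Your %s crumbles into fragments!", saved_name);
    else
        snprintf(buf, buflen, "Your %s deflects the attack.", (*armorp)->name);
    return destroyed;
}

/* Exercises both paths; returns 1 when the hardened caller behaved correctly. */
int run_demo(void) {
    char buf[96];
    struct obj *a = make_armor("dark elven chain mail", 1);   /* constructed input */
    int ok = miss_message(&a, buf, sizeof buf) == 1 && a == NULL
             && strcmp(buf, "Your dark elven chain mail crumbles into fragments!") == 0;
    struct obj *b = make_armor("dark elven chain mail", 0);
    ok = ok && miss_message(&b, buf, sizeof buf) == 0 && b != NULL && b->hits_taken == 1;
    free(b);
    return ok;
}

int main(void) {
    char buf[96];
    struct obj *a = make_armor("dark elven chain mail", 1);
    miss_message(&a, buf, sizeof buf);
    puts(buf);
    return run_demo() ? 0 : 1;
}
```

Building the game with -fsanitize=address (as the reporter did) is the reliable way to catch the unsafe shape: the freed region is poisoned, so the later read in the caller is reported immediately with both the free and the allocation stacks, exactly as in the trace above.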