richardjs / zoe

AI engine for the strategy game Hive
GNU General Public License v3.0
2 stars 0 forks

Buffer overflow in iterate #16

Closed. edre closed this 1 year ago

edre commented 1 year ago

Seen in worker launched from bestmove:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000070 at pc 0x55e9251d68ab bp 0x7ffe3440c330 sp 0x7ffe3440c328
READ of size 8 at 0x602000000070 thread T0
    #0 0x55e9251d68aa in iterate (/home/edre/code/games/zoe/src/zoe_uhp+0xdb8aa) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #1 0x55e9251d676f in iterate (/home/edre/code/games/zoe/src/zoe_uhp+0xdb76f) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #2 0x55e9251d676f in iterate (/home/edre/code/games/zoe/src/zoe_uhp+0xdb76f) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #3 0x55e9251d6c20 in mcts (/home/edre/code/games/zoe/src/zoe_uhp+0xdbc20) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #4 0x55e9251f5bd1 in think (/home/edre/code/games/zoe/src/zoe_uhp+0xfabd1) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #5 0x55e9251fa1d8 in bestmove (/home/edre/code/games/zoe/src/zoe_uhp+0xff1d8) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #6 0x55e9251faaa3 in uhp_loop (/home/edre/code/games/zoe/src/zoe_uhp+0xffaa3) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #7 0x55e9251d3c07 in main (/home/edre/code/games/zoe/src/zoe_uhp+0xd8c07) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)
    #8 0x7fdd65332aac  (/lib/ld-musl-x86_64.so.1+0x1baac)

0x602000000071 is located 0 bytes after 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
    #0 0x55e92519918e in malloc /home/buildozer/aports/main/llvm-runtimes/src/llvm-project-16.0.3.src/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55e9251d5f5f in Node_expand (/home/edre/code/games/zoe/src/zoe_uhp+0xdaf5f) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/edre/code/games/zoe/src/zoe_uhp+0xdb8aa) (BuildId: 95bedde276c2860075aab6cbbeb5f52b48caf504) in iterate

0 bytes after a 1-byte region sounds like it's probably dereferencing a pointer returned from a malloc(0). In the context of Node_expand, that would be a node with zero children. The game state definitely had moves available so I don't know.
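The situation guessed at in the comment above (a node expanded with zero children, and a selection step that reads children[0] anyway) as a constructed C sketch. This is added illustration, not zoe's code: the struct, the function names and the stand-in move generators are invented for the example. Built with -fsanitize=address, calling select_unchecked on the terminal node triggers a heap-buffer-overflow READ of size 8 at the start of the zero-byte region; select_checked treats a node with no children as terminal and never indexes the array.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical MCTS node (not zoe's own struct): the children array is
 * sized from the number of legal moves at expansion time. */
struct node {
    struct node **children;
    size_t nchildren;
    unsigned visits;
};

/* Stand-in move generators, constructed for the example. */
typedef size_t (*movegen_fn)(const struct node *);
static size_t moves_none(const struct node *n)  { (void)n; return 0; }
static size_t moves_three(const struct node *n) { (void)n; return 3; }

/* Expansion in the shape the trace suggests: when the generator returns 0
 * this is malloc(0), which yields either NULL or a unique pointer that
 * must never be dereferenced. Nothing here is wrong by itself. */
void expand(struct node *n, movegen_fn gen) {
    n->nchildren = gen(n);
    n->children = malloc(n->nchildren * sizeof *n->children);
    for (size_t i = 0; i < n->nchildren; i++) {
        n->children[i] = calloc(1, sizeof **n->children);
        assert(n->children[i] != NULL);
    }
}

/* Selection that assumes at least one child. With nchildren == 0 the
 * load of children[0] is an 8-byte read 0 bytes past the allocation,
 * which is exactly what ASan flags. Kept only for comparison; do not
 * call it on a node that may have expanded to nothing. */
struct node *select_unchecked(struct node *n) {
    return n->children[0];
}

/* Hardened selection: a node that expanded to zero children is terminal.
 * Picks the least-visited child among those that exist. */
struct node *select_checked(struct node *n) {
    if (n->nchildren == 0 || n->children == NULL)
        return NULL;
    size_t best = 0;
    for (size_t i = 1; i < n->nchildren; i++)
        if (n->children[i]->visits < n->children[best]->visits)
            best = i;
    return n->children[best];
}

/* Expands a fresh root with the given generator, performs one checked
 * selection, frees everything, and returns how many children were
 * available to select from (0 means the node was terminal and no
 * element of the array was read). */
size_t expand_then_select(movegen_fn gen) {
    struct node root = {0};
    expand(&root, gen);
    struct node *child = select_checked(&root);
    size_t available = child ? root.nchildren : 0;
    for (size_t i = 0; i < root.nchildren; i++)
        free(root.children[i]);
    free(root.children); /* free() of a malloc(0) result is well defined */
    return available;
}

int main(void) {
    printf("terminal node: %zu children available\n", expand_then_select(moves_none));
    printf("normal node:   %zu children available\n", expand_then_select(moves_three));
    return 0;
}
```

To see the report, build with `cc -g -fsanitize=address` and swap `select_checked` for `select_unchecked` in `expand_then_select`: the run with `moves_none` aborts with a heap-buffer-overflow READ of size 8 attributed to the selection function, allocated in `expand`. Whether the zero-child node is a legitimate terminal position or a symptom of move generation returning nothing for a position that does have moves (the commenter's concern) is a separate question the check above does not answer; it only stops the out-of-bounds read.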

richardjs commented 1 year ago

As described in #15, this issue may be resolved by actually initializing the extremely important coords system. Can you see if you can still reproduce it? (I haven't yet been able to.)

edre commented 1 year ago

I now get a different out-of-bounds read. See https://github.com/richardjs/zoe/issues/15#issuecomment-1548915259

richardjs commented 1 year ago

I believe this is solved, see the explanation in #15. But let me know if you still encounter the issue.