Viewing Issue Advanced Details
ID: 05875
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Mar 9, 2015, 23:03
Last Update: Mar 3, 2021, 15:07
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Assigned To: Robbbert
Resolution: Fixed
Status: Resolved
Version: 0.159
Fixed in Version: 0.230
Build: Debug
Fixed in Git Commit: 0633a88
Summary 05875: magictg: AddressSanitizer: heap-buffer-overflow
Description
==3519==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00005b320 at pc 0x00000523ca4b bp 0x7fffa5f0e540 sp 0x7fffa5f0e538
READ of size 4 at 0x61d00005b320 thread T0
    #0 0x523ca4a in magictg_state::zr36120_r(address_space&, unsigned int, unsigned int) /home/notroot/trunk/src/mame/drivers/magictg.c:468:5
    #1 0x80abfaf in delegate_base<unsigned int, address_space&, unsigned int, unsigned int, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam, _noparam>::operator()(address_space&, unsigned int, unsigned int) const /home/notroot/trunk/src/lib/util/delegate.h:652:76
    #2 0x80abfaf in handler_entry_read::read32(address_space&, unsigned int, unsigned int) const /home/notroot/trunk/src/emu/memory.c:360
    #3 0x80abfaf in address_space_specific<unsigned int, (endianness_t)1, true>::read_native(unsigned int) /home/notroot/trunk/src/emu/memory.c:1096
    #4 0x80ac25b in address_space_specific<unsigned int, (endianness_t)1, true>::read_dword_static(address_space_specific<unsigned int, (endianness_t)1, true>&, unsigned int) /home/notroot/trunk/src/emu/memory.c:1444:99
    #5 0x7f51da090c88 (<unknown module>)

0x61d00005b320 is located 16 bytes to the right of 2192-byte region [0x61d00005aa80,0x61d00005b310)
allocated by thread T0 here:
    #0 0x114f82b in __interceptor_malloc /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x8b430e8 in osd_malloc(unsigned long) /home/notroot/trunk/src/osd/modules/lib/osdlib_unix.c:75:9
    #2 0x841ab91 in malloc_file_line(unsigned long, char const*, int, bool, bool, bool) /home/notroot/trunk/src/lib/util/corealloc.c:112:50
    #3 0x5240e6a in operator new(unsigned long, char const*, int, zeromem_t const&) /home/notroot/trunk/src/lib/util/corealloc.h:77:142
    #4 0x5240e6a in device_t* driver_device_creator<magictg_state>(machine_config const&, char const*, device_t*, unsigned int) /home/notroot/trunk/src/emu/driver.h:287
    #5 0x805e50d in machine_config::device_add(device_t*, char const*, device_t* (*)(machine_config const&, char const*, device_t*, unsigned int), unsigned int) /home/notroot/trunk/src/emu/mconfig.c:144:22
    #6 0x523e06b in construct_machine_config_magictg(machine_config&, device_t*, device_t*) /home/notroot/trunk/src/mame/drivers/magictg.c:896:8
    #7 0x805d546 in machine_config::machine_config(game_driver const&, emu_options&) /home/notroot/trunk/src/emu/mconfig.c:33:2
    #8 0x8048a5d in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:214:18
    #9 0x7e7a97c in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #10 0x575e57b in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #11 0x7f51eb1aeec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/notroot/trunk/src/mame/drivers/magictg.c:468 magictg_state::zr36120_r(address_space&, unsigned int, unsigned int)
Shadow bytes around the buggy address:
  0x0c3a80003610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80003620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80003630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80003640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a80003650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a80003660: 00 00 fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80003670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80003680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80003690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a800036a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a800036b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
Affected Sets / Systems: magictg
Relationships: There are no relationships linked to this issue.
Notes (5)
No.11510
B2K24
Senior Tester
Mar 11, 2015, 18:49
edited on: Mar 11, 2015, 18:49
-----------------------------------------------------
Exception at EIP=0000000002B3F97D (mips3_frontend::describe(opcode_desc&, opcode_desc const*)+0x0083): ACCESS VIOLATION
While attempting to read memory at 00000000893FF1B0
-----------------------------------------------------
RAX=00000000893FF1B0 RBX=0000000057B51FF0 RCX=000000004CBEF638 RDX=00000000583D17B8
RSI=0000000000000001 RDI=0000000044885BF0 RBP=0000000000227F90 RSP=0000000000227F50
 R8=0000000000000000  R9=0000000000000000 R10=0000000000000000 R11=0000000000000246
R12=0000000000000018 R13=0000000000000006 R14=0000000000000000 R15=0000000000000000
-----------------------------------------------------
Stack crawl:
  0000000000227F60: 0000000002B3F97D (mips3_frontend::describe(opcode_desc&, opcode_desc const*)+0x0083)
  0000000000228020: 0000000002B376CC (drc_frontend::describe_one(unsigned int, opcode_desc const*)+0x0128)
  00000000002283B0: 0000000002B3735A (drc_frontend::describe_code(unsigned int)+0x01d0)
  0000000000228500: 00000000025D846A (mips3_device::code_compile_block(unsigned char, unsigned int)+0x0098)
  0000000000228550: 0000000002738CA4 (mips3_device::execute_run()+0x0098)
  0000000000228580: 0000000003BFF882 (device_execute_interface::run()+0x0022)
  0000000000228640: 0000000002D29488 (device_scheduler::timeslice()+0x0316)
  0000000000228710: 0000000002D9A444 (running_machine::run(bool)+0x02b0)
  000000000022F4F0: 0000000002DA8E5A (machine_manager::execute()+0x01f8)
  000000000022F750: 0000000002E2CD7F (cli_frontend::execute(int, char**)+0x085f)
  000000000022FDF0: 000000000209B0D9 (utf8_main(int, char**)+0x020d)
  000000000022FE50: 0000000003131169 (wmain+0x00b9)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000076A25A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 0000000076EBBA01 (RtlUserThreadStart+0x0021)
No.14302
Kale
Developer
Oct 18, 2017, 23:33
fwiw I'm getting this, which is odd (game can't access ui_manager at all!)

-----------------------------------------------------
Exception at EIP=00000000012584fa (__dynamic_cast+0x001a): ACCESS VIOLATION
While attempting to read memory at 0000000081636a50
-----------------------------------------------------
RAX=0000000081636a60 RBX=000000002d563bd0 RCX=000000002d563bd0 RDX=000000002d563bd0
RSI=fffffffffffffffe RDI=00000000015e6420 RBP=00000000015e7430 RSP=0000000000237d40
 R8=00000000015e6420  R9=fffffffffffffffe R10=e462687564633131 R11=8101010101010100
R12=00000000015e6420 R13=fffffffffffffffe R14=000000000023ebc0 R15=0000000000237e50
-----------------------------------------------------
Stack crawl:
  0000000000237dc0: 00000000012584fa (__dynamic_cast+0x001a)
  0000000000237f00: 0000000000551f49 (mame_ui_manager::image_handler_ingame()+0x00b9)
  0000000000238220: 0000000000554165 (mame_ui_manager::handler_ingame(render_container&)+0x03b5)
  0000000000238250: 00000000011d8864 (std::_Function_handler<unsigned int (render_container&), std::_Bind<std::_Mem_fn<unsigned int (mame_ui_manager::*)(render_container&)> (mame_ui_manager*, std::_Placeholder<1>)> >::_M_invoke(std::_Any_data const&, render_container&)+0x0024)
  0000000000238350: 0000000000552d82 (mame_ui_manager::update_and_render(render_container&)+0x0152)
  0000000000238380: 000000000051bb20 (emulator_info::draw_user_interface(running_machine&)+0x0020)
  0000000000238410: 0000000000ade59d (video_manager::frame_update(bool)+0x003d)
  00000000002384a0: 0000000000ab3acd (screen_device::vblank_begin()+0x03ed)
  0000000000238510: 0000000000ab76e5 (screen_device::device_timer(emu_timer&, unsigned int, int, void*)+0x0275)
  00000000002385c0: 0000000000aaf002 (device_scheduler::timeslice()+0x04e2)
  00000000002386c0: 0000000000a6fa58 (running_machine::run(bool)+0x0388)
  000000000023f270: 000000000051d963 (mame_machine_manager::execute()+0x01e3)
  000000000023f510: 000000000058b8f9 (cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&)+0x03f9)
  000000000023f680: 000000000058bd75 (cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x0045)
  000000000023f6e0: 000000000051baca (emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&)+0x002a)
  000000000023fe50: 00000000012acb6d (main+0x013d)
  000000000023ff20: 00000000004013f8 (__tmainCRTStartup+0x0248)
  000000000023ff50: 000000000040151b (mainCRTStartup+0x001b)
  000000000023ff80: 00007ffb0b8c13d2 (BaseThreadInitThunk+0x0022)
  000000000023ffd0: 00007ffb0ca854f4 (RtlUserThreadStart+0x0034)
No.18509
Robbbert
Senior Tester
Mar 3, 2021, 06:28
edited on: Mar 3, 2021, 06:28
Game crashes at start without needing a debug build.
(0.229)
No.18510
Osso
Moderator
Mar 3, 2021, 06:32
edited on: Mar 3, 2021, 06:39
The problem is as_regs is an array of 19, but at line 499 there's res = m_zr36120.as_regs[offset]; and offset can go up to 0x200, causing an overflow.

EDIT: doh, see you were already on it :)
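Added example (not code from this report or from MAME): a minimal C model of the overflow Osso describes, with the unchecked read beside a bounds-checked one. The struct and function names (zr36120_state, zr36120_read_unchecked, zr36120_read_checked, probe_checked, count_out_of_range) and the all-ones return for rejected offsets are assumptions made for this example; only the 19-entry array and the 0x200 offset range come from the note. The sweep at the end counts how many of those bus offsets the unchecked handler would have turned into an out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register count taken from the note: as_regs holds 19 entries. */
#define AS_REG_COUNT 19u
/* Highest bus offset the note says the handler can be called with. */
#define MAX_BUS_OFFSET 0x200u

/* Hypothetical stand-in for the driver state; not MAME's own struct. */
struct zr36120_state {
    uint32_t as_regs[AS_REG_COUNT];
};

/* "Before" shape of the handler: the bus offset is used as the array
 * index with no range check, so any offset >= AS_REG_COUNT reads past
 * the 19 entries (the heap-buffer-overflow ASan reported). Kept only
 * for comparison; it must never be called with an out-of-range offset. */
uint32_t zr36120_read_unchecked(const struct zr36120_state *s, uint32_t offset)
{
    return s->as_regs[offset];
}

/* Hardened read: reject offsets outside the array. Out-of-range reads
 * return an all-ones "open bus" value (an assumed choice for this
 * example) and report the condition through *oob so a caller can log it. */
uint32_t zr36120_read_checked(const struct zr36120_state *s, uint32_t offset, int *oob)
{
    if (offset >= AS_REG_COUNT) {
        if (oob) *oob = 1;
        return 0xffffffffu;
    }
    if (oob) *oob = 0;
    return s->as_regs[offset];
}

/* Build a state whose register i holds 0x100 + i (constructed sample
 * data) and read one offset through the checked handler. */
uint32_t probe_checked(uint32_t offset, int *oob)
{
    struct zr36120_state s;
    for (uint32_t i = 0; i < AS_REG_COUNT; ++i)
        s.as_regs[i] = 0x100u + i;
    return zr36120_read_checked(&s, offset, oob);
}

/* Sweep offsets 0..max_offset and count those the unchecked handler
 * would have turned into an out-of-bounds read. */
size_t count_out_of_range(uint32_t max_offset)
{
    size_t n = 0;
    for (uint32_t off = 0; off <= max_offset; ++off) {
        int oob = 0;
        (void)probe_checked(off, &oob);
        if (oob) ++n;
    }
    return n;
}

int main(void)
{
    int oob = 0;
    uint32_t in_range = probe_checked(0x12, &oob);   /* last valid index */
    printf("offset 0x12 -> 0x%08x (oob=%d)\n", in_range, oob);
    uint32_t past_end = probe_checked(0x13, &oob);   /* first invalid index */
    printf("offset 0x13 -> 0x%08x (oob=%d)\n", past_end, oob);
    printf("%zu of %u offsets would overflow the unchecked handler\n",
           count_out_of_range(MAX_BUS_OFFSET), MAX_BUS_OFFSET + 1u);
    return 0;
}
```

The checked handler keeps the read total (no crash, no silent read of neighbouring heap data) and leaves the caller a flag it can turn into a log line, which is the behaviour you want from an emulated device when a guest pokes at registers that do not exist.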
No.18511
Robbbert
Senior Tester
Mar 3, 2021, 15:07
The game is a very long way from working, however the buffer overrun situation (the subject of this report) has been fixed.