Viewing Issue Advanced Details

| Field | Value |
|---|---|
| ID | 06835 |
| Category | Misc. |
| Severity | Critical (emulator) |
| Reproducibility | Always |
| Date Submitted | Jan 8, 2018, 09:49 |
| Last Update | Nov 5, 2022, 09:01 |
| Tester | Firewave |
| View Status | Public |
| Platform | |
| Assigned To | |
| Resolution | Open |
| OS | |
| Status | Acknowledged |
| Driver | |
| Version | 0.193 |
| Fixed in Version | |
| Build | |
| Fixed in Git Commit | |
| Github Pull Request # | |
| Summary | 06835: megadriv, megadrij: AddressSanitizer: heap-buffer-overflow with -cart starodys |
Description

```
==112120==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62900072c200 at pc 0x000009e3e96a bp 0x7ffc1ac48190 sp 0x7ffc1ac48188
WRITE of size 2 at 0x62900072c200 thread T0
    #0 0x9e3e969 in write /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1500:28
    #1 0x9e3e969 in non-virtual thunk to md_rom_starodys_device::write(address_space&, unsigned int, unsigned short, unsigned short) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp
    #2 0x9e26b43 in base_md_cart_slot_device::write(address_space&, unsigned int, unsigned short, unsigned short) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/md_slot.cpp:965:11
    #3 0xe2c0a3d in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #4 0xe2c0a3d in write16 /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:469
    #5 0xe2c0a3d in write_native /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1172
    #6 0xe2c0a3d in write_direct<unsigned short, true> /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1337
    #7 0xe2c0a3d in address_space_specific<unsigned short, (endianness_t)1, 0, true>::write_word(unsigned int, unsigned short, unsigned short) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.cpp:1479
    #8 0xb13d51d in m68000_base_device::m68000_write_byte(unsigned int, unsigned char) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1249:11
    #9 0xb2f92e9 in operator() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:544:11
    #10 0xb2f92e9 in m68ki_write_8_fc /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:681
    #11 0xb2f92e9 in m68ki_write_8 /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:428
    #12 0xb2f92e9 in m68000_base_device::m68k_op_move_8_ai_d() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kops.cpp:16153
    #13 0xb1332d1 in m68000_base_device::execute_run() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:806:5
    #14 0xb13582f in non-virtual thunk to m68000_base_device::execute_run() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp
    #15 0xe78e272 in run /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:188:15
    #16 0xe78e272 in device_scheduler::timeslice() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:481
    #17 0xe6a324b in running_machine::run(bool) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:357:17
    #18 0x8cd10e0 in mame_machine_manager::execute() /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:236:19
    #19 0x8e1e0d3 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:257:22
    #20 0x8e20ee0 in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:273:3
    #21 0x8cd3717 in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:336:18
    #22 0x8acddf2 in main /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:216:9
    #23 0x7f780e82d82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #24 0x1431838 in _start (/mnt/mame/mame64_as+0x1431838)

Address 0x62900072c200 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1500:28 in write
Shadow bytes around the buggy address:
  0x0c52800dd7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c52800dd840:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800dd890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```
| Field | Value |
|---|---|
| Steps To Reproduce | |
| Additional Information | |
| Github Commit | |
| Flags | |
| Regression Version | |
| Affected Sets / Systems | megadriv, megadrij |

Attached Files
Relationships

There are no relationships linked to this issue.
Notes (2)
No.14641
Firewave Senior Tester
Jan 9, 2018, 22:01

m_nvram has a size of 0x2000 and the code tries to access it at 0x3000. This asserts in a Visual Studio debug build.
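The fault the note pins down is a cartridge write handler indexing a fixed-size NVRAM buffer with an index derived from the address the emulated 68000 stored to (the m68k frames in the report show the store coming from a guest MOVE.B instruction). That is the classic guest-controlled out-of-bounds store: the ROM image picks both the index and the value that land on the host heap, and ASan reports the target as a wild pointer surrounded by fa shadow bytes because index 0x3000 is well past the end of a 0x2000-byte buffer rather than just past it. The following is an added C++ illustration of that pattern next to a bounds-checked version; it is not MAME's code. The buffer size (0x2000) and the faulting index (0x3000) come from the note; the cart_nvram type, the kIndexMask used to derive the index, and the function names are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical mask used to turn the guest address into a buffer index. It is
// wider than the buffer (0x3fff vs. 0x1fff), which is how an index of 0x3000
// can come out of a write aimed at a 0x2000-byte buffer.
constexpr uint32_t kIndexMask = 0x3fff;

// Stand-in for a cartridge device's battery-backed RAM (not MAME's class).
// The sizes follow the note: 0x2000 bytes of NVRAM, guest write at 0x3000.
struct cart_nvram
{
    std::vector<uint8_t> m_nvram = std::vector<uint8_t>(0x2000, 0xff);

    // Buggy shape (illustrative): the index is taken straight from the guest
    // address and stored without comparing it to the buffer size. For an
    // offset that maps to 0x3000 this is a heap write 0x1000 bytes past the
    // end of m_nvram. Kept only to show the pattern; calling it with such an
    // offset is undefined behaviour and is exactly what ASan flags.
    void write_unchecked(uint32_t offset, uint8_t data)
    {
        m_nvram[offset & kIndexMask] = data;
    }

    // Hardened shape: same index derivation, but the index is checked against
    // the real buffer size before the store. Out-of-range guest writes are
    // dropped and reported to the caller instead of touching the heap.
    bool write_checked(uint32_t offset, uint8_t data)
    {
        const size_t index = offset & kIndexMask;
        if (index >= m_nvram.size())
            return false;
        m_nvram[index] = data;
        return true;
    }
};

// Pure check: would the unchecked handler store past a buffer of nvram_size
// bytes for this guest offset?
bool would_overflow(uint32_t offset, size_t nvram_size)
{
    return (offset & kIndexMask) >= nvram_size;
}

// Does a checked write at `offset` land in the buffer and read back?
bool checked_write_lands(uint32_t offset)
{
    cart_nvram cart;
    if (!cart.write_checked(offset, 0x5a))
        return false;
    return cart.m_nvram[offset & kIndexMask] == 0x5a;
}

int main()
{
    cart_nvram cart;
    std::printf("unchecked write at 0x3000 overflows a 0x%zx-byte buffer: %s\n",
                cart.m_nvram.size(),
                would_overflow(0x3000, cart.m_nvram.size()) ? "yes" : "no");
    std::printf("checked write at 0x3000 accepted: %s\n",
                cart.write_checked(0x3000, 0x12) ? "yes" : "no");
    std::printf("checked write at 0x1000 accepted: %s\n",
                cart.write_checked(0x1000, 0x34) ? "yes" : "no");
    return 0;
}
```

Masking the index with `m_nvram.size() - 1` instead of rejecting the write would also close the overflow, and is the right choice where the real cartridge mirrors its RAM across the wider window; which behaviour is correct for this mapper is not something the report settles. Either way the handler must never trust the guest-derived index to be in range, and an ASan build like the one that produced the report above is the cheapest way to catch the ones that do.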
No.20731
Firewave Senior Tester
Nov 5, 2022, 09:01

0.249 on Linux reports:

```
==1469==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290007ae200 at pc 0x7f2896842383 bp 0x7ffff87a5aa0 sp 0x7ffff87a5a98
WRITE of size 2 at 0x6290007ae200 thread T0
    #0 0x7f2896842382 in md_rom_starodys_device::write(unsigned int, unsigned short, unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1574:28
    #1 0x7f2896842501 in non-virtual thunk to md_rom_starodys_device::write(unsigned int, unsigned short, unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp
    #2 0x7f289681961d in base_md_cart_slot_device::write(unsigned int, unsigned short, unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/md_slot.cpp:964:11
    #3 0x7f28a3f235e2 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/lib/util/delegate.h:765:11
    #4 0x7f28a3f235e2 in std::enable_if<(((std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned char, unsigned char)> >::value) || (std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >::value)) || (std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned int, unsigned int)> >::value)) || (std::is_same<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)>, emu::device_delegate<void (unsigned int, unsigned long, unsigned long)> >::value), void>::type handler_entry_write_delegate<1, 0, emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >::write_impl<emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >(unsigned int, unsigned short, unsigned short) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hedp.cpp:115:2
    #5 0x7f28a3f23458 in handler_entry_write_delegate<1, 0, emu::device_delegate<void (unsigned int, unsigned short, unsigned short)> >::write(unsigned int, unsigned short, unsigned short) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hedp.cpp:150:2
    #6 0x7f289925026b in void dispatch_write<1, 1, 0>(unsigned int, unsigned int, emu::detail::handler_entry_size<1>::uX, emu::detail::handler_entry_size<1>::uX, handler_entry_write<1, 0> const* const*) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1577:47
    #7 0x7f289adc8ad7 in write_native /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1741:3
    #8 0x7f289adc8ad7 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1639:90
    #9 0x7f289adc8ad7 in void memory_write_generic<1, 0, (util::endianness)1, 1, true, emu::detail::memory_access_specific<1, 1, 0, (util::endianness)1>::wop()::'lambda'(unsigned int, unsigned short, unsigned short)>(emu::detail::memory_access_specific<1, 1, 0, (util::endianness)1>::wop()::'lambda'(unsigned int, unsigned short, unsigned short), unsigned int, emu::detail::handler_entry_size<1>::uX, emu::detail::handler_entry_size<1>::uX) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:921:10
    #10 0x7f289ada51d1 in write_word /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1659:56
    #11 0x7f289ada51d1 in operator() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1352:61
    #12 0x7f289ada51d1 in __invoke_impl<void, (lambda at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1352:14) &, unsigned int, unsigned char> /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:61:14
    #13 0x7f289ada51d1 in __invoke_r<void, (lambda at ../../../../../src/devices/cpu/m68000/m68kcpu.cpp:1352:14) &, unsigned int, unsigned char> /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/invoke.h:111:2
    #14 0x7f289ada51d1 in std::_Function_handler<void (unsigned int, unsigned char), m68000_base_device::init16(address_space&, address_space&)::$_11>::_M_invoke(std::_Any_data const&, unsigned int&&, unsigned char&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_function.h:290:9
    #15 0x7f289b01db39 in std::function<void (unsigned int, unsigned char)>::operator()(unsigned int, unsigned char) const /usr/bin/../lib/gcc/x86_64-linux-gnu/12/../../../../include/c++/12/bits/std_function.h:591:9
    #16 0x7f289b019655 in m68000_base_device::m68ki_write_8_fc(unsigned int, unsigned int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:689:2
    #17 0x7f289b011b4d in m68000_base_device::m68ki_write_8(unsigned int, unsigned int) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.h:432:58
    #18 0x7f289aed6b42 in m68000_base_device::x1080_move_b_071234fc() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kops.cpp:14917:2
    #19 0x7f289ad7e803 in m68000_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp:909:5
    #20 0x7f289ad8085f in non-virtual thunk to m68000_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m68000/m68kcpu.cpp
    #21 0x7f28a97145b7 in run /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:190:15
    #22 0x7f28a97145b7 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:456:14
    #23 0x7f28a95b2067 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17
    #24 0x7f28a16c1caf in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19
    #25 0x7f28a2a79026 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22
    #26 0x7f28a2a7cb6f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3
    #27 0x7f28a16c6a8f in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18
    #28 0x7f28a98a80fb in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9
    #29 0x7f285c5e9209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #30 0x7f285c5e92bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #31 0x7f2883238120 in _start (/mnt/s/GitHub/mame/mame+0x24d60120) (BuildId: 7b7aeda5846ab501)

Address 0x6290007ae200 is a wild pointer inside of access range of size 0x000000000002.
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/bus/megadrive/rom.cpp:1574:28 in md_rom_starodys_device::write(unsigned int, unsigned short, unsigned short)
Shadow bytes around the buggy address:
  0x0c52800edbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c52800edc40:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c52800edc90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```