07544: to9: AddressSanitizer: heap-buffer-overflow

ID	Category [?]	Severity [?]	Reproducibility	Date Submitted	Last Update
07544	Misc.	Critical (emulator)	Always	Jan 8, 2020, 10:11	Dec 23, 2024, 13:40

Tester	Firewave	View Status	Public	Platform	MAME (Self-compiled)
Assigned To	galibert	Resolution	Open	OS	Windows 10 (64-bit)
Status [?]	Assigned			Driver	thomson/thomson.cpp
Version	0.217	Fixed in Version		Build	32-bit
		Fixed in Git Commit		Github Pull Request #

Summary	07544: to9: AddressSanitizer: heap-buffer-overflow
Description	================================================================= ==23816==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x22bb083e at pc 0x0684b096 bp 0x006fb99c sp 0x006fb990 READ of size 1 at 0x22bb083e thread T0 #0 0x684b095 in handler_entry_read_memory_bank<0,0,1>::read+0xd5 (s:\dev\mame0217\mame.exe+0x617b095) #1 0x6bdec8a in handler_entry_read_dispatch<16,0,1,1>::read+0x7a (s:\dev\mame0217\mame.exe+0x650ec8a) #2 0x66560f0 in address_space_specific<0,1,1>::read_native+0x70 (s:\dev\mame0217\mame.exe+0x5f860f0) #3 0x664fe85 in address_space_specific<0,0,1>::read_byte+0x45 (s:\dev\mame0217\mame.exe+0x5f7fe85) #4 0x7cefe4d in c39_device::mi_banked::read+0x6d (s:\dev\mame0217\mame.exe+0x761fe4d) #5 0x7e0c82d in m6809_base_device::read_memory+0x7d (s:\dev\mame0217\mame.exe+0x773c82d) #6 0x7e0a6a9 in m6809_base_device::execute_one+0x3ab9 (s:\dev\mame0217\mame.exe+0x773a6a9) #7 0x7e0bcd6 in m6809_base_device::execute_run+0x26 (s:\dev\mame0217\mame.exe+0x773bcd6) #8 0x669d553 in device_scheduler::timeslice+0x683 (s:\dev\mame0217\mame.exe+0x5fcd553) #9 0x66abc95 in running_machine::run+0x305 (s:\dev\mame0217\mame.exe+0x5fdbc95) #10 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc) #11 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a) #12 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104) #13 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259) #14 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be) #15 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #16 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358) #17 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73) #18 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43) 0x22bb083e is located 27 bytes to the right of 65571-byte region [0x22ba0800,0x22bb0823) allocated by thread T0 here: #0 0x1382e7d in operator new D:\agent\_work\s\src\vctools\crt\asan\llvm\compiler-rt\lib\asan\asan_new_delete.cc:99 #1 0x1388b51 in std::_Allocate<8,std::_Default_allocate_traits,0>+0x21 (s:\dev\mame0217\mame.exe+0xcb8b51) #2 0x65c19c4 in memory_region::memory_region+0xc4 (s:\dev\mame0217\mame.exe+0x5ef19c4) #3 0x666194b in memory_manager::region_alloc+0x25b (s:\dev\mame0217\mame.exe+0x5f9194b) #4 0x6747d03 in rom_load_manager::process_region_list+0x173 (s:\dev\mame0217\mame.exe+0x6077d03) #5 0x6741169 in rom_load_manager::rom_load_manager+0x819 (s:\dev\mame0217\mame.exe+0x6071169) #6 0x66acec7 in running_machine::start+0x447 (s:\dev\mame0217\mame.exe+0x5fdcec7) #7 0x66abb05 in running_machine::run+0x175 (s:\dev\mame0217\mame.exe+0x5fdbb05) #8 0x75392fc in mame_machine_manager::execute+0x52c (s:\dev\mame0217\mame.exe+0x6e692fc) #9 0x755b36a in cli_frontend::start_execution+0x56a (s:\dev\mame0217\mame.exe+0x6e8b36a) #10 0x7553104 in cli_frontend::execute+0x174 (s:\dev\mame0217\mame.exe+0x6e83104) #11 0x753a259 in emulator_info::start_frontend+0x59 (s:\dev\mame0217\mame.exe+0x6e6a259) #12 0xa7f25be in main+0x43e (s:\dev\mame0217\mame.exe+0xa1225be) #13 0xa598c9a in __scrt_common_main_seh d:\agent\_work\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #14 0x75d36358 in BaseThreadInitThunk+0x18 (C:\WINDOWS\System32\KERNEL32.DLL+0x6b816358) #15 0x779f7b73 in RtlGetAppContainerNamedObjectPath+0xe3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b73) #16 0x779f7b43 in RtlGetAppContainerNamedObjectPath+0xb3 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x4b2e7b43) SUMMARY: AddressSanitizer: heap-buffer-overflow (s:\dev\mame0217\mame.exe+0x617b095) in handler_entry_read_memory_bank<0,0,1>::read+0xd5 Shadow bytes around the buggy address: 0x345760b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x345760f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x34576100: 00 00 00 00 03 fa fa[fa]fa fa fa fa fa fa fa fa 0x34576110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x34576150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==23816==ABORTING
Steps To Reproduce
Additional Information
Github Commit

Flags
Regression Version
Affected Sets / Systems	to9

Attached Files

No.20727 Firewave Senior Tester Nov 5, 2022, 08:53	0.249 on Linux reports a segmentation fault: ==23340==ERROR: AddressSanitizer: SEGV on unknown address 0x03e800005b2c (pc 0x7f0caff1957c bp 0x000000005b2c sp 0x7f0cac8977e0 T0) ==23340==The signal is caused by a READ memory access. #0 0x7f0caff1957c in __pthread_kill_implementation nptl/./nptl/pthread_kill.c:44:76 #1 0x7f0cafecda01 in gsignal signal/../sysdeps/posix/raise.c:26:13 #2 0x7f0cb1cbf3c5 (/usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x13f3c5) (BuildId: 418f97e44d04d8ab9d3828e3cc45a8743439ecf7) #3 0x7f0cafecda9f (/lib/x86_64-linux-gnu/libc.so.6+0x3da9f) (BuildId: 71a7c7b97bc0b3e349a3d8640252655552082bf5) #4 0x7f0cf0b56f48 in handler_entry_read_memory_bank<0, 0>::read(unsigned int, unsigned char) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hem.cpp:79:9 #5 0x7f0cd52dbd00 in emu::detail::memory_access_cache<0, 0, (util::endianness)1>::read_native(unsigned int, unsigned char) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:2735:20 #6 0x7f0ce36dbc30 in read_byte /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1826:66 #7 0x7f0ce36dbc30 in m6809_base_device::mi_default::read_opcode(unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.cpp:586:19 #8 0x7f0ce36971f6 in m6809_base_device::read_opcode(unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.h:200:85 #9 0x7f0ce36904da in m6809_base_device::read_opcode() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.h:208:66 #10 0x7f0ce36e6992 in m6809_base_device::execute_one() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../generated/emu/cpu/m6809/m6809.hxx:247:13 #11 0x7f0ce36dba5e in m6809_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.cpp:574:3 #12 0x7f0ce36dbb1f in non-virtual thunk to m6809_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.cpp #13 0x7f0cf17d5817 in run /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:190:15 #14 0x7f0cf17d5817 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:456:14 #15 0x7f0cf166e4a7 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17 #16 0x7f0cf47d4f7f in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19 #17 0x7f0cf49c98d6 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22 #18 0x7f0cf49cd41f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3 #19 0x7f0cf47d9d5f in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18 #20 0x7f0cf19b058b in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9 #21 0x7f0cafeb9209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #22 0x7f0cafeb92bb in __libc_start_main csu/../csu/libc-start.c:389:3 #23 0x7f0ccf13a260 in _start (/mnt/s/GitHub/mame/mame+0x1d397260) (BuildId: 603d3d1c300651feb2a8e3ac6e9cb58d3f85e77b) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV nptl/./nptl/pthread_kill.c:44:76 in __pthread_kill_implementation
No.22683 Firewave Senior Tester Dec 23, 2024, 13:40	I am not able to reproduce this with 0.272 on Linux.

No.20727

Firewave

Senior Tester

Nov 5, 2022, 08:53

0.249 on Linux reports a segmentation fault:

==23340==ERROR: AddressSanitizer: SEGV on unknown address 0x03e800005b2c (pc 0x7f0caff1957c bp 0x000000005b2c sp 0x7f0cac8977e0 T0)
==23340==The signal is caused by a READ memory access.
    #0 0x7f0caff1957c in __pthread_kill_implementation nptl/./nptl/pthread_kill.c:44:76
    #1 0x7f0cafecda01 in gsignal signal/../sysdeps/posix/raise.c:26:13
    #2 0x7f0cb1cbf3c5  (/usr/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x13f3c5) (BuildId: 418f97e44d04d8ab9d3828e3cc45a8743439ecf7)
    #3 0x7f0cafecda9f  (/lib/x86_64-linux-gnu/libc.so.6+0x3da9f) (BuildId: 71a7c7b97bc0b3e349a3d8640252655552082bf5)
    #4 0x7f0cf0b56f48 in handler_entry_read_memory_bank<0, 0>::read(unsigned int, unsigned char) const /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem_hem.cpp:79:9
    #5 0x7f0cd52dbd00 in emu::detail::memory_access_cache<0, 0, (util::endianness)1>::read_native(unsigned int, unsigned char) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:2735:20
    #6 0x7f0ce36dbc30 in read_byte /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/emumem.h:1826:66
    #7 0x7f0ce36dbc30 in m6809_base_device::mi_default::read_opcode(unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.cpp:586:19
    #8 0x7f0ce36971f6 in m6809_base_device::read_opcode(unsigned short) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.h:200:85
    #9 0x7f0ce36904da in m6809_base_device::read_opcode() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.h:208:66
    #10 0x7f0ce36e6992 in m6809_base_device::execute_one() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../generated/emu/cpu/m6809/m6809.hxx:247:13
    #11 0x7f0ce36dba5e in m6809_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.cpp:574:3
    #12 0x7f0ce36dbb1f in non-virtual thunk to m6809_base_device::execute_run() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/devices/cpu/m6809/m6809.cpp
    #13 0x7f0cf17d5817 in run /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/diexec.h:190:15
    #14 0x7f0cf17d5817 in device_scheduler::timeslice() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/schedule.cpp:456:14
    #15 0x7f0cf166e4a7 in running_machine::run(bool) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/emu/machine.cpp:329:17
    #16 0x7f0cf47d4f7f in mame_machine_manager::execute() /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:290:19
    #17 0x7f0cf49c98d6 in cli_frontend::start_execution(mame_machine_manager*, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:275:22
    #18 0x7f0cf49cd41f in cli_frontend::execute(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/clifront.cpp:291:3
    #19 0x7f0cf47d9d5f in emulator_info::start_frontend(emu_options&, osd_interface&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >&) /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/frontend/mame/mame.cpp:454:18
    #20 0x7f0cf19b058b in main /mnt/s/GitHub/mame/build/projects/sdl/mame/gmake-linux-clang/../../../../../src/osd/sdl/sdlmain.cpp:191:9
    #21 0x7f0cafeb9209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #22 0x7f0cafeb92bb in __libc_start_main csu/../csu/libc-start.c:389:3
    #23 0x7f0ccf13a260 in _start (/mnt/s/GitHub/mame/mame+0x1d397260) (BuildId: 603d3d1c300651feb2a8e3ac6e9cb58d3f85e77b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV nptl/./nptl/pthread_kill.c:44:76 in __pthread_kill_implementation

No.22683

Firewave

Senior Tester

Dec 23, 2024, 13:40

I am not able to reproduce this with 0.272 on Linux.