xray-16
global-buffer-overflow on address
Hi, I tested the last commit in the repo: 756cbb947a7f1279e6117a92e33c497dd485b89f
==69658==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00080640a8a7 at pc 0x0008065cb974 bp 0x7fffffff9e20 sp 0x7fffffff9e18
READ of size 4 at 0x00080640a8a7 thread T0
#0 0x0008065cb973 (/usr/local/lib/xrLuaJIT.so+0x18a973)
#1 0x0008064a9fc7 in lua_pushstring (/usr/local/lib/xrLuaJIT.so+0x68fc7)
#2 0x000806425586 (/usr/local/lib/xrLuabind.so+0x2a586)
#3 0x000806425277 in luabind::detail::class_registry::class_registry(lua_State*) (/usr/local/lib/xrLuabind.so+0x2a277)
#4 0x0008064375de in luabind::open(lua_State*) (/usr/local/lib/xrLuabind.so+0x3c5de)
#5 0x0008063b55cc in CScriptEngine::init(void (*)(lua_State*), bool) (/usr/local/lib/xrScriptEngine.so+0xa05cc)
#6 0x000800b5820d in xray::render::render_gl::CResourceManager::LS_Load() (/usr/local/lib/xrRender_GL.so+0x75820d)
#7 0x000800982d32 in xray::render::render_gl::CResourceManager::OnDeviceCreate(IReader*) (/usr/local/lib/xrRender_GL.so+0x582d32)
#8 0x000800983574 in xray::render::render_gl::CResourceManager::OnDeviceCreate(char const*) (/usr/local/lib/xrRender_GL.so+0x583574)
#9 0x00080080d0f9 in xray::render::render_gl::D3DXRenderBase::OnDeviceCreate(char const*) (/usr/local/lib/xrRender_GL.so+0x40d0f9)
#10 0x0008059892c1 in CRenderDevice::Create() (/usr/local/lib/xrEngine.so+0x22e2c1)
#11 0x0008059567d6 in CApplication::CApplication(char const*, GameModule*, std::__1::array<RendererModule*, 2ul> const&) (/usr/local/lib/xrEngine.so+0x1fb7d6)
#12 0x0000002f4b26 in main (/usr/local/bin/xr_3da+0x2f4b26)
#13 0x000805f2be33 in __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:157:7
#14 0x00000024d313 in _start (/usr/local/bin/xr_3da+0x24d313)
0x00080640a8a7 is located 57 bytes before global variable '.str.6' defined in '/usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp' (0x00080640a8e0) of size 11
'.str.6' is ascii string '__newindex'
0x00080640a8a7 is located 25 bytes before global variable '.str.5' defined in '/usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp' (0x00080640a8c0) of size 8
'.str.5' is ascii string '__index'
0x00080640a8a7 is located 0 bytes after global variable '.str.4' defined in '/usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp' (0x00080640a8a0) of size 7
'.str.4' is ascii string '__call'
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/local/lib/xrLuaJIT.so+0x18a973)
Shadow bytes around the buggy address:
0x00080640a600: 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 00 00 00 00
0x00080640a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00080640a700: 00 00 00 00 00 00 00 00 02 f9 f9 f9 00 02 f9 f9
0x00080640a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00080640a800: 00 00 02 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
=>0x00080640a880: 05 f9 f9 f9[07]f9 f9 f9 00 f9 f9 f9 00 03 f9 f9
0x00080640a900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x00080640a980: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 05 f9
0x00080640aa00: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 06 f9 f9 f9
0x00080640aa80: 07 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 03 f9 f9
0x00080640ab00: 06 f9 f9 f9 06 f9 f9 f9 06 f9 f9 f9 06 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==69658==ABORTING
The stack trace is incomplete: the first three lines are just addresses, so we can't say which function produces it. But I know that LuaJIT contains an intentional out-of-buffer string read. It's better to disable the ASAN warning for this exact problem.
Is it normal to read out-of-buffer? I'm not sure.
READ of size 4 at 0x000807e36707 thread T0
#0 0x00080800745c in lj_getu32 /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/LuaJIT/src/lj_def.h:244:36
#1 0x00080800745c in str_fastcmp /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/LuaJIT/src/lj_str.c:48:18
#2 0x00080800745c in lj_str_new /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/LuaJIT/src/lj_str.c:156:29
#3 0x000807ed86c8 in lua_pushstring /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/LuaJIT/src/lj_api.c:712:9
#4 0x000807e52a66 in luabind::detail::(anonymous namespace)::create_cpp_class_metatable(lua_State*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp:62:5
#5 0x000807e52743 in luabind::detail::class_registry::class_registry(lua_State*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp:90:28
#6 0x000807e65bbe in void luabind::(anonymous namespace)::createGarbageCollectedRegistryUserdata<luabind::detail::class_registry, lua_State*>(lua_State*, char const*, lua_State*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/open.cpp:113:18
#7 0x000807e65bbe in luabind::open(lua_State*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/open.cpp:131:3
#8 0x000807dcd20a in CScriptEngine::init(void (*)(lua_State*), bool) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/xrScriptEngine/script_engine.cpp:789:5
#9 0x000800e6d538 in xray::render::render_gl::CResourceManager::LS_Load() /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/Layers/xrRenderGL/glResourceManager_Scripting.cpp:415:18
#10 0x000800bd924e in xray::render::render_gl::CResourceManager::OnDeviceCreate(IReader*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/Layers/xrRender/ResourceManager_Loader.cpp:62:5
#11 0x000800bd9a86 in xray::render::render_gl::CResourceManager::OnDeviceCreate(char const*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/Layers/xrRender/ResourceManager_Loader.cpp:155:5
#12 0x0008009e3219 in xray::render::render_gl::D3DXRenderBase::OnDeviceCreate(char const*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/Layers/xrRender/D3DXRenderBase.cpp:152:16
#13 0x0008073a411d in CRenderDevice::Create() /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/xrEngine/Device_create.cpp:47:18
#14 0x000807364eae in CApplication::CApplication(char const*, GameModule*, std::__1::array<RendererModule*, 2ul> const&) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/xrEngine/x_ray.cpp:296:12
#15 0x0000002f4e56 in entry_point(char const*) /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/xr_3da/entry_point.cpp:51:18
#16 0x0000002f4e56 in main /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/src/xr_3da/entry_point.cpp:109:22
#17 0x0008078a5e33 in __libc_start1 /usr/src/lib/libc/csu/libc_start1.c:157:7
#18 0x00000024d6a3 in _start /usr/src/lib/csu/amd64/crt1_s.S:80
0x000807e36707 is located 57 bytes before global variable '.str.8' defined in '/usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp:70' (0x000807e36740) of size 11
'.str.8' is ascii string '__newindex'
0x000807e36707 is located 25 bytes before global variable '.str.7' defined in '/usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp:66' (0x000807e36720) of size 8
'.str.7' is ascii string '__index'
0x000807e36707 is located 0 bytes after global variable '.str.6' defined in '/usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/luabind/src/class_registry.cpp:62' (0x000807e36700) of size 7
'.str.6' is ascii string '__call'
SUMMARY: AddressSanitizer: global-buffer-overflow /usr/ports/games/xray-16/work/xray-16-756cbb947a7f1279e6117a92e33c497dd485b89f/Externals/LuaJIT/src/lj_def.h:244:36 in lj_getu32
Shadow bytes around the buggy address:
0x000807e36480: 00 02 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x000807e36500: 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9
0x000807e36580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
0x000807e36600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 f9
0x000807e36680: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 05 f9 f9 f9
=>0x000807e36700:[07]f9 f9 f9 00 f9 f9 f9 00 03 f9 f9 00 00 00 00
0x000807e36780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000807e36800: 00 07 f9 f9 f9 f9 f9 f9 00 04 f9 f9 00 00 00 00
0x000807e36880: 00 00 00 00 00 00 00 00 00 00 03 f9 f9 f9 f9 f9
0x000807e36900: 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
0x000807e36980: 00 00 05 f9 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==76581==ABORTING
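The lj_str_new -> str_fastcmp -> lj_getu32 frames in the symbolized trace are the over-read the earlier reply calls intentional: LuaJIT compares candidate strings a 32-bit word at a time, so the last load can run a few bytes past the end of a string whose length is not a multiple of four (here, 0 bytes after the 7-byte '__call' literal). The following is an added example, not LuaJIT's or xray-16's code, that shows the same pattern together with the two things a reviewer wants next to it: the page-boundary guard that keeps the extra bytes on a mapped page (why it is safe in practice even though ASan cannot know that), and a per-function no_sanitize_address opt-out that silences exactly these reports without disabling ASan for the rest of the build. The 4 KiB page size and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGESIZE 4096  /* assumption: 4 KiB pages, like LuaJIT's LJ_PAGESIZE on x86-64 */

/* Exempt only the over-reading functions from ASan. The load helper needs the
 * attribute too: clang does not inline instrumented code into exempt code. */
#if defined(__clang__) || defined(__GNUC__)
#define NO_ASAN __attribute__((no_sanitize_address))
#else
#define NO_ASAN
#endif

/* Unaligned 4-byte load; reading past the object is what ASan reports. */
static NO_ASAN uint32_t getu32(const char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Word-at-a-time compare: may read up to 3 bytes past len in either buffer,
 * which is only acceptable when the caller has checked they stay on a page. */
static NO_ASAN int fastcmp(const char *a, const char *b, size_t len)
{
    size_t i = 0;
    do {
        if (getu32(a + i) != getu32(b + i)) {
            /* The difference may be in the bytes past len: settle the last
             * word byte-wise over the part that is inside len. */
            size_t tail = len - i < 4 ? len - i : 4;
            return memcmp(a + i, b + i, tail);
        }
        i += 4;
    } while (i < len);
    return 0;
}

/* The guard that keeps the over-read on a mapped page: the last byte of the
 * string must be at least 3 bytes before the end of its page. */
static int fast_path_ok(const char *s, size_t len)
{
    return ((uintptr_t)(s + len - 1) & (PAGESIZE - 1)) <= PAGESIZE - 4;
}

/* 1 if the two strings of length len are byte-for-byte equal. */
int str_equal(const char *a, const char *b, size_t len)
{
    if (len == 0) return 1;
    if (fast_path_ok(a, len) && fast_path_ok(b, len))
        return fastcmp(a, b, len) == 0;
    return memcmp(a, b, len) == 0;  /* slow path near a page boundary */
}
```

Built with -fsanitize=address, the global-buffer-overflow report from the issue no longer fires for these two functions while every other out-of-bounds access in the binary is still caught; a blanket ASAN_OPTIONS or a build-wide opt-out would lose that.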