Double free in do_attack #2183

Closed
lmoureaux opened this issue Jan 30, 2024 · 0 comments · Fixed by #2185
Describe the bug

panch93

==28239==ERROR: AddressSanitizer: heap-use-after-free on address 0x61300004d254 at pc 0x55c0b3439123 bp 0x7ffe44574770 sp 0x7ffe44574760
READ of size 4 at 0x61300004d254 thread T0
    #0 0x55c0b3439122 in do_attack /home/pranav/freeciv/freeciv21/server/unithand.cpp:4138
    #1 0x55c0b34325b2 in unit_perform_action(player*, int, int, int, char const*, int, action_requester) /home/pranav/freeciv/freeciv21/server/unithand.cpp:3122
    #2 0x55c0b343a49a in unit_do_action(player*, int, int, int, char const*, int) (/home/pranav/freeciv/freeciv21/build/freeciv21-server+0x1e8549a)
    #3 0x55c0b37c7c12 in dai_unit_attack(ai_type*, unit*, tile*) /home/pranav/freeciv/freeciv21/ai/default/aitools.cpp:873
    #4 0x55c0b358405e in adv_unit_execute_path(unit*, PFPath const&) /home/pranav/freeciv/freeciv21/server/advisors/advgoto.cpp:102
    #5 0x55c0b3802381 in dai_military_rampage(unit*, int, int) /home/pranav/freeciv/freeciv21/ai/default/aiunit.cpp:611
    #6 0x55c0b3830736 in dai_military_attack /home/pranav/freeciv/freeciv21/ai/default/aiunit.cpp:1763
    #7 0x55c0b384010d in dai_manage_military(ai_type*, player*, unit*) /home/pranav/freeciv/freeciv21/ai/default/aiunit.cpp:2472
    #8 0x55c0b3851675 in dai_manage_unit(ai_type*, player*, unit*) /home/pranav/freeciv/freeciv21/ai/default/aiunit.cpp:2633
    #9 0x55c0b3868cd9 in dai_manage_units(ai_type*, player*) /home/pranav/freeciv/freeciv21/ai/default/aiunit.cpp:2791
    #10 0x55c0b37500e2 in dai_do_first_activities(ai_type*, player*) /home/pranav/freeciv/freeciv21/ai/default/aihand.cpp:737
    #11 0x55c0b36aa667 in cai_do_first_activities /home/pranav/freeciv/freeciv21/ai/classic/classicai.cpp:432
    #12 0x55c0b30b2559 in ai_start_phase /home/pranav/freeciv/freeciv21/server/srv_main.cpp:1041
    #13 0x55c0b30b2559 in begin_phase(bool) /home/pranav/freeciv/freeciv21/server/srv_main.cpp:1332
    #14 0x55c0b3074c76 in freeciv::server::begin_phase() /home/pranav/freeciv/freeciv21/server/server.cpp:748
    #15 0x55c0b307752c in freeciv::server::update_game_state() /home/pranav/freeciv/freeciv21/server/server.cpp:954
    #16 0x55c0b307ca68 in freeciv::server::pulse() /home/pranav/freeciv/freeciv21/server/server.cpp:1092
    #17 0x55c0b307e2d9 in QtPrivate::FunctorCall<QtPrivate::IndexesList<>, QtPrivate::List<>, void, void (freeciv::server::*)()>::call(void (freeciv::server::*)(), freeciv::server*, void**) /usr/include/qt/QtCore/qobjectdefs_impl.h:152
    #18 0x55c0b307e2d9 in void QtPrivate::FunctionPointer<void (freeciv::server::*)()>::call<QtPrivate::List<>, void>(void (freeciv::server::*)(), freeciv::server*, void**) /usr/include/qt/QtCore/qobjectdefs_impl.h:185
    #19 0x55c0b307e2d9 in QtPrivate::QSlotObject<void (freeciv::server::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/qt/QtCore/qobjectdefs_impl.h:418
    #20 0x55c0b307e2d9 in QtPrivate::QSlotObject<void (freeciv::server::*)(), QtPrivate::List<>, void>::impl(int, QtPrivate::QSlotObjectBase*, QObject*, void**, bool*) /usr/include/qt/QtCore/qobjectdefs_impl.h:411
    #21 0x7f1fbccbea70  (/usr/lib/libQt5Core.so.5+0x2bea70)
    #22 0x7f1fbccc0fce in QTimer::timeout(QTimer::QPrivateSignal) (/usr/lib/libQt5Core.so.5+0x2c0fce)
    #23 0x7f1fbccb1b55 in QObject::event(QEvent*) (/usr/lib/libQt5Core.so.5+0x2b1b55)
    #24 0x7f1fbcc8df2b in QCoreApplication::notifyInternal2(QObject*, QEvent*) (/usr/lib/libQt5Core.so.5+0x28df2b)
    #25 0x7f1fbccd84b2 in QTimerInfoList::activateTimers() (/usr/lib/libQt5Core.so.5+0x2d84b2)
    #26 0x7f1fbccd8af1  (/usr/lib/libQt5Core.so.5+0x2d8af1)
    #27 0x7f1fbb10f53a in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x5a53a)
    #28 0x7f1fbb16c218  (/usr/lib/libglib-2.0.so.0+0xb7218)
    #29 0x7f1fbb10e1a1 in g_main_context_iteration (/usr/lib/libglib-2.0.so.0+0x591a1)
    #30 0x7f1fbccd8c6b in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x2d8c6b)
    #31 0x7f1fbcc866eb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (/usr/lib/libQt5Core.so.5+0x2866eb)
    #32 0x7f1fbcc91218 in QCoreApplication::exec() (/usr/lib/libQt5Core.so.5+0x291218)

0x61300004cb54 is located 84 bytes inside of 352-byte region [0x61300004cb00,0x61300004cc60)
freed by thread T0 here:
    #0 0x7f136d2c178a in operator delete(void*, unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:164
    #1 0x558dfc489eb4 in unit_virtual_destroy(unit*) /home/pranav/freeciv/freeciv21/common/unit.cpp:1633
    #2 0x558dfc2a18d5 in game_remove_unit(world*, unit*) /home/pranav/freeciv/freeciv21/common/game.cpp:160
previously allocated by thread T0 here:
    #0 0x7f136d2c0672 in operator new(unsigned long) /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_new_delete.cpp:95
    #1 0x558dfc47ea29 in unit_virtual_create(player*, city*, unit_type const*, int) /home/pranav/freeciv/freeciv21/common/unit.cpp:1507
    #2 0x558dfca23bdf  (/home/pranav/freeciv/freeciv21/build/freeciv21-server+0x2cb9bdf)

daavko
4138 is this line: if (pdefender->hp <= 0) {, so it seems the defender is accessed after it's removed. Now, looking a couple lines above, there's a call to kill_unit, which calls wipe_unit, which calls wipe_unit_full, which calls server_remove_unit_full, which calls game_remove_unit, which calls unit_virtual_destroy, which calls delete punit;, so I assume that's the issue?

Would LT76 crash on this as well, or is this a debug build kind of thing?

Platform and version:

  • OS: Linux
  • Freeciv21 version: 3.0.0
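The pattern daavko describes, as an added stand-alone illustration that is not freeciv21 code: a combat routine frees the defender through a kill path and then reads `pdefender->hp` through the stale pointer, beside a restructured version that captures what it needs before the kill and afterwards re-resolves the unit by id. The `unit_registry`, `unit`, `attack_result` types, the hit-point arithmetic and the function names are assumptions made for this model; only the shape of the bug (free, then read through the same pointer) follows the report. One caveat a practitioner should keep in mind: without AddressSanitizer the stale read normally returns whatever the allocator left in that memory, so a release build usually does not crash at that point but can act on garbage, which is why the sanitizer report is the reliable signal here.

```cpp
// Hypothetical model of the use-after-free in the report and a safe rewrite.
// Not freeciv21 code: every name below is an assumption for this example.
#include <cstdio>
#include <memory>
#include <unordered_map>

struct unit {
  int id;
  int hp;
};

// Stand-in for the server's unit bookkeeping: owns the units, keyed by id.
struct unit_registry {
  std::unordered_map<int, std::unique_ptr<unit>> by_id;
  int next_id = 1;

  unit *create(int hp) {
    auto u = std::make_unique<unit>();
    u->id = next_id++;
    u->hp = hp;
    unit *raw = u.get();
    by_id.emplace(raw->id, std::move(u));
    return raw;
  }
  // Plays the role of a lookup by unit number: nullptr once the unit is gone.
  unit *by_number(int id) const {
    auto it = by_id.find(id);
    return it == by_id.end() ? nullptr : it->second.get();
  }
  // Plays the role of kill_unit() -> ... -> delete punit: after this call
  // every raw pointer to the unit is dangling.
  void kill(unit *u) { by_id.erase(u->id); }
};

struct attack_result {
  bool attacker_alive;
  bool defender_alive;
};

// Buggy shape: the second `pdefender->hp <= 0` runs after the kill path has
// freed the object. Under ASan that is the heap-use-after-free in the trace;
// without ASan it reads allocator leftovers. Kept only for comparison and
// never called here, because the read is undefined behaviour.
attack_result do_attack_buggy(unit_registry &reg, unit *punit, unit *pdefender) {
  pdefender->hp -= 10;
  punit->hp -= 3;
  if (pdefender->hp <= 0) {
    reg.kill(pdefender);   // frees *pdefender
  }
  if (pdefender->hp <= 0) {  // stale read through the freed pointer
    return {punit->hp > 0, false};
  }
  return {punit->hp > 0, true};
}

// Safe shape: decide everything from local copies before anything can free a
// unit, null the pointers once they may be dangling, and go back through the
// registry (by id) for anything needed afterwards.
attack_result do_attack_safe(unit_registry &reg, unit *punit, unit *pdefender) {
  const int attacker_id = punit->id;
  const int defender_id = pdefender->id;

  pdefender->hp -= 10;
  punit->hp -= 3;
  const bool defender_died = pdefender->hp <= 0;
  const bool attacker_died = punit->hp <= 0;

  if (defender_died) {
    reg.kill(pdefender);
    pdefender = nullptr;   // a later misuse becomes a null deref, not a silent stale read
  }
  if (attacker_died) {
    reg.kill(punit);
    punit = nullptr;
  }

  // The registry answers nullptr for a unit that no longer exists.
  return {reg.by_number(attacker_id) != nullptr,
          reg.by_number(defender_id) != nullptr};
}

// Constructed scenarios: a 10-hp attacker against a 10-hp defender (lethal)
// and against a 20-hp defender (defender survives).
attack_result run_lethal_attack() {
  unit_registry reg;
  unit *att = reg.create(10);
  unit *def = reg.create(10);
  return do_attack_safe(reg, att, def);
}

attack_result run_nonlethal_attack() {
  unit_registry reg;
  unit *att = reg.create(10);
  unit *def = reg.create(20);
  return do_attack_safe(reg, att, def);
}

int main() {
  attack_result r = run_lethal_attack();
  std::printf("attacker alive: %d, defender alive: %d\n", r.attacker_alive, r.defender_alive);
  return 0;
}
```

To see the buggy version fail the way the report does, call it instead of `do_attack_safe` and build with `-fsanitize=address -g`; the sanitizer stops at the second `pdefender->hp` read and prints the free and allocation stacks, as in the trace above.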

@lmoureaux lmoureaux added bug Something isn't working server This issue requires changes to the server labels Jan 30, 2024
@lmoureaux lmoureaux added this to the v3.1-stable milestone Jan 30, 2024
lmoureaux added a commit to lmoureaux/freeciv21 that referenced this issue Jan 30, 2024
The patch cf7e1bd had been applied improperly.
Follow upstream code.

Closes longturn#2183.
lmoureaux added a commit that referenced this issue Feb 7, 2024
The patch cf7e1bd had been applied improperly.
Follow upstream code.

Closes #2183.
lmoureaux added a commit to lmoureaux/freeciv21 that referenced this issue Mar 17, 2024
The patch cf7e1bd had been applied improperly.
Follow upstream code.

Closes longturn#2183.
lmoureaux added a commit that referenced this issue Mar 30, 2024
The patch cf7e1bd had been applied improperly.
Follow upstream code.

Closes #2183.