Heap use after free triggered by ResourceLoader.load_threaded_request #83778

Closed
Rubonnek opened this issue Oct 22, 2023 · 0 comments · Fixed by #83782
@Rubonnek (Member)

Godot version

master branch at commit 8c25a98

System information

Arch Linux

Issue description

A single ResourceLoader.load_threaded_request call will trigger a heap use after free detected by AddressSanitizer:

==11770==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400065b5e0 at pc 0x55730c51b384 bp 0x7ffd0dca83c0 sp 0x7ffd0dca83b0
READ of size 8 at 0x60400065b5e0 thread T0
    #0 0x55730c51b383 in HashMap<String, ResourceLoader::LoadToken*, HashMapHasherDefault, HashMapComparatorDefault<String>, DefaultTypedAllocator<HashMapElement<String, ResourceLoader::LoadToken*> > >::Iterator::operator++() core/templates/hash_map.h:456
    #1 0x55730c51b383 in ResourceLoader::clear_thread_load_tasks() core/io/resource_loader.cpp:1056
    #2 0x5572fee1504d in Main::cleanup(bool) main/main.cpp:3732
    #3 0x5572fec9b233 in main platform/linuxbsd/godot_linuxbsd.cpp:76
    #4 0x7effb2558ccf  (/usr/lib/libc.so.6+0x27ccf) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #5 0x7effb2558d89 in __libc_start_main (/usr/lib/libc.so.6+0x27d89) (BuildId: 8bfe03f6bf9b6a6e2591babd0bbc266837d8f658)
    #6 0x5572fececef4 in _start (/opt/godot-master/bin/godot.linuxbsd.editor.x86_64.san+0x13c2ef4) (BuildId: a67cc55f3629e2a5c74de2eadcca1ef4ed44048a)

0x60400065b5e0 is located 16 bytes inside of 48-byte region [0x60400065b5d0,0x60400065b600)
freed by thread T0 here:
    #0 0x7effb28dfdb2 in __interceptor_free /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x55730c519e37 in void memdelete<HashMapElement<String, ResourceLoader::LoadToken*> >(HashMapElement<String, ResourceLoader::LoadToken*>*) core/os/memory.h:112
    #2 0x55730c519e37 in DefaultTypedAllocator<HashMapElement<String, ResourceLoader::LoadToken*> >::delete_allocation(HashMapElement<String, ResourceLoader::LoadToken*>*) core/os/memory.h:206
    #3 0x55730c519e37 in HashMap<String, ResourceLoader::LoadToken*, HashMapHasherDefault, HashMapComparatorDefault<String>, DefaultTypedAllocator<HashMapElement<String, ResourceLoader::LoadToken*> > >::erase(String const&) core/templates/hash_map.h:349
    #4 0x55730c519e37 in ResourceLoader::LoadToken::clear() core/io/resource_loader.cpp:225

previously allocated by thread T0 here:
    #0 0x7effb28e1359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x55730bfd206f in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75

SUMMARY: AddressSanitizer: heap-use-after-free core/templates/hash_map.h:456 in HashMap<String, ResourceLoader::LoadToken*, HashMapHasherDefault, HashMapComparatorDefault<String>, DefaultTypedAllocator<HashMapElement<String, ResourceLoader::LoadToken*> > >::Iterator::operator++()
Shadow bytes around the buggy address:
  0x60400065b300: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400065b380: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x60400065b400: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400065b480: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x60400065b500: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
=>0x60400065b580: fa fa fd fd fd fd fd fd fa fa fd fd[fd]fd fd fd
  0x60400065b600: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400065b680: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400065b700: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400065b780: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x60400065b800: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11770==ABORTING

Steps to reproduce

  1. Run the attached MRP with a build where AddressSanitizer is enabled.
  2. Exit the project.

Minimal reproduction project

HeapUseAfterFree.zip
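The trace above shows `clear_thread_load_tasks()` advancing a map iterator over a node that `LoadToken::clear()` had just erased from the same map. The following is an added illustration, not Godot's code or the fix in #83782: a constructed `LoadTask` type whose `clear()` removes its own entry from a shared registry (the `g_tasks` map, `clear_all_tasks_safely()` and `run_demo()` are all hypothetical names), with the clean-up loop shaped so that it never walks the map while entries are being erased.

```cpp
// Added illustration (not Godot's code): erasing map entries from inside an
// element's clear() while a loop iterates that same map frees the node the
// iterator still points at; detach first, then clear.
#include <memory>
#include <string>
#include <unordered_map>
#include <vector>

struct LoadTask;
// Hypothetical registry keyed by resource path, standing in for the engine's
// pending-thread-load map.
static std::unordered_map<std::string, LoadTask*> g_tasks;
static int g_cleared = 0;

struct LoadTask {
    std::string path;
    bool live = true;
    explicit LoadTask(std::string p) : path(std::move(p)) { g_tasks[path] = this; }
    // Same shape as the report: clearing a task erases its own map entry.
    // If this runs from inside "for (auto &kv : g_tasks) kv.second->clear();"
    // the loop's iterator is then advanced over freed memory, which is exactly
    // what ASan flagged in HashMap::Iterator::operator++().
    void clear() {
        if (!live) return;
        live = false;
        g_tasks.erase(path);
        ++g_cleared;
    }
};

// Safe shape: snapshot the pointers, then clear each one. The erase() calls
// happen while no iterator into g_tasks is alive.
int clear_all_tasks_safely() {
    std::vector<LoadTask*> snapshot;
    snapshot.reserve(g_tasks.size());
    for (auto &kv : g_tasks) snapshot.push_back(kv.second);
    for (LoadTask *t : snapshot) t->clear();
    return g_cleared;
}

// Constructed scenario: three pending requests, then a shutdown-style clear.
struct DemoResult { int cleared; size_t remaining; };
DemoResult run_demo() {
    g_tasks.clear();
    g_cleared = 0;
    std::vector<std::unique_ptr<LoadTask>> owned;  // owners outlive the registry
    for (const char *p : {"res://a.tres", "res://b.tres", "res://c.tres"})
        owned.push_back(std::make_unique<LoadTask>(p));
    int cleared = clear_all_tasks_safely();
    return {cleared, g_tasks.size()};
}
```

Building with `-fsanitize=address` and swapping the snapshot loop for a direct range-for over `g_tasks` reproduces the same class of report as the one in this issue.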

@Rubonnek Rubonnek changed the title Heap use after free triggered by unused Resource loaded with ResourceLoader.load_threaded_request Heap use after free triggered by ResourceLoader.load_threaded_request Oct 22, 2023
@Rubonnek Rubonnek added this to the 4.2 milestone Oct 22, 2023