ID: 05868
Category: Misc.
Severity: Critical (emulator)
Reproducibility: Always
Date Submitted: Mar 5, 2015, 17:49
Last Update: Sep 24, 2019, 15:09
Tester: Firewave
View Status: Public
Platform: MAME (Self-compiled)
Resolution: Unable to reproduce
Status: Closed
Version: 0.159
Build: Debug
Summary: 05868: mt_tgolf: AddressSanitizer: heap-use-after-free
Description
==19196==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500006f71f at pc 0x0000080c3849 bp 0x7fff1a47f040 sp 0x7fff1a47f038
READ of size 1 at 0x62500006f71f thread T0
    #0 0x80c3848 in address_space_specific<unsigned char, (endianness_t)0, false>::read_native(unsigned int) /home/notroot/trunk/src/emu/memory.c:1093:74
    #1 0x80c1998 in address_space_specific<unsigned char, (endianness_t)0, false>::read_byte(unsigned int) /home/notroot/trunk/src/emu/memory.c:1412:64
    #2 0x6fbaba1 in z80_device::rm(unsigned short) /home/notroot/trunk/src/emu/cpu/z80/z80.c:450:9
    #3 0x6fbaba1 in z80_device::cb_d6() /home/notroot/trunk/src/emu/cpu/z80/z80.c:1617
    #4 0x6fbaba1 in z80_device::op_cb() /home/notroot/trunk/src/emu/cpu/z80/z80.c:3074
    #5 0x6f93d1c in z80_device::execute_run() /home/notroot/trunk/src/emu/cpu/z80/z80.c:3521:3
    #6 0x6f9d28f in non-virtual thunk to z80_device::execute_run() /home/notroot/trunk/src/emu/cpu/z80/z80.c:3523:1
    #7 0x813206a in device_execute_interface::run() /home/notroot/trunk/src/emu/diexec.h:191:15
    #8 0x813206a in device_scheduler::timeslice() /home/notroot/trunk/src/emu/schedule.c:476
    #9 0x804fe48 in running_machine::run(bool) /home/notroot/trunk/src/emu/machine.c:397:5
    #10 0x8047ee6 in machine_manager::execute() /home/notroot/trunk/src/emu/mame.c:222:11
    #11 0x7e79dbc in cli_frontend::execute(int, char**) /home/notroot/trunk/src/emu/clifront.c:220:15
    #12 0x575d9bb in main /home/notroot/trunk/src/osd/sdl/sdlmain.c:322:9
    #13 0x7fd2e4d10ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #14 0x116cdfc in _start (/home/notroot/trunk/mame64d+0x116cdfc)

0x62500006f71f is located 5663 bytes inside of 8192-byte region [0x62500006e100,0x625000070100)
freed by thread T0 here:
    #0 0x114f50b in free /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
    #1 0x846e5ae in XML_GetBuffer /home/notroot/trunk/3rdparty/expat/lib/xmlparse.c:1725:9
    #2 0x7fd2e6849d57 in FcConfigParseAndLoad (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x20d57)

previously allocated by thread T0 here:
    #0 0x114f78b in __interceptor_malloc /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x846e4d7 in XML_GetBuffer /home/notroot/trunk/3rdparty/expat/lib/xmlparse.c:1713:24
    #2 0x7fd2e6849d57 in FcConfigParseAndLoad (/usr/lib/x86_64-linux-gnu/libfontconfig.so.1+0x20d57)

SUMMARY: AddressSanitizer: heap-use-after-free /home/notroot/trunk/src/emu/memory.c:1093 address_space_specific<unsigned char, (endianness_t)0, false>::read_native(unsigned int)
Shadow bytes around the buggy address:
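As a triage aid for reports like the one above (added here; it is not part of the original issue or of MAME), this Python script parses the ASan output into its use, freed-by and allocated-by stacks and flags the situation seen in this report, where the free stack (expat called from fontconfig) shares no source file with the use stack (MAME's memory.c / z80.c): the freed-by and allocated-by stacks then most likely describe the chunk's last owner rather than the code holding the stale pointer, so the dangling reference has to be traced from the use stack. The abridged report embedded as sample input is constructed from this page's own lines.

```python
import re
# Abridged ASan report, constructed from the one on this page, used as sample input.
REPORT = """\
==19196==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500006f71f at pc 0x0000080c3849 bp 0x7fff1a47f040 sp 0x7fff1a47f038
READ of size 1 at 0x62500006f71f thread T0
    #0 0x80c3848 in address_space_specific<unsigned char, (endianness_t)0, false>::read_native(unsigned int) /home/notroot/trunk/src/emu/memory.c:1093:74
    #2 0x6fbaba1 in z80_device::rm(unsigned short) /home/notroot/trunk/src/emu/cpu/z80/z80.c:450:9

freed by thread T0 here:
    #0 0x114f50b in free /home/ben/development/llvm/3.5/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
    #1 0x846e5ae in XML_GetBuffer /home/notroot/trunk/3rdparty/expat/lib/xmlparse.c:1725:9

previously allocated by thread T0 here:
    #1 0x846e4d7 in XML_GetBuffer /home/notroot/trunk/3rdparty/expat/lib/xmlparse.c:1713:24
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")  # -> (symbol, location)

def parse_asan_report(text):
    """Split a report into its header fields and the use/freed/allocated stacks."""
    rep = {"stacks": {"use": [], "freed": [], "allocated": []}}
    section = "use"  # frames before any "freed by" header belong to the faulting access
    for line in text.splitlines():
        if m := HEADER.search(line):
            rep["kind"], rep["address"] = m.group(1), m.group(2)
        elif m := ACCESS.match(line):
            rep["access"], rep["size"], rep["thread"] = m.group(1), int(m.group(2)), m.group(3)
        elif line.startswith("freed by"):
            section = "freed"
        elif line.startswith("previously allocated by"):
            section = "allocated"
        elif m := FRAME.match(line):
            rep["stacks"][section].append((m.group(1), m.group(2)))
    return rep

def triage(rep):
    """Flag reports whose use and free stacks share no source file: then the freed-by and
    allocated-by stacks identify the chunk's last owner (expat via fontconfig here), not
    the code holding the stale pointer, which has to be traced from the use stack."""
    files = lambda stack: {loc.split(":")[0] for _, loc in stack}
    use, freed = rep["stacks"]["use"], rep["stacks"]["freed"]
    return {
        "kind": rep["kind"],
        "access": f"{rep['access']} of size {rep['size']} in {rep['thread']}",
        "use_site": use[0][1],
        "free_site": freed[0][1] if freed else None,
        "unrelated_free_stack": not (files(use) & files(freed)),
    }
```

On this report `triage` returns `unrelated_free_stack: True`, which is the cue to inspect the bank or pointer handed to `read_native` rather than the expat allocation.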
Affected Sets / Systems: mt_tgolf
Relationships
There are no relationships linked to this issue.
Notes (2)
No.11507 B2K24 (Senior Tester), Mar 11, 2015, 18:00
-----------------------------------------------------
Exception at EIP=0000000003BD0961 (address_space_specific<unsigned char, (endianness_t)0, false>::read_native(unsigned int)+0x0081): ACCESS VIOLATION
While attempting to read memory at 00000000510F5E1F
-----------------------------------------------------
RAX=00000000510F5E1F RBX=0000000000000001 RCX=000000004E0FD0C8 RDX=00000000510F2000
RSI=0000000000000001 RDI=00000000003B5BF0 RBP=0000000000228440 RSP=0000000000228400
 R8=0000000000000000  R9=0000000000000000 R10=0000000000000000 R11=0000000000000000
R12=0000000000000018 R13=0000000000000012 R14=0000000000000000 R15=0000000000000000
-----------------------------------------------------
Stack crawl:
  0000000000228400: 0000000003BD0961 (address_space_specific<unsigned char, (endianness_t)0, false>::read_native(unsigned int)+0x0081)
  0000000000228470: 0000000003BD1BBD (address_space_specific<unsigned char, (endianness_t)0, false>::read_byte(unsigned int)+0x001d)
  00000000002284A0: 00000000032F0488 (z80_device::rm(unsigned short)+0x0038)
  00000000002284D0: 00000000032F5F25 (z80_device::cb_d6()+0x0025)
  0000000000228510: 00000000033046BE (z80_device::op_cb()+0x0c4e)
  0000000000228550: 00000000021468EB (z80_device::execute_run()+0x0cc7)
  0000000000228580: 0000000003BFF882 (device_execute_interface::run()+0x0022)
  0000000000228640: 0000000002D29488 (device_scheduler::timeslice()+0x0316)
  0000000000228710: 0000000002D9A444 (running_machine::run(bool)+0x02b0)
  000000000022F4F0: 0000000002DA8E5A (machine_manager::execute()+0x01f8)
  000000000022F750: 0000000002E2CD7F (cli_frontend::execute(int, char**)+0x085f)
  000000000022FDF0: 000000000209B0D9 (utf8_main(int, char**)+0x020d)
  000000000022FE50: 0000000003131169 (wmain+0x00b9)
  000000000022FF20: 00000000004013CA (__tmainCRTStartup+0x024a)
  000000000022FF50: 00000000004014F8 (mainCRTStartup+0x0018)
  000000000022FF80: 0000000076A25A4D (BaseThreadInitThunk+0x000d)
  000000000022FFD0: 0000000076EBBA01 (RtlUserThreadStart+0x0021)
No.16956 MetalGod (Senior Tester), Sep 24, 2019, 12:33
Tested in current mame 0.213 after leaving the game running in debug mode for more than 2 hours.
This is no longer happening.
Fixed