#410 lua light user data is invalidly re-used

Closed
opened 2 years ago by image · 1 comments
image commented 2 years ago

We seem to have an issue here: this was in South Qeynos (qey_south), where it tries adding to a conversation after the conversation has already been deleted. The sanitizer report below shows the conversation freed in EQ2Emu_lua_StartConversation (LuaFunctions.cpp:1090) and then used again by EQ2Emu_lua_AddConversationOption (LuaFunctions.cpp:968), i.e. the Lua light userdata still points at the freed object.


  32: 00 00 00 00 00 00 00 00 - 08 00 16 00 48 61 69 6C  | ............Hail
  48: 2C 20 46 65 6F 64 72 61 - 20 49 63 65 73 6C 61 79  | , Feodra Iceslay
  64: 65 72 00 00 00 01 00 00                            | er......
=================================================================
==25792==ERROR: AddressSanitizer: heap-use-after-free on address 0x60301b991638 at pc 0x555555ec5231 bp 0x7fffd95131e0 sp 0x7fffd95131d8
READ of size 8 at 0x60301b991638 thread T133
    #0 0x555555ec5230 in std::vector<ConversationOption, std::allocator<ConversationOption> >::push_back(ConversationOption const&) /usr/include/c++/8/bits/stl_vector.h:1076
    #1 0x555555ec5230 in EQ2Emu_lua_AddConversationOption(lua_State*) ../WorldServer/LuaFunctions.cpp:968
    #2 0x5555567b2f3d in luaD_precall (/home/eq2emu_server/server/eq2world+0x125ef3d)
    #3 0x5555567bfebd in luaV_execute (/home/eq2emu_server/server/eq2world+0x126bebd)
    #4 0x5555567b32cc in luaD_call (/home/eq2emu_server/server/eq2world+0x125f2cc)
    #5 0x5555567b332a in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x125f32a)
    #6 0x5555567c462c in f_call (/home/eq2emu_server/server/eq2world+0x127062c)
    #7 0x5555567b2315 in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x125e315)
    #8 0x5555567b3ae5 in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125fae5)
    #9 0x5555567c46fa in lua_pcallk (/home/eq2emu_server/server/eq2world+0x12706fa)
    #10 0x555555c28fe1 in LuaInterface::CallScriptSInt32(lua_State*, unsigned char, int*) ../WorldServer/LuaInterface.cpp:735
    #11 0x555555c3ab2f in LuaInterface::RunSpawnScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Spawn*, Spawn*, char const*, bool, int, int*) ../WorldServer/LuaInterface.cpp:2285
    #12 0x55555593ac57 in ZoneServer::CallSpawnScript(Spawn*, unsigned char, Spawn*, char const*, bool, int, int*) ../WorldServer/zoneserver.cpp:2812
    #13 0x5555563ccea5 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:2409
    #14 0x555555fb2b2b in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1776
    #15 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058
    #16 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240
    #17 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440
    #18 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921
    #19 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #20 0x7ffff68264ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)

0x60301b991638 is located 8 bytes inside of 24-byte region [0x60301b991630,0x60301b991648)
freed by thread T133 here:
    #0 0x7ffff72df128 in operator delete(void*, unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xec128)
    #1 0x555555e5cc2b in EQ2Emu_lua_StartConversation(lua_State*) ../WorldServer/LuaFunctions.cpp:1090
    #2 0x5555567b2f3d in luaD_precall (/home/eq2emu_server/server/eq2world+0x125ef3d)
    #3 0x5555567bfebd in luaV_execute (/home/eq2emu_server/server/eq2world+0x126bebd)
    #4 0x5555567b32cc in luaD_call (/home/eq2emu_server/server/eq2world+0x125f2cc)
    #5 0x5555567b332a in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x125f32a)
    #6 0x5555567c462c in f_call (/home/eq2emu_server/server/eq2world+0x127062c)
    #7 0x5555567b2315 in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x125e315)
    #8 0x5555567b3ae5 in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125fae5)
    #9 0x5555567c46fa in lua_pcallk (/home/eq2emu_server/server/eq2world+0x12706fa)
    #10 0x555555c28fe1 in LuaInterface::CallScriptSInt32(lua_State*, unsigned char, int*) ../WorldServer/LuaInterface.cpp:735
    #11 0x555555c3ab2f in LuaInterface::RunSpawnScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Spawn*, Spawn*, char const*, bool, int, int*) ../WorldServer/LuaInterface.cpp:2285
    #12 0x55555593ac57 in ZoneServer::CallSpawnScript(Spawn*, unsigned char, Spawn*, char const*, bool, int, int*) ../WorldServer/zoneserver.cpp:2812
    #13 0x5555563ccea5 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:2409
    #14 0x555555fb2b2b in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1776
    #15 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058
    #16 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240
    #17 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440
    #18 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921
    #19 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

previously allocated by thread T133 here:
    #0 0x7ffff72ddd30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30)
    #1 0x555555e5ba50 in EQ2Emu_lua_CreateConversation(lua_State*) ../WorldServer/LuaFunctions.cpp:954
    #2 0x5555567b2f3d in luaD_precall (/home/eq2emu_server/server/eq2world+0x125ef3d)
    #3 0x5555567bfebd in luaV_execute (/home/eq2emu_server/server/eq2world+0x126bebd)
    #4 0x5555567b32cc in luaD_call (/home/eq2emu_server/server/eq2world+0x125f2cc)
    #5 0x5555567b332a in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x125f32a)
    #6 0x5555567c462c in f_call (/home/eq2emu_server/server/eq2world+0x127062c)
    #7 0x5555567b2315 in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x125e315)
    #8 0x5555567b3ae5 in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125fae5)
    #9 0x5555567c46fa in lua_pcallk (/home/eq2emu_server/server/eq2world+0x12706fa)
    #10 0x555555c28fe1 in LuaInterface::CallScriptSInt32(lua_State*, unsigned char, int*) ../WorldServer/LuaInterface.cpp:735
    #11 0x555555c3ab2f in LuaInterface::RunSpawnScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Spawn*, Spawn*, char const*, bool, int, int*) ../WorldServer/LuaInterface.cpp:2285
    #12 0x55555593ac57 in ZoneServer::CallSpawnScript(Spawn*, unsigned char, Spawn*, char const*, bool, int, int*) ../WorldServer/zoneserver.cpp:2812
    #13 0x5555563ccea5 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:2409
    #14 0x555555fb2b2b in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1776
    #15 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058
    #16 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240
    #17 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440
    #18 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921
    #19 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T133 created by T125 here:
    #0 0x7ffff7243db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559e09fd in ZoneServer::Init() ../WorldServer/zoneserver.cpp:331
    #2 0x555555de5184 in ZoneList::Get(char const*, bool, bool) ../WorldServer/World.cpp:571
    #3 0x555555f96ec8 in Client::Zone(char const*, bool, bool) ../WorldServer/client.cpp:4186
    #4 0x5555563d7858 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:3448
    #5 0x555555fb432a in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1878
    #6 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058
    #7 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240
    #8 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440
    #9 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921
    #10 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486

Thread T125 created by T0 here:
    #0 0x7ffff7243db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x5555559e09fd in ZoneServer::Init() ../WorldServer/zoneserver.cpp:331
    #2 0x555555de58fc in ZoneList::Get(unsigned int, bool, bool) ../WorldServer/World.cpp:604
    #3 0x555555f14833 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3421
    #4 0x5555561f2e61 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1788
    #5 0x555555fa4426 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9875
    #6 0x555555fa9142 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1077
    #7 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058
    #8 0x555555fcce02 in ClientList::Process() ../WorldServer/client.cpp:3353
    #9 0x555555c67004 in main ../WorldServer/net.cpp:458
    #10 0x7ffff675109a in __libc_start_main ../csu/libc-start.c:308

we seem to have issues this was in south qeynos (qey_south) which it tries adding to a conversation after its already been deleted ``` 32: 00 00 00 00 00 00 00 00 - 08 00 16 00 48 61 69 6C | ............Hail 48: 2C 20 46 65 6F 64 72 61 - 20 49 63 65 73 6C 61 79 | , Feodra Iceslay 64: 65 72 00 00 00 01 00 00 | er...... ================================================================= ==25792==ERROR: AddressSanitizer: heap-use-after-free on address 0x60301b991638 at pc 0x555555ec5231 bp 0x7fffd95131e0 sp 0x7fffd95131d8 READ of size 8 at 0x60301b991638 thread T133 #0 0x555555ec5230 in std::vector<ConversationOption, std::allocator<ConversationOption> >::push_back(ConversationOption const&) /usr/include/c++/8/bits/stl_vector.h:1076 #1 0x555555ec5230 in EQ2Emu_lua_AddConversationOption(lua_State*) ../WorldServer/LuaFunctions.cpp:968 #2 0x5555567b2f3d in luaD_precall (/home/eq2emu_server/server/eq2world+0x125ef3d) #3 0x5555567bfebd in luaV_execute (/home/eq2emu_server/server/eq2world+0x126bebd) #4 0x5555567b32cc in luaD_call (/home/eq2emu_server/server/eq2world+0x125f2cc) #5 0x5555567b332a in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x125f32a) #6 0x5555567c462c in f_call (/home/eq2emu_server/server/eq2world+0x127062c) #7 0x5555567b2315 in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x125e315) #8 0x5555567b3ae5 in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125fae5) #9 0x5555567c46fa in lua_pcallk (/home/eq2emu_server/server/eq2world+0x12706fa) #10 0x555555c28fe1 in LuaInterface::CallScriptSInt32(lua_State*, unsigned char, int*) ../WorldServer/LuaInterface.cpp:735 #11 0x555555c3ab2f in LuaInterface::RunSpawnScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Spawn*, Spawn*, char const*, bool, int, int*) ../WorldServer/LuaInterface.cpp:2285 #12 0x55555593ac57 in ZoneServer::CallSpawnScript(Spawn*, unsigned char, Spawn*, char const*, bool, int, int*) ../WorldServer/zoneserver.cpp:2812 #13 
0x5555563ccea5 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:2409 #14 0x555555fb2b2b in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1776 #15 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058 #16 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240 #17 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440 #18 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921 #19 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486 #20 0x7ffff68264ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce) 0x60301b991638 is located 8 bytes inside of 24-byte region [0x60301b991630,0x60301b991648) freed by thread T133 here: #0 0x7ffff72df128 in operator delete(void*, unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xec128) #1 0x555555e5cc2b in EQ2Emu_lua_StartConversation(lua_State*) ../WorldServer/LuaFunctions.cpp:1090 #2 0x5555567b2f3d in luaD_precall (/home/eq2emu_server/server/eq2world+0x125ef3d) #3 0x5555567bfebd in luaV_execute (/home/eq2emu_server/server/eq2world+0x126bebd) #4 0x5555567b32cc in luaD_call (/home/eq2emu_server/server/eq2world+0x125f2cc) #5 0x5555567b332a in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x125f32a) #6 0x5555567c462c in f_call (/home/eq2emu_server/server/eq2world+0x127062c) #7 0x5555567b2315 in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x125e315) #8 0x5555567b3ae5 in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125fae5) #9 0x5555567c46fa in lua_pcallk (/home/eq2emu_server/server/eq2world+0x12706fa) #10 0x555555c28fe1 in LuaInterface::CallScriptSInt32(lua_State*, unsigned char, int*) ../WorldServer/LuaInterface.cpp:735 #11 0x555555c3ab2f in LuaInterface::RunSpawnScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Spawn*, Spawn*, char const*, bool, int, int*) 
../WorldServer/LuaInterface.cpp:2285 #12 0x55555593ac57 in ZoneServer::CallSpawnScript(Spawn*, unsigned char, Spawn*, char const*, bool, int, int*) ../WorldServer/zoneserver.cpp:2812 #13 0x5555563ccea5 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:2409 #14 0x555555fb2b2b in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1776 #15 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058 #16 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240 #17 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440 #18 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921 #19 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486 previously allocated by thread T133 here: #0 0x7ffff72ddd30 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0xead30) #1 0x555555e5ba50 in EQ2Emu_lua_CreateConversation(lua_State*) ../WorldServer/LuaFunctions.cpp:954 #2 0x5555567b2f3d in luaD_precall (/home/eq2emu_server/server/eq2world+0x125ef3d) #3 0x5555567bfebd in luaV_execute (/home/eq2emu_server/server/eq2world+0x126bebd) #4 0x5555567b32cc in luaD_call (/home/eq2emu_server/server/eq2world+0x125f2cc) #5 0x5555567b332a in luaD_callnoyield (/home/eq2emu_server/server/eq2world+0x125f32a) #6 0x5555567c462c in f_call (/home/eq2emu_server/server/eq2world+0x127062c) #7 0x5555567b2315 in luaD_rawrunprotected (/home/eq2emu_server/server/eq2world+0x125e315) #8 0x5555567b3ae5 in luaD_pcall (/home/eq2emu_server/server/eq2world+0x125fae5) #9 0x5555567c46fa in lua_pcallk (/home/eq2emu_server/server/eq2world+0x12706fa) #10 0x555555c28fe1 in LuaInterface::CallScriptSInt32(lua_State*, unsigned char, int*) ../WorldServer/LuaInterface.cpp:735 #11 0x555555c3ab2f in LuaInterface::RunSpawnScript(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char const*, Spawn*, Spawn*, char const*, 
bool, int, int*) ../WorldServer/LuaInterface.cpp:2285 #12 0x55555593ac57 in ZoneServer::CallSpawnScript(Spawn*, unsigned char, Spawn*, char const*, bool, int, int*) ../WorldServer/zoneserver.cpp:2812 #13 0x5555563ccea5 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:2409 #14 0x555555fb2b2b in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1776 #15 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058 #16 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240 #17 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440 #18 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921 #19 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486 Thread T133 created by T125 here: #0 0x7ffff7243db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0) #1 0x5555559e09fd in ZoneServer::Init() ../WorldServer/zoneserver.cpp:331 #2 0x555555de5184 in ZoneList::Get(char const*, bool, bool) ../WorldServer/World.cpp:571 #3 0x555555f96ec8 in Client::Zone(char const*, bool, bool) ../WorldServer/client.cpp:4186 #4 0x5555563d7858 in Commands::Process(unsigned int, EQ2_16BitString*, Client*, Spawn*) ../WorldServer/Commands/Commands.cpp:3448 #5 0x555555fb432a in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1878 #6 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058 #7 0x555555a07f30 in ZoneServer::ClientProcess() ../WorldServer/zoneserver.cpp:3240 #8 0x555555a1477d in ZoneServer::Process() ../WorldServer/zoneserver.cpp:1440 #9 0x555555a2016d in ZoneLoop(void*) ../WorldServer/zoneserver.cpp:6921 #10 0x7ffff6fbbfa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486 Thread T125 created by T0 here: #0 0x7ffff7243db0 in __interceptor_pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x50db0) #1 0x5555559e09fd in 
ZoneServer::Init() ../WorldServer/zoneserver.cpp:331 #2 0x555555de58fc in ZoneList::Get(unsigned int, bool, bool) ../WorldServer/World.cpp:604 #3 0x555555f14833 in Client::SetCurrentZone(unsigned int) ../WorldServer/client.cpp:3421 #4 0x5555561f2e61 in WorldDatabase::loadCharacter(char const*, unsigned int, Client*) ../WorldServer/WorldDatabase.cpp:1788 #5 0x555555fa4426 in Client::HandleNewLogin(unsigned int, unsigned int) ../WorldServer/client.cpp:9875 #6 0x555555fa9142 in Client::HandlePacket(EQApplicationPacket*) ../WorldServer/client.cpp:1077 #7 0x555555fc9fd4 in Client::Process(bool) ../WorldServer/client.cpp:3058 #8 0x555555fcce02 in ClientList::Process() ../WorldServer/client.cpp:3353 #9 0x555555c67004 in main ../WorldServer/net.cpp:458 #10 0x7ffff675109a in __libc_start_main ../csu/libc-start.c:308 ```
image commented 1 year ago
Collaborator

This is fixed by f57a91d0cb

This is fixed by https://git.eq2emu.com/devn00b/EQ2EMu/commit/f57a91d0cb0833c47c097e3d368ac113f37518ed