
Buffer overflow when creating CSGPolygon from editor #51351

Closed
qarmin opened this issue Aug 7, 2021 · 6 comments

Comments

@qarmin (Contributor) commented Aug 7, 2021

Godot version

v3.4.beta.custom_build. 7c1ee04
Doesn't happen with 4.0

System information

Ubuntu 21.04 - Nvidia GTX 970, Gnome shell 3.38 X11

Issue description

Address Sanitizer shows this buffer overflow after creating CSGPolygon

drivers/gles3/rasterizer_scene_gles3.cpp:2112:34: runtime error: downcast of address 0x60c000297350 which does not point to an object of type 'Surface'
0x60c000297350: note: object is of type 'RasterizerStorageGLES3::Immediate'
 be be be be  50 c0 31 1b 00 00 00 00  52 2a 00 00 be be be be  50 76 a8 00 60 61 00 00  50 76 a8 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'RasterizerStorageGLES3::Immediate'
drivers/gles3/rasterizer_scene_gles3.cpp:2112:83: runtime error: member access within address 0x60c000297350 which does not point to an object of type 'Surface'
0x60c000297350: note: object is of type 'RasterizerStorageGLES3::Immediate'
 be be be be  50 c0 31 1b 00 00 00 00  52 2a 00 00 be be be be  50 76 a8 00 60 61 00 00  50 76 a8 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'RasterizerStorageGLES3::Immediate'
=================================================================
==11992==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000297490 at pc 0x000007bc6007 bp 0x7fffc4dfe8f0 sp 0x7fffc4dfe8e0
READ of size 4 at 0x60c000297490 thread T0
    #0 0x7bc6006 in RasterizerSceneGLES3::_render_list(RasterizerSceneGLES3::RenderList::Element**, int, Transform const&, CameraMatrix const&, RasterizerStorageGLES3::Sky*, bool, bool, bool, bool, bool) drivers/gles3/rasterizer_scene_gles3.cpp:2112
    #1 0x7c5942a in RasterizerSceneGLES3::render_scene(Transform const&, CameraMatrix const&, int, bool, RasterizerScene::InstanceBase**, int, RID*, int, RID*, int, RID, RID, RID, RID, int) drivers/gles3/rasterizer_scene_gles3.cpp:4397
    #2 0x109bff41 in VisualServerScene::_render_scene(Transform, CameraMatrix const&, int, bool, RID, RID, RID, RID, int) servers/visual/visual_server_scene.cpp:2732
    #3 0x109acdcb in VisualServerScene::render_camera(RID, RID, Vector2, RID) servers/visual/visual_server_scene.cpp:2311
    #4 0x10af97ea in VisualServerViewport::_draw_3d(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:76
    #5 0x10afba45 in VisualServerViewport::_draw_viewport(VisualServerViewport::Viewport*, ARVRInterface::Eyes) servers/visual/visual_server_viewport.cpp:106
    #6 0x10b07be7 in VisualServerViewport::draw_viewports() servers/visual/visual_server_viewport.cpp:336
    #7 0x1092268b in VisualServerRaster::draw(bool, double) servers/visual/visual_server_raster.cpp:107
    #8 0x10b39cd2 in VisualServerWrapMT::draw(bool, double) servers/visual/visual_server_wrap_mt.cpp:90
    #9 0x1967634 in Main::iteration() main/main.cpp:2151
    #10 0x1840a64 in OS_X11::run() platform/x11/os_x11.cpp:3638
    #11 0x17abd8b in main platform/x11/godot_x11.cpp:55
    #12 0x7fe9a8d5d564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    #13 0x17ab9ad in _start (/usr/bin/godots+0x17ab9ad)

0x60c000297490 is located 24 bytes to the right of 120-byte region [0x60c000297400,0x60c000297478)
allocated by thread T0 here:
    #0 0x7fe9a9cdac47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x12110223 in Memory::alloc_static(unsigned long, bool) core/os/memory.cpp:75
    #2 0x12110134 in operator new(unsigned long, char const*) core/os/memory.cpp:40
    #3 0xa4b2451 in MethodBind* create_method_bind<ItemListEditor>(void (ItemListEditor::*)()) core/method_bind.gen.inc:85
    #4 0xa4b1731 in MethodBind* ClassDB::bind_method<char const*, void (ItemListEditor::*)()>(char const*, void (ItemListEditor::*)()) core/class_db.h:228
    #5 0xa491783 in ItemListEditor::_bind_methods() editor/plugins/item_list_editor_plugin.cpp:324
    #6 0xa4aa819 in ItemListEditor::initialize_class() editor/plugins/item_list_editor_plugin.h:197
    #7 0xa4aa83e in ItemListEditor::_initialize_classv() editor/plugins/item_list_editor_plugin.h:197
    #8 0x11ba6295 in Object::_postinitialize() core/object.cpp:396
    #9 0x11bdf3c4 in postinitialize_handler(Object*) core/object.cpp:2004
    #10 0xa497821 in ItemListEditor* _post_initialize<ItemListEditor>(ItemListEditor*) core/os/memory.h:89
    #11 0xa497821 in ItemListEditorPlugin::ItemListEditorPlugin(EditorNode*) editor/plugins/item_list_editor_plugin.cpp:390
    #12 0x8c50442 in EditorNode::EditorNode() editor/editor_node.cpp:6811
    #13 0x19582d0 in Main::start() main/main.cpp:1821
    #14 0x17abcbe in main platform/x11/godot_x11.cpp:54
    #15 0x7fe9a8d5d564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

SUMMARY: AddressSanitizer: heap-buffer-overflow drivers/gles3/rasterizer_scene_gles3.cpp:2112 in RasterizerSceneGLES3::_render_list(RasterizerSceneGLES3::RenderList::Element**, int, Transform const&, CameraMatrix const&, RasterizerStorageGLES3::Sky*, bool, bool, bool, bool, bool)

Steps to reproduce

Just created a CSGPolygon from the menu

jfile

Minimal reproduction project

No response

@timothyqiu (Member) commented:

I think this is introduced by #46800.

bool octahedral_compression = ((RasterizerStorageGLES3::Surface *)e->geometry)->format & VisualServer::ArrayFormat::ARRAY_FLAG_USE_OCTAHEDRAL_COMPRESSION;

e->geometry is not a Surface when e->instance->base_type is VS::INSTANCE_IMMEDIATE.

CC @The-O-King

@The-O-King (Contributor) commented:

Commenting to let you know I'm looking into it!

@Calinou changed the title from "Buffer overlow when creating CSGPolygon from editor" to "Buffer overflow when creating CSGPolygon from editor" on Oct 11, 2021
@akien-mga akien-mga added this to the 3.4 milestone Oct 12, 2021
@akien-mga (Member) commented:

@The-O-King Any update? We're at 3.4 beta 6 and this would best be fixed before the next build which I'd like to be RC 1.

@The-O-King (Contributor) commented:

Ah, apologies. I have been on vacation, and prior to that this got lost in a recent shuffle at work. I'll definitely try to get this fixed by Monday; I don't imagine that it will take too much time, just add a check, something along the lines of e->instance->base_type == VS::INSTANCE_IMMEDIATE in RasterizerSceneGLES*.cpp, so I will get to that when I get back on my computer.

@The-O-King (Contributor) commented:

OK, update: I have a Windows machine and I haven't been able to reproduce the same crashing behavior as seen in the original report, but I still created #53966, which I think should take care of the issue. Does anyone have a Linux machine that is able to test and make sure this change resolves the issue?

Also I'm still not entirely sure whether or not there are other types of geometry that should be checked for before doing the cast (VS::INSTANCE_PARTICLES?)
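The unchecked downcast quoted above and the tag check proposed as the fix, as an added C++ model that is not Godot's code: the engine types are reduced to stand-ins, the flag bit value is a placeholder, and the set of base types treated as surface-backed is an assumption of the model (the thread itself leaves INSTANCE_PARTICLES open).

```cpp
// Added model (not Godot source) of the element the rasterizer iterates over:
// `geometry` is an untyped pointer whose real class depends on the instance's
// base_type tag, which is exactly the situation behind the reported downcast.
#include <cstdint>

enum BaseType { INSTANCE_MESH, INSTANCE_MULTIMESH, INSTANCE_IMMEDIATE, INSTANCE_PARTICLES };
// Flag bit value is a placeholder; only its use as a mask matters here.
constexpr uint32_t ARRAY_FLAG_USE_OCTAHEDRAL_COMPRESSION = 1u << 24;

struct Surface { uint32_t format = 0; uint32_t extra[16] = {}; };
struct Immediate { int chunk_count = 0; };      // smaller than Surface, no `format`
struct Instance { BaseType base_type; };
struct Element { Instance *instance; void *geometry; };

// The reported pattern: the cast is trusted unconditionally. With an Immediate
// behind `geometry`, `format` is read past the allocation (the ASan report).
bool octahedral_unchecked(const Element &e) {
    return ((Surface *)e.geometry)->format & ARRAY_FLAG_USE_OCTAHEDRAL_COMPRESSION;
}

// Hardened form of the same lookup: consult the tag first and only downcast for
// base types that are surface-backed. Which tags belong in that set is an
// assumption of this model; in the engine it has to be confirmed per rasterizer.
bool octahedral_checked(const Element &e) {
    switch (e.instance->base_type) {
        case INSTANCE_MESH:
        case INSTANCE_MULTIMESH:
            return static_cast<Surface *>(e.geometry)->format & ARRAY_FLAG_USE_OCTAHEDRAL_COMPRESSION;
        default:   // INSTANCE_IMMEDIATE and anything else: there is no Surface to read
            return false;
    }
}

// Scenarios: a mesh surface with/without the flag, and an immediate-mode element.
bool scenario_surface(uint32_t format) {
    Surface s; s.format = format;
    Instance inst{INSTANCE_MESH};
    Element e{&inst, &s};
    return octahedral_checked(e);
}
bool scenario_immediate() {
    Immediate imm;
    Instance inst{INSTANCE_IMMEDIATE};
    Element e{&inst, &imm};
    return octahedral_checked(e);   // false, and imm's memory is never read as a Surface
}

int main() {
    return (scenario_surface(ARRAY_FLAG_USE_OCTAHEDRAL_COMPRESSION)
            && !scenario_surface(0) && !scenario_immediate()) ? 0 : 1;
}
```

Built with `-fsanitize=address`, calling `octahedral_unchecked` on the immediate-mode element reproduces the class of report shown above; `octahedral_checked` never touches that memory.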

@akien-mga (Member) commented:

To reproduce you'd have to do a build with Address Sanitizer. I assume #53966 fixed it; please reopen/comment if that's not the case after testing.
