[zeromq-dev] address sanitizer detected heap use-after-free in zmq zmq::signaler_t::send signaler.cpp

Vladimir Simonov Vladimir.Simonov at acronis.com
Fri May 29 10:27:52 CEST 2015


Hi all,

We have the following report from address sanitizer.
==797==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0001f29e8 at pc 0x00013ab80c82 bp 0x00014f043850 sp 0x00014f043848
READ of size 4 at 0x61a0001f29e8 thread T65
    #0 0x13ab80c81 in zmq::signaler_t::send signaler.cpp:192
    #1 0x13ab60908 in zmq::object_t::send_term_ack object.cpp:417
    #2 0x13ab6553e in zmq::own_t::check_term_acks own.cpp:194
    #3 0x13ab6aa67 in zmq::pipe_t::process_pipe_term_ack pipe.cpp:305
    #4 0x13ab4a964 in zmq::io_thread_t::in_event io_thread.cpp:73
    #5 0x13ab50c23 in zmq::kqueue_t::loop kqueue.cpp:198
...


We use ZeroMQ 4.0.5 on Mac OS X. Please see the full report in asan_report.txt.

Problem code
void zmq::signaler_t::send ()
{
...
    unsigned char dummy = 0;
    while (true) {
        ssize_t nbytes = ::send (w, &dummy, sizeof (dummy), 0);
        if (unlikely (nbytes == -1 && errno == EINTR))
            continue;
#if HAVE_FORK
        if (unlikely(pid != getpid())) { // !!!!!!!!!!!! "pid" is in freed memory
            //printf("Child process %d signaler_t::send returning without sending #2\n", getpid());
            errno = EINTR;
            break;
        }
#endif

I have a couple questions.
1. If I understand correctly, HAVE_FORK is used to disable the operation of zmq objects in a "forked" child.
We always use "exec" right after "fork". Probably it is better to unset HAVE_FORK in our project.
Is it safe to disable HAVE_FORK on Linux/Mac OS X in our project?

2. I do not work with zmq closely; my goal is just to go forward with the program tests under asan.
After briefly browsing the zmq sources I have the impression that "this" may be in a "deleted" state when
we return from ::send (in void zmq::signaler_t::send ()), and that this was done intentionally to avoid
introducing unneeded locking. If the above is correct, is the attached patch OK?

Thank you in advance
Vladimir


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: asan_report.txt
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20150529/5ff97ca7/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signaler.patch
Type: application/octet-stream
Size: 964 bytes
Desc: signaler.patch
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20150529/5ff97ca7/attachment.obj>
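The ordering the ASan trace shows, as an added example modelled on the quoted send loop. This is illustrative code written for this page, not zeromq's own signaler and not the attached signaler.patch (which is not visible here). It assumes a socketpair as the wake-up channel; the class and the function names signaler_t, run_term_ack_race and signal_round_trip are hypothetical stand-ins; and the fix it demonstrates (copying `pid` and the write descriptor into locals before the wake-up write, so nothing dereferences `this` afterwards) is the reading of the problem given in the post, not a confirmed upstream change.

```cpp
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <atomic>
#include <cerrno>
#include <cstdio>
#include <thread>

// Hypothetical stand-in for zmq::signaler_t (not the zeromq class).
// fds[0] is the owner's read end, fds[1] the write end used by send ().
class signaler_t
{
public:
    signaler_t () : pid (getpid ())
    {
        if (socketpair (AF_UNIX, SOCK_STREAM, 0, fds) != 0)
            fds[0] = fds[1] = -1;
    }
    ~signaler_t ()
    {
        if (fds[0] != -1) {
            close (fds[0]);
            close (fds[1]);
        }
    }

    // Shape of the 4.0.5 loop quoted in the post: the member `pid` is read
    // AFTER ::send. Once the byte is written, the owner thread may wake up
    // in recv (), finish termination and delete this object, so the
    // comparison below can read freed memory. Kept only as the "before";
    // never call it on an object another thread may free on wake-up.
    bool send_unsafe ()
    {
        unsigned char dummy = 0;
        while (true) {
            ssize_t n = ::send (fds[1], &dummy, sizeof dummy, 0);
            if (n == -1 && errno == EINTR)
                continue;
            if (pid != getpid ()) {        // dereferences this after the wake-up
                errno = EINTR;
                return false;
            }
            return n == 1;
        }
    }

    // Hardened form: everything send () needs from *this is copied into
    // locals first, and nothing touches `this` after the write.
    bool send ()
    {
        const pid_t owner_pid = pid;       // snapshot before the wake-up write
        const int w = fds[1];
        unsigned char dummy = 0;
        while (true) {
            ssize_t n = ::send (w, &dummy, sizeof dummy, 0);
            if (n == -1 && errno == EINTR)
                continue;
            if (owner_pid != getpid ()) {  // compares the local copy only
                errno = EINTR;
                return false;
            }
            return n == 1;
        }
    }

    // Owner side: block until one wake-up byte arrives.
    bool recv ()
    {
        unsigned char dummy;
        ssize_t n;
        do {
            n = ::recv (fds[0], &dummy, sizeof dummy, 0);
        } while (n == -1 && errno == EINTR);
        return n == 1;
    }

private:
    int fds[2];
    pid_t pid;
};

// Same-thread sanity check: one wake-up byte written, one read back.
bool signal_round_trip ()
{
    signaler_t s;
    return s.send () && s.recv ();
}

// Reproduces the ordering from the trace: the I/O thread sends the last
// term-ack, the owner wakes in recv () and destroys the signaler while
// send () may still be on the stack. With the hardened send () the
// destroyed object is never touched again.
bool run_term_ack_race ()
{
    signaler_t *s = new signaler_t ();
    std::atomic<bool> destroyed (false);
    std::thread owner ([&] {
        s->recv ();          // wakes as soon as the byte is written
        delete s;            // object is gone while send () may be running
        destroyed = true;
    });
    bool ok = s->send ();    // reads nothing from *s after the write
    owner.join ();
    return ok && destroyed;
}

int main ()
{
    bool ok = signal_round_trip () && run_term_ack_race ();
    std::printf ("%s\n", ok ? "send () did not touch the freed signaler" : "FAILED");
    return ok ? 0 : 1;
}
```

Build with something like `g++ -std=c++11 -pthread -fsanitize=address`; swapping `s->send ()` for `s->send_unsafe ()` in run_term_ack_race is the variant that would exercise the read-after-free the report describes, which is why that method is left uncalled here.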

