zeromq / czmq

High-level C binding for ØMQ
czmq.zeromq.org
Mozilla Public License 2.0

macOS test error #2297

Closed calvin2021y closed 5 days ago

calvin2021y commented 1 month ago

Tested commit: https://github.com/zeromq/czmq/commit/349564db20502ad787e66ff4db62be7c20e56360

Tested with zmq v4.3.5 and https://github.com/zeromq/libzmq/commit/b95d94935ed107679fd0ad9efd2f3d47309b6fd3

D: 24-08-08 21:09:28 zarmour:
D: 24-08-08 21:09:28     mode:        z85
D: 24-08-08 21:09:28     pad:         false
D: 24-08-08 21:09:28     pad_char:    '='
D: 24-08-08 21:09:28     line_breaks: false
D: 24-08-08 21:09:28     line_length: 64
D: 24-08-08 21:09:28     encoded '' into '' ('')
=================================================================
==97434==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000002a61 at pc 0x000100f90a76 bp 0x7ff7bfefd960 sp 0x7ff7bfefd0e8
READ of size 2 at 0x607000002a61 thread T0
    #0 0x100f90a75 in printf_common(void*, char const*, __va_list_tag*) sanitizer_common_interceptors_format.inc:563
    #1 0x100f913c6 in vsnprintf sanitizer_common_interceptors.inc:1652
    #2 0x100190e0c in s_zsys_vprintf_hint+0x16c (tests_net_zmq.exe:x86_64+0x100190e0c)
    #3 0x100190621 in zsys_vprintf+0x21 (tests_net_zmq.exe:x86_64+0x100190621)
    #4 0x100191e54 in zsys_debug+0x174 (tests_net_zmq.exe:x86_64+0x100191e54)
    #5 0x1000e9e91 in s_armour_decode+0x2a1 (tests_net_zmq.exe:x86_64+0x1000e9e91)
    #6 0x1000e9bc4 in s_armour_test+0x244 (tests_net_zmq.exe:x86_64+0x1000e9bc4)
    #7 0x1000e9623 in zarmour_test+0x1553 (tests_net_zmq.exe:x86_64+0x1000e9623)
    #8 0x10006f9b9 in main+0x29 (tests_net_zmq.exe:x86_64+0x10006f9b9)
    #9 0x7ff8117e141e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e)

0x607000002a61 is located 0 bytes after 65-byte region [0x607000002a20,0x607000002a61)
allocated by thread T0 here:
    #0 0x10102f2f2 in malloc sanitizer_malloc_mac.inc:137
    #1 0x1000efb1f in zchunk_new+0x1f (tests_net_zmq.exe:x86_64+0x1000efb1f)
    #2 0x1000e4754 in zarmour_decode+0x3b4 (tests_net_zmq.exe:x86_64+0x1000e4754)
    #3 0x1000e9df7 in s_armour_decode+0x207 (tests_net_zmq.exe:x86_64+0x1000e9df7)
    #4 0x1000e9bc4 in s_armour_test+0x244 (tests_net_zmq.exe:x86_64+0x1000e9bc4)
    #5 0x1000e9623 in zarmour_test+0x1553 (tests_net_zmq.exe:x86_64+0x1000e9623)
    #6 0x10006f9b9 in main+0x29 (tests_net_zmq.exe:x86_64+0x10006f9b9)
    #7 0x7ff8117e141e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e)

SUMMARY: AddressSanitizer: heap-buffer-overflow (tests_net_zmq.exe:x86_64+0x100190e0c) in s_zsys_vprintf_hint+0x16c
==97434==ABORTING

calvin2021y commented 1 month ago

D: 24-08-08 15:56:39 zloop: call PAIR socket handler
OK
 * zmsg: OK
 * zpoller: OK
 * zsock: 
=================================================================
==48564==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ff7bfefe3f0 at pc 0x00010030f578 bp 0x7ff7bfefdb90 sp 0x7ff7bfefdb88
READ of size 4 at 0x7ff7bfefe3f0 thread T0
    #0 0x10030f577 in zmq::socket_base_t::check_tag() const+0x57 (tests_net_zmq.exe:x86_64+0x10030f577)
    #1 0x100350987 in as_socket_base_t(void*)+0x27 (tests_net_zmq.exe:x86_64+0x100350987)
    #2 0x100350aaf in zmq_getsockopt+0x1f (tests_net_zmq.exe:x86_64+0x100350aaf)
    #3 0x100145b9a in zsock_resolve+0x21a (tests_net_zmq.exe:x86_64+0x100145b9a)
    #4 0x10017b903 in zsock_test+0x1003 (tests_net_zmq.exe:x86_64+0x10017b903)
    #5 0x10006fa45 in main+0xb5 (tests_net_zmq.exe:x86_64+0x10006fa45)
    #6 0x7ff8117e141e in start+0x76e (dyld:x86_64+0xfffffffffff6e41e)

Address 0x7ff7bfefe3f0 is located in stack of thread T0 at offset 1584 in frame
    #0 0x10017a90f in zsock_test+0xf (tests_net_zmq.exe:x86_64+0x10017a90f)

  This frame has 55 object(s):
    [32, 40) 'writer' (line 1898)
    [64, 104) 'endpoint' (line 1919)
    [144, 152) 'reader' (line 1924)
    [176, 184) 'msg' (line 1933)
    [208, 216) 'string' (line 1935)
    [240, 248) 'resolve' (line 1954)
    [272, 276) 'fd' (line 1960)
    [288, 296) 'dealer' (line 1983)
    [320, 321) 'number1' (line 2012)
    [336, 338) 'number2' (line 2013)
    [352, 356) 'number4' (line 2014)
    [368, 372) 'number4_MAX' (line 2016)
    [384, 392) 'number8' (line 2017)
    [416, 424) 'number8_MAX' (line 2020)
    [448, 456) 'chunk' (line 2022)
    [480, 488) 'frame' (line 2024)
    [512, 520) 'hash' (line 2026)
    [544, 552) 'uuid' (line 2032)
    [576, 580) 'integer' (line 2069)
    [592, 600) 'data' (line 2070)
    [624, 632) 'size' (line 2071)
    [656, 664) 'pointer' (line 2072)
    [688, 696) 'longstr' (line 2187)
    [720, 728) 'streamrecv' (line 2206)
    [752, 760) 'streamsender' (line 2211)
    [784, 792) 'connectmsg' (line 2216)
    [816, 824) 'id' (line 2217)
    [848, 856) 'empty' (line 2221)
    [880, 888) 'connectmsg2' (line 2228)
    [912, 920) 'id2' (line 2229)
    [944, 952) 'empty2' (line 2233)
    [976, 1232) 'rid' (line 2241)
    [1296, 1304) 'rid_size' (line 2242)
    [1328, 1336) 'request' (line 2245)
    [1360, 1368) 'recvreq' (line 2255)
    [1392, 1400) 'ridframe' (line 2257)
    [1424, 1432) 'httpreq' (line 2260)
    [1456, 1515) 'http_response' (line 2266)
    [1552, 1560) 'httpmsg' (line 2279)
    [1584, 1592) 'httpid' (line 2281) <== Memory access at offset 1584 is inside this variable
    [1616, 1624) 'httpresp' (line 2283)
    [1648, 1656) 'disconnectmsg' (line 2291)
    [1680, 1688) 'id3' (line 2292)
    [1712, 1720) 'empty3' (line 2295)
    [1744, 1752) 'server' (line 2310)
    [1776, 1784) 'client' (line 2314)
    [1808, 1816) 'gather' (line 2390)
    [1840, 1848) 'scatter' (line 2392)
    [1872, 1880) 'message' (line 2398)
    [1904, 1912) 'gossip' (line 2442)
    [1936, 1944) 'dgramr' (line 2452)
    [1968, 1976) 'dgrams' (line 2456)
    [2000, 2008) 'dmessage' (line 2467)
    [2032, 2040) 'addr' (line 2467)
    [2064, 2072) 'dmsg' (line 2469)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (tests_net_zmq.exe:x86_64+0x10030f577) in zmq::socket_base_t::check_tag() const+0x57
==48564==ABORTING

calvin2021y commented 4 weeks ago

this patch fixes it:

diff --git a/src/zchunk.c b/src/zchunk.c
index e53fb258..7ac01310 100644
--- a/src/zchunk.c
+++ b/src/zchunk.c
@@ -62,6 +62,10 @@ zchunk_new (const void *data, size_t size)
         if (data) {
             self->size = size;
             memcpy (self->data, data, self->size);
+        } else {
+           if( size > 0 ) {
+               self->data[0] = 0;
+           }
         }
     }
     return self;
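Review bot: the new else branch only terminates `self->data[0]` (lines `+        } else {`, `+           if( size > 0 ) {`, `+               self->data[0] = 0;`), so a caller that later stores fewer than `size` bytes and then reads the buffer as a string still reaches bytes nothing has written; the report above shows the read landing 0 bytes after a 65-byte region, so please add a comment stating which case this terminator is meant to cover, and consider a single `self->data[self->size] = 0` after the if/else so the contract also holds after the memcpy branch, provided the allocation (not visible in this hunk) has the spare byte. Style: czmq writes `if (size > 0)` with a space before the parenthesis and indents by 4, and `else { if (...) }` collapses to `else if (size > 0)`.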
@@ -181,6 +185,9 @@ zchunk_data (zchunk_t *self)
 {
     assert (self);
     assert (zchunk_is (self));
+   if( self->size < 1 ) {
+       return NULL;
+   }
     return self->data;
 }
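Review bot: returning NULL from `zchunk_data` when the size is 0 changes the function's contract (it previously always returned `self->data`), so every caller that hands the result to `memcpy`, `strlen` or a `%s` format must now handle NULL; passing NULL to `%s` is undefined behaviour in standard C even where glibc happens to print "(null)". Document the new return value in the function's API comment and header, and audit the existing callers in the same PR. Also, `self->size` is a `size_t`, so `if( self->size < 1 )` reads more naturally as `if (self->size == 0)` in czmq's style.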

sphaero commented 1 week ago

Can you create a PR?

calvin2021y commented 1 week ago

https://github.com/zeromq/czmq/pull/2302
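The two behaviours the patch above introduces (a terminated empty chunk, and NULL from the data accessor when the chunk is empty), together with the length-bounded formatting a caller should use instead of `%s` on chunk bytes, as an added C example that is not czmq's code; `chunk_t` and the `chunk_*` functions are hypothetical stand-ins for zchunk.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal chunk modelled on the patched zchunk above; hypothetical, not czmq code. */
typedef struct {
    unsigned char *data;    /* size + 1 bytes, so a terminator always fits */
    size_t size;            /* bytes actually stored */
} chunk_t;

chunk_t *chunk_new (const void *data, size_t size)
{
    chunk_t *self = calloc (1, sizeof (chunk_t));
    if (self)
        self->data = malloc (size + 1);
    if (!self || !self->data) {
        free (self);
        return NULL;
    }
    if (data) {
        self->size = size;
        memcpy (self->data, data, size);
    }
    self->data[self->size] = 0;   /* terminate at size, not only data[0] */
    return self;
}

/* As in the patched zchunk_data: an empty chunk yields NULL, not unwritten bytes. */
const unsigned char *chunk_data (const chunk_t *self)
{
    assert (self);
    return self->size == 0 ? NULL : self->data;
}

/* %.*s reads at most size bytes; unlike %s it cannot run past the allocation. */
int chunk_format (const chunk_t *self, char *out, size_t out_len)
{
    const unsigned char *d = chunk_data (self);
    return snprintf (out, out_len, "'%.*s'", d ? (int) self->size : 0,
                     d ? (const char *) d : "");
}

void chunk_destroy (chunk_t **self_p)
{
    if (*self_p)
        free ((*self_p)->data);
    free (*self_p);
    *self_p = NULL;
}
```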