<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Incorrect sigaction() interceptor on output param"
   href="https://bugs.llvm.org/show_bug.cgi?id=47118">47118</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Incorrect sigaction() interceptor on output param
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>fuzzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>puddles@google.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Under certain circumstances, the sigaction() interceptor will return success
without taking any action:
compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc line 56

This is intentional, to prevent certain signals from being overwritten.
However, the third parameter to sigaction() is an output parameter, used for
reading the current signal state. If this 'early return zero' behavior
triggers, this structure will never be written to, leaving
possibly-uninitialized bytes behind. This can cause errors in a program being
fuzzed that only occur during fuzzing; and if compiled with MSan, can cause
incorrect crashes.

One reasonable behavior: rather than directly return zero, call the real
sigaction implementation with a null second parameter. This prevents it from
making any changes, but still allows reading.

This was discovered while doing MSan fuzzing of the Python runtime - it uses
sigaction() during initialization.</pre>
        </div>
      </p>
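<p>The hazard and the proposed fix, as an added C model that is not part of the report or of compiler-rt: two constructed wrappers stand in for the interceptor (SIGSEGV plays the role of a protected signal, and <code>probe()</code> is an assumed helper that exercises a wrapper the way a fuzzed program would). The buggy wrapper leaves the caller's <code>oldact</code> buffer untouched, while the fixed one forwards a NULL <code>act</code> so the real <code>sigaction()</code> reads the current state without changing it.</p>

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

/* Constructed model of the interceptor behaviour described in the report (not
 * the sanitizer's code); SIGSEGV stands in for the signals it protects. */
static int is_protected(int signum) { return signum == SIGSEGV; }
static void dummy_handler(int sig) { (void)sig; }
typedef int (*sigaction_fn)(int, const struct sigaction *, struct sigaction *);

/* Buggy shape: early "return 0" for a protected signal leaves *oldact unwritten. */
int intercepted_sigaction_buggy(int signum, const struct sigaction *act,
                                struct sigaction *oldact) {
    if (is_protected(signum))
        return 0;                         /* reports success, touches nothing */
    return sigaction(signum, act, oldact);
}

/* Fix proposed in the report: forward a NULL 'act' so the real sigaction()
 * installs nothing but still fills in *oldact. */
int intercepted_sigaction_fixed(int signum, const struct sigaction *act,
                                struct sigaction *oldact) {
    if (is_protected(signum))
        act = NULL;
    return sigaction(signum, act, oldact);
}

/* Exercise a wrapper the way a fuzzed program would: ask to replace the SIGSEGV
 * handler and read the old one. 'old' is pre-filled with a sentinel so the
 * unwritten-output hazard shows deterministically instead of via stack garbage. */
struct probe_result { int oldact_written; int handler_replaced; };

struct probe_result probe(sigaction_fn wrapper) {
    struct probe_result r = {-1, -1};
    struct sigaction act, old, now;
    memset(&act, 0, sizeof act);
    act.sa_handler = dummy_handler;
    sigemptyset(&act.sa_mask);
    memset(&old, 0xAB, sizeof old);       /* sentinel: "never written" marker */
    if (wrapper(SIGSEGV, &act, &old) != 0)
        return r;                         /* -1/-1: wrapper reported failure */
    r.oldact_written = 0;
    for (size_t i = 0; i < sizeof old; i++)
        if (((const unsigned char *)&old)[i] != 0xAB)
            r.oldact_written = 1;         /* real sigaction() filled it in */
    sigaction(SIGSEGV, NULL, &now);       /* did the protection still hold? */
    r.handler_replaced = (now.sa_handler == dummy_handler);
    return r;
}
```

Both wrappers must leave <code>handler_replaced</code> at 0; the fix only stops the output parameter from being dropped, it does not weaken the protection.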


    </body>
</html>