<html>
    <head>
      <base href="https://bugs.llvm.org/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - libFuzzer SEGV handler prevents stack-overflow detection by address sanitizer"
   href="https://bugs.llvm.org/show_bug.cgi?id=48748">48748</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>libFuzzer SEGV handler prevents stack-overflow detection by address sanitizer
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>compiler-rt
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>11.0
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>fuzzer
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>unassignedbugs@nondot.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>poeplau@code-intelligence.com
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>llvm-bugs@lists.llvm.org
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=24377" name="attach_24377" title="Make libFuzzer preserve SA_ONSTACK when installing signal handlers">attachment 24377</a> <a href="attachment.cgi?id=24377&action=edit" title="Make libFuzzer preserve SA_ONSTACK when installing signal handlers">[details]</a></span>
Make libFuzzer preserve SA_ONSTACK when installing signal handlers

Address sanitizer can detect stack exhaustion via its SEGV handler, which is
executed on a separate stack using the sigaltstack mechanism. When libFuzzer is
used with address sanitizer, it installs its own signal handlers which defer to
those put in place by the sanitizer before performing additional actions. In
the particular case of a stack overflow, the current setup fails because
libFuzzer doesn't preserve the flag for executing the signal handler on a
separate stack: when we run out of stack space, the operating system can't run
the SEGV handler, so address sanitizer never reports the issue.

Verified on Linux with LLVM versions 10.0.1 and 11.0.0, but the relevant code
is the same in master. To reproduce the problem, define a simple function that
exhausts the stack, for example:

/* Never terminates: each call pushes a new frame until the stack is exhausted. */
int infinite_recursion(int x) {
    return infinite_recursion(x - 1) + 1;
}

Then use it with address sanitizer only (i.e., call it from main and compile
with -fsanitize=address) and observe that the stack overflow is reported
properly. Next, test the function with libFuzzer (i.e., call it from
LLVMFuzzerTestOneInput and compile with -fsanitize=fuzzer,address) and note that the
process is just terminated by the operating system without any sanitizer
report. The expected behavior would be a proper report from address sanitizer,
followed by clean process termination via the fuzzer.

The attached patch fixes the issue by making libFuzzer preserve the SA_ONSTACK
flag when installing its signal handlers; the dedicated signal-handler stack
set up by the sanitizer runtime appears to be large enough to support the
additional frames from the fuzzer.</pre>
        </div>
      </p>
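<p>The mechanism described in the report, as an added example that is not part of the bug report or of libFuzzer/compiler-rt: a stand-alone Linux C program with two constructed stand-ins, an "upstream" handler that models the sanitizer runtime (alternate stack via sigaltstack, SEGV handler with SA_ONSTACK) and a "wrapper" handler that models libFuzzer chaining to it. <code>install_wrapper(0)</code> reproduces the bug by installing the wrapper with a fixed flag set that drops SA_ONSTACK; <code>install_wrapper(1)</code> applies the fix by copying SA_ONSTACK from the handler it replaces. <code>probe_stack_overflow</code> forks a child, drives it into a real stack overflow and reports whether the chained handler ran or the kernel killed the process. All function names are assumptions made for this example; it assumes Linux and glibc.</p>

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for the sanitizer runtime's SEGV handler (not ASan's code). */
static sigjmp_buf recover_env;

static void upstream_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)si; (void)ctx;
    /* The real runtime would print a report; here we just escape the fault. */
    siglongjmp(recover_env, 1);
}

static struct sigaction upstream_action;

/* Constructed stand-in for libFuzzer's handler: defer to the previous handler first. */
static void wrapper_handler(int sig, siginfo_t *si, void *ctx) {
    if (upstream_action.sa_flags & SA_SIGINFO)
        upstream_action.sa_sigaction(sig, si, ctx);
    else if (upstream_action.sa_handler != SIG_DFL && upstream_action.sa_handler != SIG_IGN)
        upstream_action.sa_handler(sig);
    _exit(2);  /* upstream handler returned instead of recovering */
}

/* Sanitizer-like setup: alternate signal stack plus a handler flagged SA_ONSTACK. */
int install_upstream_handler(void) {
    const size_t altsz = 1 << 16;
    stack_t ss = { .ss_sp = malloc(altsz), .ss_size = altsz, .ss_flags = 0 };
    if (!ss.ss_sp || sigaltstack(&ss, NULL) != 0) return -1;
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = upstream_handler;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK | SA_NODEFER;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Fuzzer-like setup. preserve_onstack == 0 models the bug: the old handler's
   SA_ONSTACK is lost, so the chained handler can no longer run on the alt stack. */
int install_wrapper(int preserve_onstack) {
    if (sigaction(SIGSEGV, NULL, &upstream_action) != 0) return -1;
    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = wrapper_handler;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    if (preserve_onstack) sa.sa_flags |= upstream_action.sa_flags & SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* 1 if the installed SIGSEGV action carries SA_ONSTACK, 0 if not, -1 on error. */
int segv_handler_has_onstack(void) {
    struct sigaction cur;
    if (sigaction(SIGSEGV, NULL, &cur) != 0) return -1;
    return (cur.sa_flags & SA_ONSTACK) != 0;
}

/* Unbounded, non-tail recursion with a volatile frame so every frame stays live. */
static int __attribute__((noinline)) exhaust_stack(int depth) {
    volatile char frame[1024];
    frame[0] = (char)depth;
    return exhaust_stack(depth + 1) + frame[0];
}

/* Fork a child, overflow its stack, and report the outcome:
   1 = chained handler ran and recovered, 0 = child killed by SIGSEGV, -1 = error. */
int probe_stack_overflow(int preserve_onstack) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl;  /* cap the stack so the overflow is quick and deterministic */
        if (getrlimit(RLIMIT_STACK, &rl) == 0 && rl.rlim_cur > (1 << 20)) {
            rl.rlim_cur = 1 << 20;
            setrlimit(RLIMIT_STACK, &rl);
        }
        if (install_upstream_handler() != 0 || install_wrapper(preserve_onstack) != 0) _exit(3);
        if (sigsetjmp(recover_env, 1) == 0) exhaust_stack(0);
        _exit(0);  /* reached only via siglongjmp from upstream_handler */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) return 0;
    return -1;
}

int main(void) {
    printf("SA_ONSTACK dropped:   %s\n", probe_stack_overflow(0) == 1 ? "handler ran" : "process killed");
    printf("SA_ONSTACK preserved: %s\n", probe_stack_overflow(1) == 1 ? "handler ran" : "process killed");
    return 0;
}
```

<p>Without SA_ONSTACK the kernel has to build the signal frame on the very stack that just ran out, fails, and falls back to the default action, so the child dies with SIGSEGV and no handler ever runs; with the flag carried over, the wrapper runs on the alternate stack and the chained handler gets its chance to report, which is the behaviour the attached patch restores for libFuzzer under ASan.</p>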


    </body>
</html>