[llvm-bugs] [Bug 44369] New: Signal-unsafe calls (mallocs) in signal handlers causes deadlocks or heap corruption

via llvm-bugs llvm-bugs at lists.llvm.org
Mon Dec 23 12:28:38 PST 2019


            Bug ID: 44369
           Summary: Signal-unsafe calls (mallocs) in signal handlers
                    causes deadlocks or heap corruption
           Product: compiler-rt
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: fuzzer
          Assignee: unassignedbugs at nondot.org
          Reporter: ahmad.hazimeh at epfl.ch
                CC: llvm-bugs at lists.llvm.org

libFuzzer registers signal handlers to intercept signals and report. In almost
all the handlers, malloc() is being implicitly called (by constructing strings,
vectors, or other objects). malloc is not a signal-safe function and should not
be called within signal handlers.

For most signals, this issue is of little concern, since it is probably
unlikely that malloc itself will crash that often. However, for the timeout
signal (SIGALRM), it is possible that the signal is received inside a malloc
call. For a multithreaded application, glibc malloc obtains the lock over the
arena during its operation. If the libFuzzer timeout occurs while the
application is inside the malloc call and the arena is locked, the signal
handler would attempt to lock it again and would deadlock.

In my tests, the deadlock occured in DumpCurrentUnit when it constructs the
uint8_t vector (Unit) from CurrentUnitData and UnitSize.

You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20191223/fbb4952a/attachment.html>

More information about the llvm-bugs mailing list