[llvm-bugs] [Bug 47118] New: Incorrect sigaction() interceptor on output param
via llvm-bugs
llvm-bugs at lists.llvm.org
Tue Aug 11 08:46:17 PDT 2020
https://bugs.llvm.org/show_bug.cgi?id=47118
Bug ID: 47118
Summary: Incorrect sigaction() interceptor on output param
Product: compiler-rt
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P
Component: fuzzer
Assignee: unassignedbugs at nondot.org
Reporter: puddles at google.com
CC: llvm-bugs at lists.llvm.org
Under certain circumstances, the sigaction() interceptor will return success
without taking any action:
compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc line 56
This is intentional, to prevent certain signals from being overwritten.
However, the third parameter to sigaction() is an output parameter, used for
reading the current signal state. If this 'early return zero' behavior
triggers, this structure will never be written to, leaving
possibly-uninitialized bytes behind. This can cause errors in a program being
fuzzed that only occur during fuzzing; and if compiled with MSan, can cause
incorrect crashes.
One reasonable behavior: rather than directly return zero, call the real
sigaction implementation with a null second parameter. This prevents it from
making any changes, but still allows reading.
This was discovered while doing MSan fuzzing of the Python runtime - it uses
sigaction() during initialization.
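The following is an added illustration of the failure mode described in the report and of the suggested query-only fix; it is not code from the report or from compiler-rt. The real interceptor lives in sanitizer_signal_interceptors.inc and consults the sanitizer's own runtime state; here a hypothetical is_protected_signal() stand-in treats SIGUSR1 as "protected" (chosen so the example runs without raising a real fault), and the probe poisons the output struct with a fixed byte pattern to stand in for the uninitialized stack memory that MSan would flag.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Result bits reported by run_probe(). */
#define PROBE_OLDACT_WRITTEN   1  /* *oldact received the previous disposition */
#define PROBE_HANDLER_CHANGED  2  /* the requested new handler was installed   */

/* Hypothetical stand-in for the sanitizer's protected-signal check (assumption:
 * the real runtime decides this from its own flags, not from a fixed signal). */
static int is_protected_signal(int sig) { return sig == SIGUSR1; }

/* Buggy shape from the report: refuse the change by returning 0 early, which
 * also leaves *oldact exactly as the caller passed it in. */
int buggy_sigaction(int sig, const struct sigaction *act, struct sigaction *oldact) {
    if (is_protected_signal(sig))
        return 0;
    return sigaction(sig, act, oldact);
}

/* Suggested fix: for a protected signal, forward a query-only call (act == NULL)
 * so the real sigaction fills *oldact without installing anything. */
int fixed_sigaction(int sig, const struct sigaction *act, struct sigaction *oldact) {
    if (is_protected_signal(sig))
        return sigaction(sig, NULL, oldact);
    return sigaction(sig, act, oldact);
}

static void original_handler(int sig) { (void)sig; }
static void new_handler(int sig) { (void)sig; }

/* Drives one interceptor implementation against one signal and reports, as a
 * bitmask, whether *oldact was written and whether the handler was replaced. */
int run_probe(int (*impl)(int, const struct sigaction *, struct sigaction *), int sig) {
    struct sigaction known, want, old, cur, dfl;
    int result = 0;

    /* 1. Install a known handler directly, bypassing the interceptor. */
    memset(&known, 0, sizeof known);
    known.sa_handler = original_handler;
    sigemptyset(&known.sa_mask);
    if (sigaction(sig, &known, NULL) != 0) return -1;

    /* 2. Poison the output struct; an untouched buffer keeps this pattern. */
    memset(&old, 0xAB, sizeof old);

    /* 3. Ask the interceptor to replace the handler, requesting the old one. */
    memset(&want, 0, sizeof want);
    want.sa_handler = new_handler;
    sigemptyset(&want.sa_mask);
    if (impl(sig, &want, &old) != 0) return -1;
    if (old.sa_handler == original_handler) result |= PROBE_OLDACT_WRITTEN;

    /* 4. Read the real disposition back to see whether the change applied. */
    if (sigaction(sig, NULL, &cur) != 0) return -1;
    if (cur.sa_handler == new_handler) result |= PROBE_HANDLER_CHANGED;

    /* 5. Restore the default disposition so probes are repeatable. */
    memset(&dfl, 0, sizeof dfl);
    dfl.sa_handler = SIG_DFL;
    sigemptyset(&dfl.sa_mask);
    sigaction(sig, &dfl, NULL);
    return result;
}

int main(void) {
    printf("buggy, protected signal:   %d\n", run_probe(buggy_sigaction, SIGUSR1));
    printf("fixed, protected signal:   %d\n", run_probe(fixed_sigaction, SIGUSR1));
    printf("fixed, unprotected signal: %d\n", run_probe(fixed_sigaction, SIGUSR2));
    return 0;
}
```

With the buggy shape, the protected-signal probe reports neither bit: the caller's struct still holds the poison pattern, which is exactly the uninitialized read MSan would later report when the program inspects the returned disposition. With the query-only forward, the protected-signal probe reports only PROBE_OLDACT_WRITTEN, so the program sees the true previous handler while the sanitizer's own handler stays in place; for an unprotected signal both implementations behave like plain sigaction() and report both bits.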