[llvm-bugs] [Bug 48748] New: libFuzzer SEGV handler prevents stack-overflow detection by address sanitizer

via llvm-bugs llvm-bugs at lists.llvm.org
Thu Jan 14 03:43:53 PST 2021


https://bugs.llvm.org/show_bug.cgi?id=48748

            Bug ID: 48748
           Summary: libFuzzer SEGV handler prevents stack-overflow
                    detection by address sanitizer
           Product: compiler-rt
           Version: 11.0
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: fuzzer
          Assignee: unassignedbugs at nondot.org
          Reporter: poeplau at code-intelligence.com
                CC: llvm-bugs at lists.llvm.org

Created attachment 24377
  --> https://bugs.llvm.org/attachment.cgi?id=24377&action=edit
Make libFuzzer preserve SA_ONSTACK when installing signal handlers

Address sanitizer can detect stack exhaustion via its SEGV handler, which is
executed on a separate stack using the sigaltstack mechanism. When libFuzzer is
used with address sanitizer, it installs its own signal handlers which defer to
those put in place by the sanitizer before performing additional actions. In
the particular case of a stack overflow, the current setup fails because
libFuzzer doesn't preserve the flag for executing the signal handler on a
separate stack: when we run out of stack space, the operating system can't run
the SEGV handler, so address sanitizer never reports the issue.

Verified on Linux with LLVM versions 10.0.1 and 11.0.0, but the relevant code
is the same in master. To reproduce the problem, define a simple function that
exhausts the stack, for example:

/* Deliberately unbounded recursion: every call adds a frame until the stack is exhausted. */
int infinite_recursion(int x) {
    return infinite_recursion(x - 1) + 1;
}

Then use it with address sanitizer only (i.e., call it from main and compile
with -fsanitize=address) and observe that the stack overflow is reported
properly. Next, test the function with libFuzzer (i.e., call it from
LLVMFuzzerTestOneInput and compile with -fsanitize=fuzzer,address) and note that the
process is just terminated by the operating system without any sanitizer
report. The expected behavior would be a proper report from address sanitizer,
followed by clean process termination via the fuzzer.

The attached patch fixes the issue by making libFuzzer preserve the SA_ONSTACK
flag when installing its signal handlers; the dedicated signal-handler stack
set up by the sanitizer runtime appears to be large enough to support the
additional frames from the fuzzer.

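The failure mode described in the report, reproduced in miniature as an added example (this is not the reporter's code and not libFuzzer's or the sanitizer runtime's). A "sanitizer" SIGSEGV handler is installed with sigaltstack() and SA_ONSTACK; a "fuzzer" wrapper then re-installs itself on top, deferring to the saved handler, and either drops SA_ONSTACK (the bug) or copies it from the previous sigaction (the fix). The overflow runs in a forked child so the parent can inspect the outcome: with the flag dropped the kernel cannot build a signal frame on the exhausted stack and kills the child with SIGSEGV, so no handler runs; with the flag preserved the handler runs on the alternate stack. The alternate-stack size, the exit codes, the 1 MiB child stack cap and the handler-chaining shape are assumptions of the example, not values taken from the page.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define ALT_STACK_SIZE (64 * 1024)  /* assumed; real sanitizers size this themselves */
#define HANDLER_EXIT_CODE 42        /* child exits with this if the handler ran */
#define CHILD_STACK_LIMIT (1 << 20) /* assumed cap so the child overflows quickly */

/* Stand-in for the sanitizer's SEGV handler: runs on the alternate stack,
 * "reports", and terminates with a recognisable exit code. */
static void sanitizer_segv_handler(int sig, siginfo_t *info, void *ctx) {
    static const char msg[] = "sanitizer: stack-overflow detected\n";
    ssize_t n;
    (void)sig; (void)info; (void)ctx;
    n = write(STDERR_FILENO, msg, sizeof msg - 1);
    (void)n;
    _exit(HANDLER_EXIT_CODE);
}

/* What a sanitizer runtime does at startup: register an alternate signal
 * stack and a SIGSEGV handler carrying SA_ONSTACK. */
static void install_sanitizer_handler(void) {
    stack_t ss = { .ss_sp = malloc(ALT_STACK_SIZE), .ss_size = ALT_STACK_SIZE, .ss_flags = 0 };
    struct sigaction sa;
    if (!ss.ss_sp || sigaltstack(&ss, NULL) != 0) _exit(100);
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = sanitizer_segv_handler;
    sa.sa_flags = SA_SIGINFO | SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) _exit(101);
}

/* The handler the fuzzer-style wrapper defers to. */
static struct sigaction upstream_action;

static void fuzzer_segv_handler(int sig, siginfo_t *info, void *ctx) {
    /* Defer to the previously installed handler first, as libFuzzer does. */
    if (upstream_action.sa_flags & SA_SIGINFO)
        upstream_action.sa_sigaction(sig, info, ctx);
    else if (upstream_action.sa_handler != SIG_DFL && upstream_action.sa_handler != SIG_IGN)
        upstream_action.sa_handler(sig);
    _exit(HANDLER_EXIT_CODE + 1); /* fuzzer-side termination if upstream returns */
}

/* Wrap whatever SIGSEGV handler is installed. preserve_onstack == 0 models the
 * bug (SA_ONSTACK dropped); non-zero models the fix (flag carried over). */
static void install_fuzzer_handler(int preserve_onstack) {
    struct sigaction sa;
    if (sigaction(SIGSEGV, NULL, &upstream_action) != 0) _exit(102);
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fuzzer_segv_handler;
    sa.sa_flags = SA_SIGINFO;
    if (preserve_onstack)
        sa.sa_flags |= upstream_action.sa_flags & SA_ONSTACK;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0) _exit(103);
}

/* Unbounded recursion; passing a local's address down keeps every frame live
 * so the compiler cannot rewrite this into a loop. */
static int infinite_recursion(volatile char *prev, int x) {
    volatile char pad[256];
    pad[0] = prev ? (char)(prev[0] + 1) : (char)x;
    return infinite_recursion(pad, x - 1) + pad[0];
}

/* Run the overflow in a child. Returns 1 if the sanitizer handler ran, 0 if the
 * kernel killed the child with SIGSEGV without running any handler, -1 otherwise. */
int overflow_reported(int preserve_onstack) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        struct rlimit rl;
        if (getrlimit(RLIMIT_STACK, &rl) == 0 && rl.rlim_cur > CHILD_STACK_LIMIT) {
            rl.rlim_cur = CHILD_STACK_LIMIT;
            setrlimit(RLIMIT_STACK, &rl);
        }
        install_sanitizer_handler();
        install_fuzzer_handler(preserve_onstack);
        _exit(infinite_recursion(NULL, 1000000) & 0x7f); /* never returns normally */
    }
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == HANDLER_EXIT_CODE) return 1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) return 0;
    return -1;
}

int main(void) {
    printf("SA_ONSTACK dropped:   sanitizer handler ran = %d\n", overflow_reported(0));
    printf("SA_ONSTACK preserved: sanitizer handler ran = %d\n", overflow_reported(1));
    return 0;
}
```

The check a practitioner wants when layering handlers on top of a sanitizer is the one in install_fuzzer_handler: query the existing sigaction first and copy SA_ONSTACK (and nothing else that would change semantics) into the new flags, rather than installing a fresh flag set. Whether the alternate stack is big enough for the wrapper's extra frames is a separate question the example does not answer; it only shows that without the flag the handler never gets a chance to run at all.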