https://bugs.llvm.org/show_bug.cgi?id=47118

            Bug ID: 47118
           Summary: Incorrect sigaction() interceptor on output param
           Product: compiler-rt
           Version: unspecified
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P
         Component: fuzzer
          Assignee: unassignedb...@nondot.org
          Reporter: pudd...@google.com
                CC: llvm-bugs@lists.llvm.org

Under certain circumstances, the sigaction() interceptor will return success
without taking any action:
compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc line 56

This is intentional, to prevent certain signals from being overwritten.
However, the third parameter to sigaction() is an output parameter, used for
reading the current signal state. If this 'early return zero' behavior
triggers, that structure is never written to, leaving possibly-uninitialized
bytes behind. This can cause errors in the program being fuzzed that occur only
during fuzzing, and, if the program is compiled with MSan, spurious crashes.

One reasonable behavior: rather than directly return zero, call the real
sigaction implementation with a null second parameter. This prevents it from
making any changes, but still allows reading.

This was discovered while doing MSan fuzzing of the Python runtime - it uses
sigaction() during initialization.
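A small C model of the two behaviours described above, added here as an illustration (it is not compiler-rt's interceptor code). The "protected" signal set, the sentinel pattern standing in for uninitialized bytes, and the wrapper names are all constructed for the demo; the only real API used is POSIX sigaction(), including the query-only form with a NULL act pointer that the report proposes.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stddef.h>
#include <string.h>

typedef int (*sigaction_fn)(int, const struct sigaction *, struct sigaction *);

/* Hypothetical "reserved" set standing in for the signals the runtime protects. */
static int is_protected(int signum) { return signum == SIGSEGV || signum == SIGBUS; }

/* Model of the reported behaviour: success without touching *oldact. */
int sigaction_early_return(int signum, const struct sigaction *act,
                           struct sigaction *oldact) {
    if (is_protected(signum))
        return 0;                       /* *oldact stays whatever it was */
    return sigaction(signum, act, oldact);
}

/* Model of the proposed fix: forward with act == NULL, so the kernel reports
 * the current disposition into *oldact without installing anything. */
int sigaction_query_only(int signum, const struct sigaction *act,
                         struct sigaction *oldact) {
    if (is_protected(signum))
        return sigaction(signum, NULL, oldact);
    return sigaction(signum, act, oldact);
}

static void demo_handler(int sig) { (void)sig; }

/* Try to install demo_handler on SIGSEGV through `wrapper`, with *oldact
 * prefilled by a sentinel pattern standing in for uninitialized bytes.
 * Returns 1 if the sentinel survived (output parameter never written),
 * 0 if the wrapper filled it in, -1 on error. */
int oldact_left_untouched(sigaction_fn wrapper) {
    struct sigaction act, old;
    memset(&act, 0, sizeof act);
    act.sa_handler = demo_handler;
    sigemptyset(&act.sa_mask);
    memset(&old, 0xAB, sizeof old);     /* constructed sentinel, not real garbage */
    void (*sentinel)(int) = old.sa_handler;
    if (wrapper(SIGSEGV, &act, &old) != 0)
        return -1;
    return old.sa_handler == sentinel;
}

/* Returns 1 if demo_handler is currently installed for `signum`, 0 if not. */
int demo_handler_installed(int signum) {
    struct sigaction cur;
    if (sigaction(signum, NULL, &cur) != 0)
        return -1;
    return cur.sa_handler == demo_handler;
}
```

With the early-return model the sentinel survives (the caller reads stale bytes, which is what MSan flags); with the query-only model the kernel overwrites it with the real disposition while the protected handler stays unchanged.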
