LLVM Bugzilla is read-only and represents the historical archive of all LLVM issues filed before November 26, 2021. Use GitHub to submit LLVM bugs.

Bug 47118 - Incorrect sigaction() interceptor on output param
Summary: Incorrect sigaction() interceptor on output param
Status: RESOLVED FIXED
Alias: None
Product: compiler-rt
Classification: Unclassified
Component: fuzzer
Version: unspecified
Hardware: PC
OS: All
Importance: P normal
Assignee: Unassigned LLVM Bugs
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-08-11 08:46 PDT by Ian Eldred Pudney
Modified: 2020-08-20 12:37 PDT
CC List: 2 users

See Also:
Fixed By Commit(s):


Description Ian Eldred Pudney 2020-08-11 08:46:17 PDT
Under certain circumstances, the sigaction() interceptor will return success without taking any action:
compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc line 56

This is intentional, to prevent certain signals from being overwritten. However, the third parameter to sigaction() is an output parameter, used for reading the current signal state. If this 'early return zero' behavior triggers, this structure will never be written to, leaving possibly-uninitialized bytes behind. This can cause errors in a program being fuzzed that only occur during fuzzing; and if compiled with MSan, can cause incorrect crashes.

One reasonable behavior: rather than directly return zero, call the real sigaction implementation with a null second parameter. This prevents it from making any changes, but still allows reading.

This was discovered while doing MSan fuzzing of the Python runtime - it uses sigaction() during initialization.
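The two interceptor shapes the report contrasts, as an added example (not compiler-rt's own code): the buggy one returns 0 without touching `*oldact`, the fixed one forwards to the real sigaction() with a NULL second parameter so the current state is still read. `is_protected` is a hypothetical stand-in for the sanitizer's protected-signal set, and SIGUSR1 is used only so the example is safe to run.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the sanitizer's "do not let the program override
 * this signal" policy; SIGUSR1 is chosen only so the example is safe to run. */
static int is_protected(int signum) { return signum == SIGUSR1; }

/* Shape of the bug: early `return 0` on a protected signal, so *oldact is
 * never written and keeps whatever bytes it held before the call. */
int intercept_sigaction_buggy(int signum, const struct sigaction *act,
                              struct sigaction *oldact) {
    if (is_protected(signum))
        return 0;
    return sigaction(signum, act, oldact);
}

/* Shape of the fix proposed in the report: forward to the real sigaction()
 * with act == NULL, which changes nothing but still fills in *oldact. */
int intercept_sigaction_fixed(int signum, const struct sigaction *act,
                              struct sigaction *oldact) {
    if (is_protected(signum))
        return sigaction(signum, NULL, oldact);
    return sigaction(signum, act, oldact);
}

static void dummy_handler(int sig) { (void)sig; }

/* Runs one interceptor through the scenario from the report. Returns 1 when
 * *oldact reports the real current handler and the protected handler survived
 * the write attempt, 0 when *oldact was left untouched, -1 on error. */
int oldact_written(int (*intercept)(int, const struct sigaction *,
                                    struct sigaction *)) {
    struct sigaction cur, attempt, old, check;
    memset(&cur, 0, sizeof cur);
    cur.sa_handler = dummy_handler;
    sigemptyset(&cur.sa_mask);
    if (sigaction(SIGUSR1, &cur, NULL) != 0)   /* real install, no interceptor */
        return -1;
    memset(&attempt, 0, sizeof attempt);
    attempt.sa_handler = SIG_IGN;              /* the program tries to override */
    memset(&old, 0xAA, sizeof old);            /* sentinel for "uninitialized" bytes */
    if (intercept(SIGUSR1, &attempt, &old) != 0)
        return -1;
    if (sigaction(SIGUSR1, NULL, &check) != 0 || check.sa_handler != dummy_handler)
        return -1;                             /* protection itself was violated */
    return old.sa_handler == dummy_handler;    /* constructed check, not MSan */
}
```

Under MSan the sentinel bytes would be poisoned memory instead, which is why the buggy path shows up as use-of-uninitialized-value later in the fuzzed program.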
Comment 1 Ian Eldred Pudney 2020-08-20 12:37:27 PDT
Fixed in https://reviews.llvm.org/D85797.