From 70cbc6dbef7048d3b1aa89a676d96c6ba075b41b Mon Sep 17 00:00:00 2001 From: Sebastian Poeplau Date: Fri, 7 May 2021 08:00:33 -0700 Subject: [PATCH] [libFuzzer] Fix stack overflow detection Address sanitizer can detect stack exhaustion via its SEGV handler, which is executed on a separate stack using the sigaltstack mechanism. When libFuzzer is used with address sanitizer, it installs its own signal handlers which defer to those put in place by the sanitizer before performing additional actions. In the particular case of a stack overflow, the current setup fails because libFuzzer doesn't preserve the flag for executing the signal handler on a separate stack: when we run out of stack space, the operating system can't run the SEGV handler, so address sanitizer never reports the issue. See the included test for an example. This commit fixes the issue by making libFuzzer preserve the SA_ONSTACK flag when installing its signal handlers; the dedicated signal-handler stack set up by the sanitizer runtime appears to be large enough to support the additional frames from the fuzzer. Reviewed By: morehouse Differential Revision: https://reviews.llvm.org/D101824 --- compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp | 11 +++++---- compiler-rt/test/fuzzer/StackOverflowTest.cpp | 26 ++++++++++++++++++++++ .../test/fuzzer/stack-overflow-with-asan.test | 3 +++ 3 files changed, 36 insertions(+), 4 deletions(-) create mode 100644 compiler-rt/test/fuzzer/StackOverflowTest.cpp create mode 100644 compiler-rt/test/fuzzer/stack-overflow-with-asan.test diff --git a/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp b/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp index afb7334..0446d73 100644 --- a/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp +++ b/compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp @@ -77,10 +77,13 @@ static void SetSigaction(int signum, return; } - sigact = {}; - sigact.sa_flags = SA_SIGINFO; - sigact.sa_sigaction = callback; - if (sigaction(signum, &sigact, 0)) { + struct sigaction new_sigact = {}; + // Address sanitizer needs SA_ONSTACK (causing the signal handler to run on a + // dedicated stack) in order to be able to detect stack overflows; keep the + // flag if it's set. + new_sigact.sa_flags = SA_SIGINFO | (sigact.sa_flags & SA_ONSTACK); + new_sigact.sa_sigaction = callback; + if (sigaction(signum, &new_sigact, nullptr)) { Printf("libFuzzer: sigaction failed with %d\n", errno); exit(1); } diff --git a/compiler-rt/test/fuzzer/StackOverflowTest.cpp b/compiler-rt/test/fuzzer/StackOverflowTest.cpp new file mode 100644 index 0000000..c8d8984 --- /dev/null +++ b/compiler-rt/test/fuzzer/StackOverflowTest.cpp @@ -0,0 +1,26 @@ +// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. +// See https://llvm.org/LICENSE.txt for license information. +// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception + +// Stack overflow test for a fuzzer. The fuzzer must find the string "Hi" and +// cause a stack overflow. +#include +#include + +volatile int x; +volatile int y = 1; + +int infinite_recursion(char *p) { + char *buf = nullptr; + + if (y) + infinite_recursion(buf); + + x = 1; +} + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + if (Size >= 2 && Data[0] == 'H' && Data[1] == 'i') + infinite_recursion(nullptr); + return 0; +} diff --git a/compiler-rt/test/fuzzer/stack-overflow-with-asan.test b/compiler-rt/test/fuzzer/stack-overflow-with-asan.test new file mode 100644 index 0000000..76be70b --- /dev/null +++ b/compiler-rt/test/fuzzer/stack-overflow-with-asan.test @@ -0,0 +1,3 @@ +CHECK: SUMMARY: AddressSanitizer: stack-overflow +RUN: %cpp_compiler %S/StackOverflowTest.cpp -o %t-StackOverflowTest +RUN: not %run %t-StackOverflowTest 2>&1 | FileCheck %s -- 2.7.4