
[libFuzzer] Fix stack overflow detection
ClosedPublic

Authored by sebastianpoeplau on Tue, May 4, 2:19 AM.

Details

Summary

Address sanitizer can detect stack exhaustion via its SEGV handler, which is
executed on a separate stack using the sigaltstack mechanism. When libFuzzer is
used with address sanitizer, it installs its own signal handlers which defer to
those put in place by the sanitizer before performing additional actions. In the
particular case of a stack overflow, the current setup fails because libFuzzer
doesn't preserve the flag for executing the signal handler on a separate stack:
when we run out of stack space, the operating system can't run the SEGV handler,
so address sanitizer never reports the issue. See the included test for an
example.

This commit fixes the issue by making libFuzzer preserve the SA_ONSTACK flag
when installing its signal handlers; the dedicated signal-handler stack set up
by the sanitizer runtime appears to be large enough to support the additional
frames from the fuzzer.
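The handler-chaining logic the summary describes, shown as an added example written for this page (not libFuzzer's or compiler-rt's own code): an "upstream" handler standing in for the sanitizer is installed with SA_ONSTACK on an alternate stack from sigaltstack(), and a wrapper handler standing in for the fuzzer is then installed over it. Installing the wrapper with a fresh flag set drops SA_ONSTACK; the fix copies that bit from the existing handler's flags. The example uses SIGUSR1 so it can be exercised with raise() instead of exhausting the stack (the real case is SIGSEGV), a constructed 64 KiB alternate stack, and hypothetical function names install_upstream, install_wrapper, handler_is_on_stack and run_chain.

```c
// Illustrative example for this page: chaining a signal handler to an
// already-installed one while preserving SA_ONSTACK. Not libFuzzer code.
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <signal.h>
#include <stdlib.h>
#include <string.h>

// Handler found installed before the wrapper (stands in for the sanitizer's
// SEGV handler). Saved so the wrapper can defer to it.
static struct sigaction upstream_action;
static volatile sig_atomic_t upstream_calls = 0;
static volatile sig_atomic_t wrapper_calls = 0;

// Stand-in for the sanitizer handler: it only counts invocations.
static void upstream_handler(int sig, siginfo_t *info, void *ctx) {
  (void)sig; (void)info; (void)ctx;
  upstream_calls++;
}

// Wrapper (stands in for the fuzzer's handler): defer to the upstream
// handler first, then do the additional work (here: just count).
static void wrapper_handler(int sig, siginfo_t *info, void *ctx) {
  if (upstream_action.sa_flags & SA_SIGINFO) {
    if (upstream_action.sa_sigaction)
      upstream_action.sa_sigaction(sig, info, ctx);
  } else if (upstream_action.sa_handler != SIG_DFL &&
             upstream_action.sa_handler != SIG_IGN) {
    upstream_action.sa_handler(sig);
  }
  wrapper_calls++;
}

// Register a constructed alternate stack (what the sanitizer runtime does)
// and install the upstream handler, with SA_ONSTACK if on_stack is non-zero.
// Returns 0 on success, -1 on failure.
int install_upstream(int signum, int on_stack) {
  static stack_t ss;  // zero-initialised; buffer lives for the whole process
  if (on_stack && ss.ss_sp == NULL) {
    ss.ss_size = 64 * 1024;  // constructed size, comfortably above MINSIGSTKSZ
    ss.ss_sp = malloc(ss.ss_size);
    ss.ss_flags = 0;
    if (!ss.ss_sp || sigaltstack(&ss, NULL) != 0) return -1;
  }
  struct sigaction sa;
  memset(&sa, 0, sizeof sa);
  sa.sa_sigaction = upstream_handler;
  sa.sa_flags = SA_SIGINFO | (on_stack ? SA_ONSTACK : 0);
  sigemptyset(&sa.sa_mask);
  return sigaction(signum, &sa, NULL);
}

// Install the wrapper over whatever handler is currently registered.
// preserve_onstack == 0 models the bug (SA_ONSTACK silently dropped);
// preserve_onstack != 0 models the fix (copy the bit from the old flags).
int install_wrapper(int signum, int preserve_onstack) {
  struct sigaction sa;
  if (sigaction(signum, NULL, &upstream_action) != 0) return -1;
  // Refuse to chain to ourselves; that would recurse forever on delivery.
  if ((upstream_action.sa_flags & SA_SIGINFO) &&
      upstream_action.sa_sigaction == wrapper_handler)
    return -1;
  memset(&sa, 0, sizeof sa);
  sa.sa_sigaction = wrapper_handler;
  sa.sa_flags = SA_SIGINFO;
  if (preserve_onstack)
    sa.sa_flags |= (upstream_action.sa_flags & SA_ONSTACK);  // the fix
  sigemptyset(&sa.sa_mask);
  return sigaction(signum, &sa, NULL);
}

// 1 if the handler currently registered for signum carries SA_ONSTACK,
// 0 if not, -1 on error.
int handler_is_on_stack(int signum) {
  struct sigaction cur;
  if (sigaction(signum, NULL, &cur) != 0) return -1;
  return (cur.sa_flags & SA_ONSTACK) != 0;
}

// Deliver signum to this process and report whether both handlers ran
// exactly once (1), or not (0); -1 if raise() failed.
int run_chain(int signum) {
  upstream_calls = 0;
  wrapper_calls = 0;
  if (raise(signum) != 0) return -1;
  return upstream_calls == 1 && wrapper_calls == 1;
}
```

On a real stack overflow the SA_ONSTACK bit is what lets the kernel switch to the alternate stack before entering the handler; without it the kernel has nowhere to push the signal frame and the process dies with no report, which is why the fuzzer-side handler must carry the flag forward rather than rebuild the flag set from scratch.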

Diff Detail

Event Timeline

sebastianpoeplau requested review of this revision. Tue, May 4, 2:19 AM
sebastianpoeplau created this revision.
Herald added a project: Restricted Project. Tue, May 4, 2:19 AM
Herald added a subscriber: Restricted Project.

Thanks for the fix. Could you add a test that fails before this fix and passes after it?

compiler-rt/lib/fuzzer/FuzzerUtilPosix.cpp, line 86

Nit: since we're touching this line, could you change 0 to nullptr?

> Thanks for the fix. Could you add a test that fails before this fix and passes after it?

Sure. Is there a better place for tests that combine ASan and libFuzzer than compiler-rt/test/asan?

compiler-rt/test/fuzzer is better. Most tests there already build with ASan + libFuzzer.

sebastianpoeplau edited the summary of this revision.

Added a test and rephrased the commit message accordingly.

> compiler-rt/test/fuzzer is better. Most tests there already build with ASan + libFuzzer.

Done. The test fails as expected if you comment out the new SA_ONSTACK logic.

This revision is now accepted and ready to land. Fri, May 7, 7:51 AM
This revision was automatically updated to reflect the committed changes.

Looks like I made a mistake in the test that causes the Windows build to fail (just received an email notification): infinite_recursion should be declared with return type void. Should I submit a new differential, or is there some way to fix this one?

Thanks for notifying. I've submitted https://reviews.llvm.org/rGf09414499c47 to address the Windows bot.