This is an archive of the discontinued LLVM Phabricator instance.

Differential D106468

Fix TSAN signal interceptor out-of-bound access
ClosedPublic

Authored by scw on Jul 21 2021, 11:05 AM.

Details

Reviewers
vitalybuka
Commits
rG4fa989c7b23c: Fix TSAN signal interceptor out-of-bound access
Summary

signal(2) and sigaction(2) have defined behaviors for invalid signal number
(EINVAL) and some programs rely on it.

The added test case also reveals that MSAN is too strict in this regard.

Test case passed on x86_64 Linux and AArch64 Linux.

Diff Detail

Event Timeline

scw requested review of this revision.Jul 21 2021, 11:05 AM
scw created this revision.
Herald added a subscriber: Restricted Project. · View Herald TranscriptJul 21 2021, 11:05 AM
vitalybuka added a comment.Jul 21 2021, 11:18 AM

Can you please add some basic test, ideally under compiler-rt/test/sanitizer_common/TestCases/Posix/ so we "ninja check-sanitizer" tests asan and msan as well

Harbormaster completed remote builds in B115368: Diff 360529.Jul 21 2021, 12:45 PM
scw updated this revision to Diff 360892.Jul 22 2021, 11:08 AM
scw edited the summary of this revision. (Show Details)

Added test case, needed to update MSAN for it as well. Tested on x86_86 Linux and AArch64 Linux.

Herald added subscribers: pengfei, kristof.beyls. · View Herald TranscriptJul 22 2021, 11:08 AM
scw updated this revision to Diff 360895.Jul 22 2021, 11:10 AM

Oops, that was the old file. This is the actual update.

vitalybuka added inline comments.Jul 22 2021, 11:29 AM
compiler-rt/lib/msan/msan_interceptors.cpp
1377

If so, why not on compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc:54 before GetHandleSignalMode check?

compiler-rt/test/sanitizer_common/TestCases/Posix/signal.cpp
219

Thanks if it works or all platforms.
I expected something basic which just triggers both branches of "if (signo <= 0 || signo >= kMaxSignals)"

scw added inline comments.Jul 22 2021, 11:58 AM
compiler-rt/lib/msan/msan_interceptors.cpp
1377

sanitizer_signal_interceptors.inc is also included by asan_interceptors.cpp which does not intercept signals and does not define kMaxSignals.

compiler-rt/test/sanitizer_common/TestCases/Posix/signal.cpp
219

Actually missed a change on relaxing checking the results of SIGCHLD. I'll try this and simplify it if build bots for different platforms complain.

scw updated this revision to Diff 360915.Jul 22 2021, 11:59 AM

Relaxed SIGCHLD handling.

vitalybuka accepted this revision.Jul 22 2021, 12:05 PM
This revision is now accepted and ready to land.Jul 22 2021, 12:05 PM
vitalybuka added a comment.Jul 22 2021, 12:06 PM

Thank you.
LGTM

This revision was landed with ongoing or failed builds.Jul 22 2021, 12:38 PM
Closed by commit rG4fa989c7b23c: Fix TSAN signal interceptor out-of-bound access (authored by scw). · Explain Why
This revision was automatically updated to reflect the committed changes.
scw added a commit: rG4fa989c7b23c: Fix TSAN signal interceptor out-of-bound access.
Harbormaster completed remote builds in B115652: Diff 360915.Jul 22 2021, 2:17 PM

Revision Contents

PathSize
compiler-rt/
lib/
msan/
11 lines
tsan/
rtl/
4 lines
test/
sanitizer_common/
TestCases/
Posix/
233 lines

Diff 360895

compiler-rt/lib/msan/msan_interceptors.cpp

Show All 11 Lines
// //
// FIXME: move as many interceptors as possible into // FIXME: move as many interceptors as possible into
// sanitizer_common/sanitizer_common_interceptors.h // sanitizer_common/sanitizer_common_interceptors.h
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "interception/interception.h" #include "interception/interception.h"
#include "msan.h" #include "msan.h"
#include "msan_chained_origin_depot.h" #include "msan_chained_origin_depot.h"
#include "msan_origin.h" #include "msan_origin.h"
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

+#include "msan_poisoning.h"
Lint: Pre-merge checks: clang-format: please reformat the code ``` +#include "msan_poisoning.h" ```
#include "msan_report.h" #include "msan_report.h"
#include "msan_thread.h" #include "msan_thread.h"
#include "msan_poisoning.h" #include "msan_poisoning.h"
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-#include "msan_poisoning.h"
-#include "sanitizer_common/sanitizer_errno_codes.h"
-#include "sanitizer_common/sanitizer_platform_limits_posix.h"
-#include "sanitizer_common/sanitizer_platform_limits_netbsd.h"
Lint: Pre-merge checks: clang-format: please reformat the code ``` -#include "msan_poisoning.h" -#include…
#include "sanitizer_common/sanitizer_errno_codes.h"
#include "sanitizer_common/sanitizer_platform_limits_posix.h" #include "sanitizer_common/sanitizer_platform_limits_posix.h"
#include "sanitizer_common/sanitizer_platform_limits_netbsd.h" #include "sanitizer_common/sanitizer_platform_limits_netbsd.h"
#include "sanitizer_common/sanitizer_allocator.h" #include "sanitizer_common/sanitizer_allocator.h"
#include "sanitizer_common/sanitizer_allocator_interface.h" #include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_allocator_internal.h" #include "sanitizer_common/sanitizer_allocator_internal.h"
#include "sanitizer_common/sanitizer_atomic.h" #include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_errno.h" #include "sanitizer_common/sanitizer_errno.h"
#include "sanitizer_common/sanitizer_stackdepot.h" #include "sanitizer_common/sanitizer_stackdepot.h"
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-#include "sanitizer_common/sanitizer_stackdepot.h"
+#include "sanitizer_common/sanitizer_errno_codes.h"
Lint: Pre-merge checks: clang-format: please reformat the code ``` -#include "sanitizer_common/sanitizer_stackdepot.h"…
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_linux.h" #include "sanitizer_common/sanitizer_linux.h"
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

+#include "sanitizer_common/sanitizer_platform_limits_netbsd.h"
+#include "sanitizer_common/sanitizer_platform_limits_posix.h"
+#include "sanitizer_common/sanitizer_stackdepot.h"
Lint: Pre-merge checks: clang-format: please reformat the code ``` +#include…
#include "sanitizer_common/sanitizer_tls_get_addr.h" #include "sanitizer_common/sanitizer_tls_get_addr.h"
#include "sanitizer_common/sanitizer_vector.h" #include "sanitizer_common/sanitizer_vector.h"
#if SANITIZER_NETBSD #if SANITIZER_NETBSD
#define fstat __fstat50 #define fstat __fstat50
#define gettimeofday __gettimeofday50 #define gettimeofday __gettimeofday50
#define getrusage __getrusage50 #define getrusage __getrusage50
#define tzset __tzset50 #define tzset __tzset50
▲ Show 20 LinesShow All 1,325 Lines▼ Show 20 Lines#define SIGNAL_INTERCEPTOR_SIGNAL_IMPL(func, signo, handler) \
return REAL(func)(signo, handler); \ return REAL(func)(signo, handler); \
} }
#include "sanitizer_common/sanitizer_signal_interceptors.inc" #include "sanitizer_common/sanitizer_signal_interceptors.inc"
static int sigaction_impl(int signo, const __sanitizer_sigaction *act, static int sigaction_impl(int signo, const __sanitizer_sigaction *act,
__sanitizer_sigaction *oldact) { __sanitizer_sigaction *oldact) {
ENSURE_MSAN_INITED(); ENSURE_MSAN_INITED();
if (signo <= 0 || signo >= kMaxSignals) {
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

If so, why not on compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc:54 before GetHandleSignalMode check?

vitalybuka: If so, why not on compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc:54 before…
scwAuthorUnsubmitted
Done
ReplyInline Actions

sanitizer_signal_interceptors.inc is also included by asan_interceptors.cpp which does not intercept signals and does not define kMaxSignals.

scw: sanitizer_signal_interceptors.inc is also included by asan_interceptors.cpp which does not…
errno = errno_EINVAL;
return -1;
}
if (act) read_sigaction(act); if (act) read_sigaction(act);
int res; int res;
if (flags()->wrap_signals) { if (flags()->wrap_signals) {
SpinMutexLock lock(&sigactions_mu); SpinMutexLock lock(&sigactions_mu);
CHECK_LT(signo, kMaxSignals);
uptr old_cb = atomic_load(&sigactions[signo], memory_order_relaxed); uptr old_cb = atomic_load(&sigactions[signo], memory_order_relaxed);
__sanitizer_sigaction new_act; __sanitizer_sigaction new_act;
__sanitizer_sigaction *pnew_act = act ? &new_act : nullptr; __sanitizer_sigaction *pnew_act = act ? &new_act : nullptr;
if (act) { if (act) {
REAL(memcpy)(pnew_act, act, sizeof(__sanitizer_sigaction)); REAL(memcpy)(pnew_act, act, sizeof(__sanitizer_sigaction));
uptr cb = (uptr)pnew_act->sigaction; uptr cb = (uptr)pnew_act->sigaction;
uptr new_cb = (pnew_act->sa_flags & __sanitizer::sa_siginfo) uptr new_cb = (pnew_act->sa_flags & __sanitizer::sa_siginfo)
? (uptr)SignalAction ? (uptr)SignalAction
Show All 17 Linesstatic int sigaction_impl(int signo, const __sanitizer_sigaction *act,
if (res == 0 && oldact) { if (res == 0 && oldact) {
__msan_unpoison(oldact, sizeof(__sanitizer_sigaction)); __msan_unpoison(oldact, sizeof(__sanitizer_sigaction));
} }
return res; return res;
} }
static uptr signal_impl(int signo, uptr cb) { static uptr signal_impl(int signo, uptr cb) {
ENSURE_MSAN_INITED(); ENSURE_MSAN_INITED();
if (signo <= 0 || signo >= kMaxSignals) {
errno = errno_EINVAL;
return -1;
}
if (flags()->wrap_signals) { if (flags()->wrap_signals) {
CHECK_LT(signo, kMaxSignals);
SpinMutexLock lock(&sigactions_mu); SpinMutexLock lock(&sigactions_mu);
if (cb != __sanitizer::sig_ign && cb != __sanitizer::sig_dfl) { if (cb != __sanitizer::sig_ign && cb != __sanitizer::sig_dfl) {
atomic_store(&sigactions[signo], cb, memory_order_relaxed); atomic_store(&sigactions[signo], cb, memory_order_relaxed);
cb = (uptr)&SignalHandler; cb = (uptr)&SignalHandler;
} }
} }
return cb; return cb;
} }
▲ Show 20 LinesShow All 300 LinesShow Last 20 Lines

compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp

Show First 20 LinesShow All 2,416 Lines▼ Show 20 Lines
#include "sanitizer_common/sanitizer_signal_interceptors.inc" #include "sanitizer_common/sanitizer_signal_interceptors.inc"
int sigaction_impl(int sig, const __sanitizer_sigaction *act, int sigaction_impl(int sig, const __sanitizer_sigaction *act,
__sanitizer_sigaction *old) { __sanitizer_sigaction *old) {
// Note: if we call REAL(sigaction) directly for any reason without proxying // Note: if we call REAL(sigaction) directly for any reason without proxying
// the signal handler through rtl_sigaction, very bad things will happen. // the signal handler through rtl_sigaction, very bad things will happen.
// The handler will run synchronously and corrupt tsan per-thread state. // The handler will run synchronously and corrupt tsan per-thread state.
SCOPED_INTERCEPTOR_RAW(sigaction, sig, act, old); SCOPED_INTERCEPTOR_RAW(sigaction, sig, act, old);
if (sig <= 0 || sig >= kSigCount) {
errno = errno_EINVAL;
return -1;
}
__sanitizer_sigaction *sigactions = interceptor_ctx()->sigactions; __sanitizer_sigaction *sigactions = interceptor_ctx()->sigactions;
__sanitizer_sigaction old_stored; __sanitizer_sigaction old_stored;
if (old) internal_memcpy(&old_stored, &sigactions[sig], sizeof(old_stored)); if (old) internal_memcpy(&old_stored, &sigactions[sig], sizeof(old_stored));
__sanitizer_sigaction newact; __sanitizer_sigaction newact;
if (act) { if (act) {
// Copy act into sigactions[sig]. // Copy act into sigactions[sig].
// Can't use struct copy, because compiler can emit call to memcpy. // Can't use struct copy, because compiler can emit call to memcpy.
// Can't use internal_memcpy, because it copies byte-by-byte, // Can't use internal_memcpy, because it copies byte-by-byte,
▲ Show 20 LinesShow All 507 LinesShow Last 20 Lines

compiler-rt/test/sanitizer_common/TestCases/Posix/signal.cpp

  • This file was added.
// RUN: %clangxx -O0 -g %s -o %t && %run %t 2>&1 | FileCheck %s
#include <assert.h>
#include <climits>
#include <errno.h>
#include <stdio.h>
#include <signal.h>
#include <initializer_list>
constexpr int std_signals[] = {
SIGHUP,
SIGINT,
SIGQUIT,
SIGILL,
SIGTRAP,
SIGABRT,
SIGIOT,
SIGBUS,
SIGFPE,
SIGUSR1,
SIGSEGV,
SIGUSR2,
SIGPIPE,
SIGALRM,
SIGTERM,
SIGCHLD,
SIGCONT,
SIGTSTP,
SIGTTIN,
SIGTTOU,
SIGURG,
SIGXCPU,
SIGXFSZ,
SIGVTALRM,
SIGPROF,
SIGWINCH,
SIGIO,
SIGSYS,
};
constexpr int no_change_act_signals[] = {
SIGKILL,
SIGSTOP,
};
void signal_handler(int) {}
void signal_action_handler(int, siginfo_t*, void*) {}
void test_signal_custom() {
for (int signum : std_signals) {
sighandler_t ret = signal(signum, &signal_handler);
assert(ret != SIG_ERR);
}
for (int signum = SIGRTMIN; signum <= SIGRTMAX; ++signum) {
sighandler_t ret = signal(signum, &signal_handler);
assert(ret != SIG_ERR);
}
for (int signum : no_change_act_signals) {
sighandler_t ret = signal(signum, &signal_handler);
int err = errno;
assert(ret == SIG_ERR);
assert(err == EINVAL);
}
for (int signum : { 0, SIGRTMAX + 1, INT_MAX}) {
sighandler_t ret = signal(signum, &signal_handler);
int err = errno;
assert(ret == SIG_ERR);
assert(err == EINVAL);
}
}
void test_signal_ignore() {
for (int signum : std_signals) {
sighandler_t ret = signal(signum, SIG_IGN);
assert(ret != SIG_ERR);
}
for (int signum = SIGRTMIN; signum <= SIGRTMAX; ++signum) {
sighandler_t ret = signal(signum, SIG_IGN);
assert(ret != SIG_ERR);
}
for (int signum : no_change_act_signals) {
sighandler_t ret = signal(signum, SIG_IGN);
int err = errno;
assert(ret == SIG_ERR);
assert(err == EINVAL);
}
for (int signum : { 0, SIGRTMAX + 1, INT_MAX}) {
sighandler_t ret = signal(signum, SIG_IGN);
int err = errno;
assert(ret == SIG_ERR);
assert(err == EINVAL);
}
}
void test_signal_default() {
for (int signum : std_signals) {
sighandler_t ret = signal(signum, SIG_DFL);
assert(ret != SIG_ERR);
}
for (int signum = SIGRTMIN; signum <= SIGRTMAX; ++signum) {
sighandler_t ret = signal(signum, SIG_DFL);
assert(ret != SIG_ERR);
}
for (int signum : { 0, SIGRTMAX + 1, INT_MAX}) {
sighandler_t ret = signal(signum, SIG_DFL);
int err = errno;
assert(ret == SIG_ERR);
assert(err == EINVAL);
}
}
void test_sigaction_custom() {
struct sigaction act = {}, oldact;
act.sa_handler = &signal_handler;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
for (int signum : std_signals) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum = SIGRTMIN; signum <= SIGRTMAX; ++signum) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum : no_change_act_signals) {
int ret = sigaction(signum, &act, &oldact);
int err = errno;
assert(ret == -1);
assert(err == EINVAL);
}
for (int signum : { 0, SIGRTMAX + 1, INT_MAX}) {
int ret = sigaction(signum, &act, &oldact);
int err = errno;
assert(ret == -1);
assert(err == EINVAL);
}
act.sa_handler = nullptr;
act.sa_sigaction = &signal_action_handler;
act.sa_flags = SA_SIGINFO;
for (int signum : std_signals) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum = SIGRTMIN; signum <= SIGRTMAX; ++signum) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum : no_change_act_signals) {
int ret = sigaction(signum, &act, &oldact);
int err = errno;
assert(ret == -1);
assert(err == EINVAL);
}
for (int signum : { 0, SIGRTMAX + 1, INT_MAX}) {
int ret = sigaction(signum, &act, &oldact);
int err = errno;
assert(ret == -1);
assert(err == EINVAL);
}
}
void test_sigaction_ignore() {
struct sigaction act = {}, oldact;
act.sa_handler = SIG_IGN;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
for (int signum : std_signals) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum = SIGRTMIN; signum <= SIGRTMAX; ++signum) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum : no_change_act_signals) {
int ret = sigaction(signum, &act, &oldact);
int err = errno;
assert(ret == -1);
assert(err == EINVAL);
}
for (int signum : { 0, SIGRTMAX + 1, INT_MAX}) {
int ret = sigaction(signum, &act, &oldact);
int err = errno;
assert(ret == -1);
assert(err == EINVAL);
}
}
void test_sigaction_default() {
struct sigaction act = {}, oldact;
act.sa_handler = SIG_DFL;
sigemptyset(&act.sa_mask);
act.sa_flags = 0;
for (int signum : std_signals) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum = SIGRTMIN; signum <= SIGRTMAX; ++signum) {
int ret = sigaction(signum, &act, &oldact);
assert(ret == 0);
}
for (int signum : { 0, SIGRTMAX + 1, INT_MAX}) {
int ret = sigaction(signum, &act, &oldact);
int err = errno;
assert(ret == -1);
assert(err == EINVAL);
}
}
int main(void) {
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Thanks if it works or all platforms.
I expected something basic which just triggers both branches of "if (signo <= 0 || signo >= kMaxSignals)"

vitalybuka: Thanks if it works or all platforms. I expected something basic which just triggers both…
scwAuthorUnsubmitted
Done
ReplyInline Actions

Actually missed a change on relaxing checking the results of SIGCHLD. I'll try this and simplify it if build bots for different platforms complain.

scw: Actually missed a change on relaxing checking the results of SIGCHLD. I'll try this and…
printf("sigaction\n");
test_signal_custom();
test_signal_ignore();
test_signal_default();
test_sigaction_custom();
test_sigaction_ignore();
test_sigaction_default();
// CHECK: sigaction
return 0;
}