This is an archive of the discontinued LLVM Phabricator instance.

msan: check that ucontext_t is initialized on signal return
ClosedPublic

Authored by dvyukov on Dec 23 2021, 12:15 AM.

Download Raw Diff

Details

Reviewers

vitalybuka
eugenis

Commits

rG395f737c338c: msan: check that ucontext_t is initialized on signal return

Summary

A signal handler can alter ucontext_t to affect execution after
the signal returns. Check that the contents are initialized.
Restoring unitialized values in registers can't be good.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

dvyukov requested review of this revision.Dec 23 2021, 12:15 AM

dvyukov created this revision.

Herald added a project: Restricted Project. · View Herald TranscriptDec 23 2021, 12:15 AM

Herald added a subscriber: Restricted Project. · View Herald Transcript

Harbormaster completed remote builds in B140483: Diff 395990.Dec 23 2021, 12:21 AM

Do you expect some cleanup for this?

compiler-rt/lib/msan/msan_interceptors.cpp
999	what if signal handler is not instrumented?
compiler-rt/test/msan/Linux/signal_mcontext2.cpp
2	do we need -fsanitize-memory-track-origins=2 ? if not the rest of the test is not msan specific and can be moved under sanitizer_common?

vitalybuka added inline comments.Dec 23 2021, 12:10 PM

compiler-rt/lib/msan/msan_interceptors.cpp
999	Ah, uc then should stay OK after __msan_unpoison

vitalybuka added inline comments.Dec 23 2021, 12:12 PM

compiler-rt/lib/msan/msan_interceptors.cpp
999	I guess we will have a problem if uninstructed handler use memcpy interceptors

dvyukov added inline comments.Dec 31 2021, 1:01 AM

compiler-rt/lib/msan/msan_interceptors.cpp
999	Are there any known precedents for uninstrumented handlers that call instrumented functions? Otherwise it does not look different from not instrumenting random parts of the code with msan and getting false positives. Yes, that leads to false positives for any code. If the code will call memcpy+memcmp if will get false positives even w/o this change.
compiler-rt/test/msan/Linux/signal_mcontext2.cpp
2	It will fail only under msan, so the "not %run" part is msan-specific.

rebased

Harbormaster completed remote builds in B141092: Diff 396766.Dec 31 2021, 1:07 AM

vitalybuka accepted this revision.Jan 5 2022, 12:23 AM

This revision is now accepted and ready to land.Jan 5 2022, 12:23 AM

This revision was landed with ongoing or failed builds.Jan 5 2022, 4:20 AM

Closed by commit rG395f737c338c: msan: check that ucontext_t is initialized on signal return (authored by dvyukov). · Explain Why

This revision was automatically updated to reflect the committed changes.

dvyukov added a commit: rG395f737c338c: msan: check that ucontext_t is initialized on signal return.

Revision Contents

Path

Size

compiler-rt/

lib/

msan/

msan_interceptors.cpp

1 line

test/

msan/

Linux/

signal_mcontext2.cpp

27 lines

Diff 397521

compiler-rt/lib/msan/msan_interceptors.cpp

Show First 20 Lines • Show All 990 Lines • ▼ Show 20 Lines	static void SignalAction(int signo, void si, void uc) {
UnpoisonParam(3);		UnpoisonParam(3);
__msan_unpoison(si, sizeof(__sanitizer_sigaction));		__msan_unpoison(si, sizeof(__sanitizer_sigaction));
__msan_unpoison(uc, ucontext_t_sz(uc));		__msan_unpoison(uc, ucontext_t_sz(uc));

typedef void (sigaction_cb)(int, void , void *);		typedef void (sigaction_cb)(int, void , void *);
sigaction_cb cb =		sigaction_cb cb =
(sigaction_cb)atomic_load(&sigactions[signo], memory_order_relaxed);		(sigaction_cb)atomic_load(&sigactions[signo], memory_order_relaxed);
cb(signo, si, uc);		cb(signo, si, uc);
		CHECK_UNPOISONED(uc, ucontext_t_sz(uc));
		vitalybukaUnsubmitted Not Done Reply Inline Actions what if signal handler is not instrumented? vitalybuka: what if signal handler is not instrumented?
		vitalybukaUnsubmitted Not Done Reply Inline Actions Ah, uc then should stay OK after __msan_unpoison vitalybuka: Ah, uc then should stay OK after __msan_unpoison
		vitalybukaUnsubmitted Not Done Reply Inline Actions I guess we will have a problem if uninstructed handler use memcpy interceptors vitalybuka: I guess we will have a problem if uninstructed handler use memcpy interceptors
		dvyukovAuthorUnsubmitted Done Reply Inline Actions Are there any known precedents for uninstrumented handlers that call instrumented functions? Otherwise it does not look different from not instrumenting random parts of the code with msan and getting false positives. Yes, that leads to false positives for any code. If the code will call memcpy+memcmp if will get false positives even w/o this change. dvyukov: Are there any known precedents for uninstrumented handlers that call instrumented functions?
}		}

static void read_sigaction(const __sanitizer_sigaction *act) {		static void read_sigaction(const __sanitizer_sigaction *act) {
CHECK_UNPOISONED(&act->sa_flags, sizeof(act->sa_flags));		CHECK_UNPOISONED(&act->sa_flags, sizeof(act->sa_flags));
if (act->sa_flags & __sanitizer::sa_siginfo)		if (act->sa_flags & __sanitizer::sa_siginfo)
CHECK_UNPOISONED(&act->sigaction, sizeof(act->sigaction));		CHECK_UNPOISONED(&act->sigaction, sizeof(act->sigaction));
else		else
CHECK_UNPOISONED(&act->handler, sizeof(act->handler));		CHECK_UNPOISONED(&act->handler, sizeof(act->handler));
▲ Show 20 Lines • Show All 722 Lines • Show Last 20 Lines

compiler-rt/test/msan/Linux/signal_mcontext2.cpp

This file was added.

				// RUN: %clangxx_msan -fsanitize-memory-track-origins=2 -O1 %s -o %t && not %run %t 2>&1 \| FileCheck %s

				vitalybukaUnsubmitted Not Done Reply Inline Actions do we need -fsanitize-memory-track-origins=2 ? if not the rest of the test is not msan specific and can be moved under sanitizer_common? vitalybuka: do we need -fsanitize-memory-track-origins=2 ? if not the rest of the test is not msan specific…
				dvyukovAuthorUnsubmitted Done Reply Inline Actions It will fail only under msan, so the "not %run" part is msan-specific. dvyukov: It will fail only under msan, so the "not %run" part is msan-specific.
				#include <pthread.h>
				#include <signal.h>
				#include <ucontext.h>

				void handler(int sig, siginfo_t info, void uctx) {
				volatile int uninit;
				auto mctx = &static_cast<ucontext_t >(uctx)->uc_mcontext;
				auto *fpregs = mctx->fpregs;
				if (fpregs && fpregs->__glibc_reserved1[12] == FP_XSTATE_MAGIC1)
				reinterpret_cast<_xstate *>(mctx->fpregs)->ymmh.ymmh_space[0] = uninit;
				else
				mctx->gregs[REG_RAX] = uninit;
				}

				int main(int argc, char **argv) {
				struct sigaction act = {};
				act.sa_sigaction = handler;
				act.sa_flags = SA_SIGINFO;
				sigfillset(&act.sa_mask);
				sigaction(SIGPROF, &act, 0);
				pthread_kill(pthread_self(), SIGPROF);
				return 0;
				}

				// CHECK: WARNING: MemorySanitizer: