Google Git
Sign in
llvm / libfuzzer / 5dff0eea00bade7d1326942df7b9e1e05505a3fd
commit5dff0eea00bade7d1326942df7b9e1e05505a3fd[log] [tgz]
authorSebastian Poeplau <poeplau@code-intelligence.com>Fri May 07 08:00:33 2021 -0700
committerCopybara-Service <copybara-worker@google.com>Sun May 09 19:11:13 2021 -0700
tree30675f9c3872133a1148fff88c01284becbb9318
parentf7bd9700c034d80c43a040318c84d1d7682be5ac [diff]
[libFuzzer] Fix stack overflow detection

Address sanitizer can detect stack exhaustion via its SEGV handler, which is
executed on a separate stack using the sigaltstack mechanism. When libFuzzer is
used with address sanitizer, it installs its own signal handlers which defer to
those put in place by the sanitizer before performing additional actions. In the
particular case of a stack overflow, the current setup fails because libFuzzer
doesn't preserve the flag for executing the signal handler on a separate stack:
when we run out of stack space, the operating system can't run the SEGV handler,
so address sanitizer never reports the issue. See the included test for an
example.

This commit fixes the issue by making libFuzzer preserve the SA_ONSTACK flag
when installing its signal handlers; the dedicated signal-handler stack set up
by the sanitizer runtime appears to be large enough to support the additional
frames from the fuzzer.

Reviewed By: morehouse

Differential Revision: https://reviews.llvm.org/D101824

GitOrigin-RevId: 70cbc6dbef7048d3b1aa89a676d96c6ba075b41b
1 file changed
tree: 30675f9c3872133a1148fff88c01284becbb9318
  1. afl/
  2. dataflow/
  3. scripts/
  4. standalone/
  5. tests/
  6. build.sh
  7. FuzzedDataProvider.h
  8. FuzzerBuiltins.h
  9. FuzzerBuiltinsMsvc.h
  10. FuzzerCommand.h
  11. FuzzerCorpus.h
  12. FuzzerCrossOver.cpp
  13. FuzzerDataFlowTrace.cpp
  14. FuzzerDataFlowTrace.h
  15. FuzzerDefs.h
  16. FuzzerDictionary.h
  17. FuzzerDriver.cpp
  18. FuzzerExtFunctions.def
  19. FuzzerExtFunctions.h
  20. FuzzerExtFunctionsDlsym.cpp
  21. FuzzerExtFunctionsWeak.cpp
  22. FuzzerExtFunctionsWindows.cpp
  23. FuzzerExtraCounters.cpp
  24. FuzzerFlags.def
  25. FuzzerFork.cpp
  26. FuzzerFork.h
  27. FuzzerInterceptors.cpp
  28. FuzzerInterface.h
  29. FuzzerInternal.h
  30. FuzzerIO.cpp
  31. FuzzerIO.h
  32. FuzzerIOPosix.cpp
  33. FuzzerIOWindows.cpp
  34. FuzzerLoop.cpp
  35. FuzzerMain.cpp
  36. FuzzerMerge.cpp
  37. FuzzerMerge.h
  38. FuzzerMutate.cpp
  39. FuzzerMutate.h
  40. FuzzerOptions.h
  41. FuzzerPlatform.h
  42. FuzzerRandom.h
  43. FuzzerSHA1.cpp
  44. FuzzerSHA1.h
  45. FuzzerTracePC.cpp
  46. FuzzerTracePC.h
  47. FuzzerUtil.cpp
  48. FuzzerUtil.h
  49. FuzzerUtilDarwin.cpp
  50. FuzzerUtilFuchsia.cpp
  51. FuzzerUtilLinux.cpp
  52. FuzzerUtilPosix.cpp
  53. FuzzerUtilWindows.cpp
  54. FuzzerValueBitMap.h
  55. LICENSE.TXT
  56. README.txt