LibAFL icon indicating copy to clipboard operation
LibAFL copied to clipboard

Published 20 hours ago verified publisher icon AFLplusplus

overflowed sigaltstack

Open maxammann opened this issue 3 years ago • 9 comments

Describe the bug I observed in the kernel log:

[66134.526836] signal: tlspuffin[34092] overflowed sigaltstack
[66134.526838] signal: tlspuffin[34092] overflowed sigaltstack

I'm quite sure this is not related to the programm which I'm fuzzing because its not using signal handlers. I have not been able to reproduce this sofar. Not sure if its serious or just "informational".

To Reproduce Unclear.

Expected behavior No such messages.

Screen output/Screenshots

Additional context

maxammann avatar Jun 27 '22 08:06 maxammann

Do you have timeouts/crashes that get handled by restarting the target? These would be handled by signal handlers in the InProcessExecutor. As the state gets dumped to shared map or disk on crash, there is potentially some stack usage here. Maybe try increasing this value and see if the issue goes away?: https://github.com/AFLplusplus/LibAFL/blob/2e746bf439629e4fe8fa47cf9f39acd1395c828f/libafl/src/bolts/os/unix_signals.rs#L402

domenukk avatar Jun 29 '22 14:06 domenukk

Not really, there were no events which could have caused that.

Im also unsure whether this is a problem or not. The warning/message has been added recently to kernels (2021).

I'll just close this as its non-reproducible. Weird though.

maxammann avatar Jun 30 '22 22:06 maxammann

Ill reopen if i discover it again.

maxammann avatar Jun 30 '22 22:06 maxammann

I've seen this dmesg when I was trying libxml2 harness.

tokatoka avatar Jul 18 '22 21:07 tokatoka

Hm reopen? That the kernel can log these messages is quite new. So I haven't found a hint whether this is informational or actually bad.

maxammann avatar Jul 19 '22 07:07 maxammann

I assume, increasing the SIGNAL_STACK_SIZE should help

domenukk avatar Jul 19 '22 09:07 domenukk

The current signal stack size is 8mb: https://github.com/AFLplusplus/LibAFL/blob/2e746bf439629e4fe8fa47cf9f39acd1395c828f/libafl/src/bolts/os/unix_signals.rs#L354 If it uses the stack to store the complete state, this would of course not be enough after running for a longer time?

I found this in a linux list:

The kernel pushes context on to the userspace stack to prepare for the user's signal handler. When the user has supplied an alternate signal stack, via sigaltstack(2), it is easy for the kernel to verify that the stack size is sufficient for the current hardware context.

Check if writing the hardware context to the alternate stack will exceed it's size. If yes, then instead of corrupting user-data and proceeding with the original signal handler, an immediate SIGSEGV signal is delivered.

domenukk avatar Aug 10 '22 21:08 domenukk

In that case we should probably heap allocate the state. Can you think of an example which allows reproduction? Maybe we can will the state artificially.

maxammann avatar Aug 11 '22 07:08 maxammann

I could trigger it once with libxml2 but not anymore..sorry. and I lost that fuzzer setup

tokatoka avatar Aug 12 '22 20:08 tokatoka

Please reopen if the issue reoccurs. Closing for now since we have no leads

domenukk avatar Jan 26 '23 00:01 domenukk