[sanitizer] Add cloak_sanitizer_signal_handlers runtime option

thurstond · thurstond · commit 5d7e930c9c52 · 2025-10-08T16:41:15.000Z
If set, signal/sigaction will pretend that the sanitizers did not
preinstall any signal handlers. If a user successfully installs a signal handler, it will not be cloaked.

The flag is currently off by default, which means this patch should not
affect the behavior of any sanitizers.

This can be useful in an ecosystem where:
1) there exists a library that will install a signal handler iff it does not detect a
preinstalled signal handler (a heuristic to prevent overriding user-installed exception handlers etc.)
2) the aforementioned library is linked in to some, but not all, apps
3) user-installed signal handlers have the highest priority, followed by
   the library-installed signal handler, and then the sanitizer's signal
    handler

This patch also adds an API function, __sanitizer_uncloak_preinstalled_signal_handlers(),
that can be used to effectively undo the runtime option. This makes it
possible to set the cloak_sanitizer_signal_handlers option broadly, and
selectively programmatically disable it for incompatible programs (e.g.,
allow_user_segv.cpp, which wants to manually call ASan's preinstalled handler).

The flag is in sanitizer_common, though it is currently only supported
in ASan, LSan and UBSan.
diff --git a/compiler-rt/include/sanitizer/common_interface_defs.h b/compiler-rt/include/sanitizer/common_interface_defs.h
@@ -485,6 +485,11 @@ void SANITIZER_CDECL __sanitizer_finish_switch_fiber(void *fake_stack_save,
 int SANITIZER_CDECL __sanitizer_get_module_and_offset_for_pc(
     void *pc, char *module_path, size_t module_path_len, void **pc_offset);
 
+// If cloak_sanitizer_signal_handlers() is set, signal/sigaction will pretend
+// that sanitizers did not preinstall any signal handlers. This function clears
+// the cloaking state.
+void SANITIZER_CDECL __sanitizer_uncloak_preinstalled_signal_handlers();
+
 #ifdef __cplusplus
 } // extern "C"
 #endif
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp
@@ -24,6 +24,8 @@ namespace __sanitizer {
 
 const char *SanitizerToolName = "SanitizerTool";
 
+bool signal_handler_is_from_sanitizer[MaxSignals] = {0};
+
 atomic_uint32_t current_verbosity;
 uptr PageSizeCached;
 u32 NumberOfCPUsCached;
@@ -416,6 +418,12 @@ int __sanitizer_install_malloc_and_free_hooks(void (*malloc_hook)(const void *,
   return InstallMallocFreeHooks(malloc_hook, free_hook);
 }
 
+SANITIZER_INTERFACE_ATTRIBUTE
+void __sanitizer_uncloak_preinstalled_signal_handlers() {
+  internal_memset(signal_handler_is_from_sanitizer, 0,
+                  sizeof(signal_handler_is_from_sanitizer));
+}
+
 // Provide default (no-op) implementation of malloc hooks.
 SANITIZER_INTERFACE_WEAK_DEF(void, __sanitizer_malloc_hook, void *ptr,
                              uptr size) {
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common.h b/compiler-rt/lib/sanitizer_common/sanitizer_common.h
@@ -52,6 +52,9 @@ const u64 kExternalPCBit = 1ULL << 60;
 
 extern const char *SanitizerToolName;  // Can be changed by the tool.
 
+const int MaxSignals = 64;
+extern bool signal_handler_is_from_sanitizer[MaxSignals];
+
 extern atomic_uint32_t current_verbosity;
 inline void SetVerbosity(int verbosity) {
   atomic_store(&current_verbosity, verbosity, memory_order_relaxed);
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common_interface.inc b/compiler-rt/lib/sanitizer_common/sanitizer_common_interface.inc
@@ -24,6 +24,7 @@ INTERFACE_WEAK_FUNCTION(__sanitizer_on_print)
 INTERFACE_WEAK_FUNCTION(__sanitizer_report_error_summary)
 INTERFACE_WEAK_FUNCTION(__sanitizer_sandbox_on_notify)
 INTERFACE_WEAK_FUNCTION(__sanitizer_get_dtls_size)
+INTERFACE_FUNCTION(__sanitizer_uncloak_preinstalled_signal_handlers)
 // Sanitizer weak hooks
 INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_memcmp)
 INTERFACE_WEAK_FUNCTION(__sanitizer_weak_hook_strcmp)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_flags.inc b/compiler-rt/lib/sanitizer_common/sanitizer_flags.inc
@@ -113,6 +113,11 @@ COMMON_FLAG(HandleSignalMode, handle_sigfpe, kHandleSignalYes,
 COMMON_FLAG(bool, allow_user_segv_handler, true,
             "Deprecated. True has no effect, use handle_sigbus=1. If false, "
             "handle_*=1 will be upgraded to handle_*=2.")
+COMMON_FLAG(bool, cloak_sanitizer_signal_handlers, false,
+            "If set, signal/sigaction will pretend that sanitizers did not "
+            "preinstall any signal handlers. If the user subsequently installs "
+            "a signal handler, this will disable cloaking for the respective "
+            "signal.")
 COMMON_FLAG(bool, use_sigaltstack, true,
             "If set, uses alternate stack for signal handling.")
 COMMON_FLAG(bool, detect_deadlocks, true,
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cpp
@@ -223,19 +223,19 @@ static void MaybeInstallSigaction(int signum,
   if (common_flags()->use_sigaltstack) sigact.sa_flags |= SA_ONSTACK;
   CHECK_EQ(0, internal_sigaction(signum, &sigact, nullptr));
   VReport(1, "Installed the sigaction for signal %d\n", signum);
+
+  if (common_flags()->cloak_sanitizer_signal_handlers)
+    signal_handler_is_from_sanitizer[signum] = true;
 }
 
 void InstallDeadlySignalHandlers(SignalHandlerType handler) {
   // Set the alternate signal stack for the main thread.
   // This will cause SetAlternateSignalStack to be called twice, but the stack
   // will be actually set only once.
   if (common_flags()->use_sigaltstack) SetAlternateSignalStack();
-  MaybeInstallSigaction(SIGSEGV, handler);
-  MaybeInstallSigaction(SIGBUS, handler);
-  MaybeInstallSigaction(SIGABRT, handler);
-  MaybeInstallSigaction(SIGFPE, handler);
-  MaybeInstallSigaction(SIGILL, handler);
-  MaybeInstallSigaction(SIGTRAP, handler);
+
+  int signals[] = {SIGSEGV, SIGBUS, SIGABRT, SIGFPE, SIGILL, SIGTRAP};
+  for (int signum : signals) MaybeInstallSigaction(signum, handler);
 }
 
 bool SignalContext::IsStackOverflow() const {
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc b/compiler-rt/lib/sanitizer_common/sanitizer_signal_interceptors.inc
@@ -24,8 +24,10 @@ using namespace __sanitizer;
 #endif
 
 #ifndef SIGNAL_INTERCEPTOR_SIGNAL_IMPL
-#define SIGNAL_INTERCEPTOR_SIGNAL_IMPL(func, signum, handler) \
-  { return REAL(func)(signum, handler); }
+#  define SIGNAL_INTERCEPTOR_SIGNAL_IMPL(func, signum, handler) \
+    {                                                           \
+      ret = REAL(func)(signum, handler);                        \
+    }
 #endif
 
 #ifndef SIGNAL_INTERCEPTOR_SIGACTION_IMPL
@@ -35,17 +37,21 @@ using namespace __sanitizer;
         Printf(                                                               \
             "Warning: REAL(sigaction_symname) == nullptr. This may happen "   \
             "if you link with ubsan statically. Sigaction will not work.\n"); \
-        return -1;                                                            \
+        ret = -1;                                                             \
+      } else {                                                                \
+        ret = REAL(sigaction_symname)(signum, act, oldact);                   \
       }                                                                       \
-      return REAL(sigaction_symname)(signum, act, oldact);                    \
     }
 #endif
 
 #if SANITIZER_INTERCEPT_BSD_SIGNAL
 INTERCEPTOR(uptr, bsd_signal, int signum, uptr handler) {
   SIGNAL_INTERCEPTOR_ENTER();
   if (GetHandleSignalMode(signum) == kHandleSignalExclusive) return 0;
+
+  int ret;
   SIGNAL_INTERCEPTOR_SIGNAL_IMPL(bsd_signal, signum, handler);
+  return ret;
 }
 #define INIT_BSD_SIGNAL COMMON_INTERCEPT_FUNCTION(bsd_signal)
 #else  // SANITIZER_INTERCEPT_BSD_SIGNAL
@@ -56,19 +62,50 @@ INTERCEPTOR(uptr, bsd_signal, int signum, uptr handler) {
 INTERCEPTOR(uptr, signal, int signum, uptr handler) {
   SIGNAL_INTERCEPTOR_ENTER();
   if (GetHandleSignalMode(signum) == kHandleSignalExclusive)
+    // A side-effect is that a user can never uncloak the sanitizer's
+    // preinstalled signal handler.
     return (uptr) nullptr;
+  uptr ret;
   SIGNAL_INTERCEPTOR_SIGNAL_IMPL(signal, signum, handler);
+
+  if (signum >= 0 && signum < MaxSignals &&
+      signal_handler_is_from_sanitizer[signum] && ret != sig_err) {
+    // If the user sets a signal handler, it is never cloaked, even if they
+    // reuse a sanitizer's signal handler.
+    signal_handler_is_from_sanitizer[signum] = false;
+
+    ret = sig_dfl;
+  }
+
+  return ret;
 }
 #define INIT_SIGNAL COMMON_INTERCEPT_FUNCTION(signal)
 
 INTERCEPTOR(int, sigaction_symname, int signum,
             const __sanitizer_sigaction *act, __sanitizer_sigaction *oldact) {
   SIGNAL_INTERCEPTOR_ENTER();
+
   if (GetHandleSignalMode(signum) == kHandleSignalExclusive) {
     if (!oldact) return 0;
     act = nullptr;
+    // A side-effect is that a user can never uncloak the sanitizer's
+    // preinstalled signal handler.
   }
+  int ret;
   SIGNAL_INTERCEPTOR_SIGACTION_IMPL(signum, act, oldact);
+
+  if (signum >= 0 && signum < MaxSignals &&
+      signal_handler_is_from_sanitizer[signum] && ret == 0) {
+    if (act)
+      // If the user sets a signal handler, it is never cloaked, even if they
+      // reuse a sanitizer's signal handler.
+      signal_handler_is_from_sanitizer[signum] = false;
+
+    if (oldact)
+      oldact->handler = reinterpret_cast<__sanitizer_sighandler_ptr>(sig_dfl);
+  }
+
+  return ret;
 }
 #define INIT_SIGACTION COMMON_INTERCEPT_FUNCTION(sigaction_symname)
 
diff --git a/compiler-rt/test/sanitizer_common/TestCases/Linux/allow_user_segv.cpp b/compiler-rt/test/sanitizer_common/TestCases/Linux/allow_user_segv.cpp
@@ -23,6 +23,7 @@
 // Flaky errors in debuggerd with "waitpid returned unexpected pid (0)" in logcat.
 // UNSUPPORTED: android && i386-target-arch
 
+#include <sanitizer/common_interface_defs.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -68,6 +69,10 @@ bool InstallHandler(int signum, struct sigaction *original_sigaction) {
 }
 
 int main() {
+  // This test case is unusual because it retrieves the original
+  // (ASan-installed) signal handler; thus, we don't want ASan to cloak them.
+  __sanitizer_uncloak_preinstalled_signal_handlers();
+
   // Let's install handlers for both SIGSEGV and SIGBUS, since pre-Yosemite
   // 32-bit Darwin triggers SIGBUS instead.
   if (InstallHandler(SIGSEGV, &original_sigaction_sigsegv) &&
diff --git a/compiler-rt/test/sanitizer_common/TestCases/Linux/cloak_sigaction.cpp b/compiler-rt/test/sanitizer_common/TestCases/Linux/cloak_sigaction.cpp
@@ -0,0 +1,49 @@
+// XFAIL: msan
+// XFAIL: tsan
+
+// UNSUPPORTED: android
+// UNSUPPORTED: hwasan
+
+// RUN: %clangxx -O0 %s -o %t
+
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=false not %run %t 2>&1 | FileCheck %s --check-prefix=UNCLOAKED
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=true not %run %t 2>&1 | FileCheck %s --check-prefix=CLOAKED
+
+// RUN: %clangxx -O0 %s -DUNCLOAK_RT -o %t
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=false not %run %t 2>&1 | FileCheck %s --check-prefix=UNCLOAKED
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=true not %run %t 2>&1 | FileCheck %s --check-prefix=UNCLOAKED
+
+#include <sanitizer/common_interface_defs.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+void handler(int signum, siginfo_t *info, void *context) {
+  printf("Custom signal handler\n");
+  exit(1);
+}
+
+int main(int argc, char *argv[]) {
+#ifdef UNCLOAK_RT
+  __sanitizer_uncloak_preinstalled_signal_handlers();
+#endif
+
+  struct sigaction sa = {0};
+  struct sigaction old = {0};
+  sa.sa_flags = SA_SIGINFO;
+  sa.sa_sigaction = &handler;
+  sigaction(SIGSEGV, &sa, &old);
+
+  if (reinterpret_cast<void *>(old.sa_sigaction) == SIG_DFL)
+    printf("Old handler: default\n");
+  // CLOAKED: Old handler: default
+  else
+    printf("Old handler: non-default\n");
+  // UNCLOAKED: Old handler: non-default
+
+  char *c = (char *)0x123;
+  printf("%d\n", *c);
+  // UNCLOAKED,CLOAKED:Custom signal handler
+
+  return 0;
+}
diff --git a/compiler-rt/test/sanitizer_common/TestCases/Linux/cloak_signal.cpp b/compiler-rt/test/sanitizer_common/TestCases/Linux/cloak_signal.cpp
@@ -0,0 +1,44 @@
+// XFAIL: msan
+// XFAIL: tsan
+
+// UNSUPPORTED: android
+// UNSUPPORTED: hwasan
+
+// RUN: %clangxx -O0 %s -o %t
+
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=false not %run %t 2>&1 | FileCheck %s --check-prefix=UNCLOAKED
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=true not %run %t 2>&1 | FileCheck %s --check-prefix=CLOAKED
+
+// RUN: %clangxx -O0 %s -DUNCLOAK_RT -o %t
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=false not %run %t 2>&1 | FileCheck %s --check-prefix=UNCLOAKED
+// RUN: %env_tool_opts=handle_segv=1:cloak_sanitizer_signal_handlers=true not %run %t 2>&1 | FileCheck %s --check-prefix=UNCLOAKED
+
+#include <sanitizer/common_interface_defs.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+void my_signal_sighandler(int signum) {
+  printf("Custom signal handler\n");
+  exit(1);
+}
+
+int main(int argc, char *argv[]) {
+#ifdef UNCLOAK_RT
+  __sanitizer_uncloak_preinstalled_signal_handlers();
+#endif
+
+  __sighandler_t old = signal(SIGSEGV, &my_signal_sighandler);
+  if (old == SIG_DFL)
+    printf("Old handler: default\n");
+  // CLOAKED: Old handler: default
+  else
+    printf("Old handler: non-default\n");
+  // UNCLOAKED: Old handler: non-default
+
+  char *c = (char *)0x123;
+  printf("%d\n", *c);
+  // UNCLOAKED,CLOAKED:Custom signal handler
+
+  return 0;
+}
