atoi() is not solved #7

vanhauser-thc · 2021-04-06T06:57:42Z

Example:

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>
#include <stdlib.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <ctype.h>

#define bail(msg, pos)                                         \
  while (1) {                                                  \
                                                               \
    fprintf(stderr, "%s at %u\n", (char *)msg, (uint32_t)pos); \
    return 0;                                                  \
                                                               \
  }

int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {

  uint8_t   buff[100];

  if (len < 8) bail("too short", 0);
  if (len > sizeof(buff)) bail("too long", sizeof(buff));

  memcpy(buff, buf, len);
  buff[sizeof(buff) - 1] = 0;

  // string to int
  if (atoi((char *)buff) != 66766) bail("wrong string", 0);

  abort();

  return 0;

}

int main(int argc, char **argv) {

  unsigned char buf[64];
  ssize_t       len;
  int           fd = 0;
  if (argc > 1) fd = open(argv[1], O_RDONLY);

  if ((len = read(fd, buf, sizeof(buf))) <= 0) exit(0);

  LLVMFuzzerTestOneInput(buf, len);
  exit(0);

}

# gcc -o test -g test.c
# echo AAAAAAAAAAAAAAAAAAAAA|symqemu-x86_64 ./test
[STAT] SMT: { "solving_time": 0, "total_time": 65148 }
[STAT] SMT: { "solving_time": 4651 }
[INFO] New testcase: /tmp/output/000000
[...]
[INFO] New testcase: /tmp/output/000028-optimistic
[STAT] SMT: { "solving_time": 120114, "total_time": 560178 }
[STAT] SMT: { "solving_time": 121562 }
[STAT] SMT: { "solving_time": 121562, "total_time": 562343 }
[STAT] SMT: { "solving_time": 255014 }

but none of the 29 generated inputs contain the correct value:

# for i in /tmp/output/*; do hexdump -C $i;done|grep 00000000
00000000  be 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |.AAAAAAAAAAAAAAA|
00000000  00 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |.AAAAAAAAAAAAAAA|
00000000  2d 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |-AAAAAAAAAAAAAAA|
00000000  2b 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |+AAAAAAAAAAAAAAA|
00000000  30 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |0AAAAAAAAAAAAAAA|
00000000  00 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |.AAAAAAAAAAAAAAA|
00000000  30 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |0AAAAAAAAAAAAAAA|
00000000  be 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |.AAAAAAAAAAAAAAA|
00000000  be 41 41 41 41 41 41 41  41 41 41 41 41 41 41 41  |.AAAAAAAAAAAAAAA|
00000000  41 41 41 41 41 41 41 41  80 4e 80 00 40 00 00 00  |AAAAAAAA.N..@...|
00000000  41 41 41 41 41 41 41 41  76 4e 80 00 40 00 00 00  |AAAAAAAAvN..@...|
00000000  41 41 41 41 41 41 41 41  2e 20 00 00 40 00 00 00  |AAAAAAAA. ..@...|
00000000  41 41 41 41 41 41 41 41  01 c8 a4 9d 18 00 00 00  |AAAAAAAA........|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  74 4e 80 00 40 00 00 00  |AAAAAAAAtN..@...|
00000000  41 41 41 41 41 41 41 41  74 4e 80 00 40 00 00 00  |AAAAAAAAtN..@...|
00000000  41 41 41 41 41 41 41 41  f9 1f 00 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  7f 2e 80 00 40 00 00 00  |AAAAAAAA....@...|
00000000  41 41 41 41 41 41 41 41  6f 4e 80 00 40 00 00 00  |AAAAAAAAoN..@...|
00000000  00 00 00 00 41 41 41 41  ee ff ff ff 41 41 41 41  |....AAAA....AAAA|
00000000  00 00 00 00 41 41 41 41  ee ff ff ff 41 41 41 41  |....AAAA....AAAA|
00000000  41 00 00 00 41 41 41 41  80 2e 80 00 40 00 00 00  |A...AAAA....@...|
00000000  00 00 00 00 41 41 41 41  ee ff ff ff 41 41 41 41  |....AAAA....AAAA|

why is this the case?

The text was updated successfully, but these errors were encountered:

sebastianpoeplau · 2021-06-13T14:33:57Z

Probably atoi decodes in a loop; concolic execution then can't reason about the loop as a whole (i.e., as an abstract construct with many possible paths through it), but instead sees only the check of the loop condition in each iteration. It will generate a deviating input, but after that the outcome of the check becomes part of the path constraints and isn't reasoned about any further.

…ng ARM_FEATURE_PMU It doesn't make sense to read the value of MDCR_EL2 on a non-A-profile CPU, and in fact if you try to do it we will assert: eurecom-s3#6 0x00007ffff4b95e96 in __GI___assert_fail (assertion=0x5555565a8c70 "!arm_feature(env, ARM_FEATURE_M)", file=0x5555565a6e5c "../../target/arm/helper.c", line=12600, function=0x5555565a9560 <__PRETTY_FUNCTION__.0> "arm_security_space_below_el3") at ./assert/assert.c:101 eurecom-s3#7 0x0000555555ebf412 in arm_security_space_below_el3 (env=0x555557bc8190) at ../../target/arm/helper.c:12600 eurecom-s3#8 0x0000555555ea6f89 in arm_is_el2_enabled (env=0x555557bc8190) at ../../target/arm/cpu.h:2595 eurecom-s3#9 0x0000555555ea942f in arm_mdcr_el2_eff (env=0x555557bc8190) at ../../target/arm/internals.h:1512 We might call pmu_counter_enabled() on an M-profile CPU (for example from the migration pre/post hooks in machine.c); this should always return false because these CPUs don't set ARM_FEATURE_PMU. Avoid the assertion by not calling arm_mdcr_el2_eff() before we have done the early return for "PMU not present". This fixes an assertion failure if you try to do a loadvm or savevm for an M-profile board. Cc: [email protected] Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2155 Signed-off-by: Peter Maydell <[email protected]> Reviewed-by: Philippe Mathieu-Daudé <[email protected]> Reviewed-by: Richard Henderson <[email protected]> Message-id: [email protected] (cherry picked from commit ac1d88e) Signed-off-by: Michael Tokarev <[email protected]>

…coroutine()' failed. bdrv_activate_all() should not be called from the coroutine context, move it to the QEMU thread colo_process_incoming_thread() with the bql_lock protected. The backtrace is as follows: eurecom-s3#4 0x0000561af7948362 in bdrv_graph_rdlock_main_loop () at ../block/graph-lock.c:260 eurecom-s3#5 0x0000561af7907a68 in graph_lockable_auto_lock_mainloop (x=0x7fd29810be7b) at /patch/to/qemu/include/block/graph-lock.h:259 eurecom-s3#6 0x0000561af79167d1 in bdrv_activate_all (errp=0x7fd29810bed0) at ../block.c:6906 eurecom-s3#7 0x0000561af762b4af in colo_incoming_co () at ../migration/colo.c:935 eurecom-s3#8 0x0000561af7607e57 in process_incoming_migration_co (opaque=0x0) at ../migration/migration.c:793 eurecom-s3#9 0x0000561af7adbeeb in coroutine_trampoline (i0=-106876144, i1=22042) at ../util/coroutine-ucontext.c:175 eurecom-s3#10 0x00007fd2a5cf21c0 in () at /lib64/libc.so.6 Cc: [email protected] Cc: Fabiano Rosas <[email protected]> Closes: https://gitlab.com/qemu-project/qemu/-/issues/2277 Fixes: 2b3912f ("block: Mark bdrv_first_blk() and bdrv_is_root_node() GRAPH_RDLOCK") Signed-off-by: Li Zhijian <[email protected]> Reviewed-by: Zhang Chen <[email protected]> Tested-by: Zhang Chen <[email protected]> Reviewed-by: Fabiano Rosas <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Peter Xu <[email protected]> (cherry picked from commit 2cc637f) Signed-off-by: Michael Tokarev <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

atoi() is not solved #7

atoi() is not solved #7

vanhauser-thc commented Apr 6, 2021

sebastianpoeplau commented Jun 13, 2021

atoi() is not solved #7

atoi() is not solved #7

Comments

vanhauser-thc commented Apr 6, 2021

sebastianpoeplau commented Jun 13, 2021