Skip to content

CBMC seems to not detect buffer overflows from read funcs. #1771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
johnfxgalea opened this issue Jan 28, 2018 · 1 comment
Closed

CBMC seems to not detect buffer overflows from read funcs. #1771

johnfxgalea opened this issue Jan 28, 2018 · 1 comment
Labels
pending merge

Comments

@johnfxgalea
Copy link
Contributor

johnfxgalea commented Jan 28, 2018
edited
Loading

Commit ID: 8360233

CBMC does not detect buffer overflows stemming from read functions. I have provided a simple test case highlighting this issue.

#include <unistd.h>

int main()
{
    char data[20];

    if(read(0, data, 100) < 0)
        printf("An error has occurred");
    else
        printf("Read occurred");

    return 0;
}

Command: cbmc test.c --bounds-check --pointer-check --unwind 100

After inspecting the source file cbmc/src/ansi-c/library/unistd.c, there seems to be dead code at line 216 which aids overcoming the issue. This code is shown below.

#if 0
    size_t i;
    for(i=0; i<nbyte; i++)
    {
      char nondet_char;
      ((char *)buf)[i]=nondet_char;
    }
#else
    char nondet_bytes[nbyte];
    __CPROVER_array_replace((char*)buf, nondet_bytes);
#endif


    __CPROVER_bool error=__VERIFIER_nondet___CPROVER_bool();
    return error ? -1 : nread;
  }

If I set the value in the if statement to 1 and compile, CBMC detects the vulnerability.

Command: cbmc test.c --bounds-check --pointer-check --unwind 100

Not sure if I am missing something here which would otherwise solve the issue.
@tautschnig
Copy link
Collaborator

It seems I forgot about read (and possibly others?) in bb8cfaa. A similar fix is required.

@tautschnig tautschnig mentioned this issue Jan 29, 2018
Merged
tautschnig added a commit to tautschnig/cbmc that referenced this issue Feb 10, 2018
@tautschnig
Bounds checks in fgets, read
bc0ebd3 
Follow-up to bb8cfaa. Also fixes all types of read, _read, write, _write to
match those specified by Visual Studio's documentation.

Fixes: diffblue#1771
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending merge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tautschnig @johnfxgalea