New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regression: KLEE may miss use-after-free in call to libc function (detected correctly in 1.4) #1434
Comments
I can't reproduce it neither on my machine nor on Docker's klee/klee:latest. Could you please attach the |
Hmm, we tested it in klee/klee:latest as well as building the dockerfile for the head commit. Here's the The compile command for the test case was:
|
I couldn't observe it as I have an alias that uses the recommended compilation flags: |
I also tried this quickly with KLEE and it finds the bug, even w/o |
@ccadar Yes, same KLEE version as above¹ against LLVM 11.1.0. ¹ also ran some slightly older versions - same result |
Yep, can confirm that with -O1 KLEE detects the UAF correctly:
Edit: Although presumably -O1 is just hiding some underlying KLEE bug? Is there a fundamental reason why this can't be detected in unoptimized code? |
My quick guess after dumping the addresses:
The memory is freed but an |
@moyix Yes, this is a more fundamental issue, which is incidentally triggered here by the optimization level. Note that KLEE was not designed to reliably catch UAF bugs in its default configuration. If you want to reliably catch them, you should use |
@251 looks like our messages crossed, or at least I only noticed yours after submitting mine. |
Got it :) I guess another workaround might be to use some kind of dangling pointer sanitizer in conjunction with KLEE? (I don't know exactly how those would interact with KLEE though.) |
Indeed, one would have to be careful with the integration, as UAF detection techniques are likely to directly interfere with KLEE's memory model. |
Hi, Following the above comments, may I add one more case that makes KLEE miss the UAF detection? The problem is why KLEE treats differently on
I guess the only difference between them comes from the different definitions of
Please kindly note that when adding the option So, I am so confused about why KLEE can not detect the UAF in Thanks for your help! |
IIRC KLEE does not check the arguments to external calls ( Edit: check the last section in https://github.com/klee/klee-uclibc/ |
In the following program (reduced from Juliet test case CWE416_Use_After_Free/CWE416_Use_After_Free__return_freed_ptr_01.c) KLEE misses a use-after-free (UAF) when a pointer is passed to a library function like
puts
:Test case reduction notes:
s[0] = t[0]
, then KLEE will catch the bug.printf("%s\n", s)
instead ofputs(s)
will also cause KLEE to miss the bug, even if uclibc was built with-DKLEE_SYM_PRINTF
We went back to check KLEE 1.4, and it successfully detects the UAF.
Output from the most recent version of KLEE:
The version of KLEE that catches the UAF:
The text was updated successfully, but these errors were encountered: