False positive of indirect call in openssl #1587

Open
Br1m4zz opened this issue Nov 4, 2024 · 3 comments
Comments


Br1m4zz commented Nov 4, 2024

Target: OPENSSL
False positive site: function ptr e->destroy should not point to ossl_statem_accept
BC available for further analysis.

Here's my propagation result:

.....

>>>>>>>>>>>>>  print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ 0th arg engine_free_util "ln": 72, "file": "crypto/engine/eng_lib.c" }
FormalParmVFGNode ID: 790462 Fun[engine_free_util]ValVar ID: 457405
 ptr %0 { 0th arg engine_free_util "ln": 72, "file": "crypto/engine/eng_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
72           int engine_free_util(ENGINE *e, int not_locked)




>>>>>>>>>>>>>  print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:
StoreVFGNode ID: 534907 StoreStmt: [Var457409 <-- Var457405]	
   store ptr %0, ptr %4, align 8 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


>>>>>>>>>>>>>  print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
LoadVFGNode ID: 323526 LoadStmt: [Var457481 <-- Var457409]	
   %48 = load ptr, ptr %4, align 8, !dbg !134987 { "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>



>>>>>>>>>>>>>  print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
ActualParmVFGNode ID: 729521 CS[{ "ln": 94, "cl": 9, "fl": "crypto/engine/eng_lib.c" }]ValVar ID: 457481
   %48 = load ptr, ptr %4, align 8, !dbg !134987 { "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
93        if (e->destroy)
94             e->destroy(e);


(source code that sets destroy(); there is no call site referring to ossl_statem_accept())
int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f)
{
    e->destroy = destroy_f;
    return 1;
}


[False positive site]>>>>>>>>>>>>>  print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ 0th arg ossl_statem_accept "ln": 254, "file": "ssl/statem/statem.c" }
FormalParmVFGNode ID: 791842 Fun[ossl_statem_accept]ValVar ID: 242087
 ptr %0 { 0th arg ossl_statem_accept "ln": 254, "file": "ssl/statem/statem.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
254        int ossl_statem_accept(SSL *s)


>>>>>>>>>>>>>  print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:
StoreVFGNode ID: 510355 StoreStmt: [Var242088 <-- Var242087]	
   store ptr %0, ptr %2, align 8 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
....

Br1m4zz commented Nov 4, 2024

The pointer analysis I use is Andersen* pta = AndersenSFR::createAndersenSFR(pag);


grandnew commented Nov 4, 2024

Could you please show the complete reproduction details? @Br1m4zz


Br1m4zz commented Nov 4, 2024

OpenSSL compile (by setting CC=wllvm):

BC is generated by WLLVM with llvm-16
BC url: https://pan.baidu.com/s/1MSkIf1CY6WqTidyuJvP5Iw?pwd=9hhs code: 9hhs
[image not available]

Analysis code

source SVFG node:

================================== Function struct Allocation: ==========================================
AddrVFGNode ID: 36428 AddrStmt: [Var70684 <-- Var70685]	
   %8 = alloca %struct.function_st, align 8 { "ln": 471, "fl": "apps/openssl.c" }
=========================================================================================================

dst SVFG node:

>>>>>>>>>>>>>  print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ "ln": 2767, "cl": 20, "fl": "ssl/t1_lib.c" }
GepVFGNode ID: 155306 GepStmt: [Var202166 <-- Var202165]	
   %12 = getelementptr inbounds %struct.sigalg_lookup_st, ptr %11, i32 0, i32 5, !dbg !134870 { "ln": 2767, "cl": 20, "fl": "ssl/t1_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Here's the code snippet:

API usage:

...
    /// Build SVFIR
    SVFIRBuilder builder(svfModule);
    pag = builder.build();
    Andersen* pta = AndersenSFR::createAndersenSFR(pag);
    SVFGBuilder svfBuilder(true);
    svfg = svfBuilder.buildFullSVFG(pta);
    source_node_analyze();
    analyze_all_struct(); // this is where we use struct_spread_rules_find_gep
...

Propagation rules:

bool struct_spread_rules_find_gep(const VFGNode* vNode)
{
    if(SVFUtil::isa<BinaryOPVFGNode>(vNode) 
    || SVFUtil::isa<UnaryOPVFGNode>(vNode) 
    || SVFUtil::isa<CmpVFGNode>(vNode)
    || SVFUtil::isa<MSSAPHISVFGNode>(vNode)
    || SVFUtil::isa<IntraMSSAPHISVFGNode>(vNode)
    || SVFUtil::isa<BranchVFGNode>(vNode)
    || SVFUtil::isa<ActualOUTSVFGNode>(vNode)
    || SVFUtil::isa<FormalOUTSVFGNode>(vNode)
    || SVFUtil::isa<ActualINSVFGNode>(vNode)
    || SVFUtil::isa<FormalINSVFGNode>(vNode)
    || SVFUtil::isa<IntraPHIVFGNode>(vNode)
    || SVFUtil::isa<IntraPHISVFGNode>(vNode)
    //
    )
    {
        // if(debug)SVFUtil::errs()<<">>>>>>>>node is abandoned\n";
        return false;
    }
    if(const FormalParmVFGNode *fp_vfgnode = SVFUtil::dyn_cast<FormalParmVFGNode>(vNode))
    {
        if(is_in_glibc_function_list(fp_vfgnode->getFun()->getName()))
        {
            return false;
        }
    }
    return true;
}

I don't know whether it has something to do with the following warnings:
[image not available]
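For readers following this thread, here is an added illustration (not SVF's code and not anything the reporter posted) of how an inclusion-based points-to analysis can attribute an indirect call such as e->destroy(e) to an unrelated function like ossl_statem_accept. It is a toy Andersen-style solver with two precision knobs: whether each caller of an allocation wrapper gets its own abstract heap object, and whether struct fields are kept apart. The names ENGINE, SSL, e->destroy, engine_free_util and ossl_statem_accept come from the thread; engine_destroy_impl, the s->handshake_func field and the CRYPTO_malloc-style wrapper are assumptions made for the model, and the thread does not establish that either knob is the actual cause of the reported false positive.

```python
"""Toy Andersen-style (inclusion-based) points-to analysis, added as an
illustration for this thread. It is not SVF code and not OpenSSL code.

Two precision knobs are exposed:
  * heap_per_call_site: one abstract object per caller of the allocation
    wrapper, instead of one object for the single malloc inside the wrapper.
  * field_sensitive: keep struct fields apart, instead of folding every
    field store/load onto the base object.
The callee set computed for the indirect call `e->destroy(e)` shows when the
spurious target ossl_statem_accept appears.
"""
from collections import defaultdict


class PointsTo:
    """Minimal inclusion-based solver over four constraint kinds."""

    def __init__(self, field_sensitive):
        self.field_sensitive = field_sensitive
        self.pts = defaultdict(set)     # pointer or (object, field) slot -> abstract objects
        self.copies = defaultdict(set)  # q -> {p}        for constraints p = q
        self.stores = []                # (p, field, q)   for p->field = q
        self.loads = []                 # (p, q, field)   for p = q->field

    def addr(self, p, obj):            # p = &obj  (allocation or function address)
        self.pts[p].add(obj)

    def copy(self, p, q):              # p = q     (assignment or parameter passing)
        self.copies[q].add(p)

    def store(self, p, field, q):      # p->field = q
        self.stores.append((p, field, q))

    def load(self, p, q, field):       # p = q->field
        self.loads.append((p, q, field))

    def slot(self, obj, field):
        # A field-insensitive analysis folds every field onto the base object.
        return (obj, field if self.field_sensitive else "*")

    def solve(self):
        # Naive fixpoint: re-evaluate every constraint until no set grows.
        changed = True
        while changed:
            changed = False
            for q, targets in self.copies.items():
                for p in targets:
                    if not self.pts[q] <= self.pts[p]:
                        self.pts[p] |= self.pts[q]
                        changed = True
            for p, field, q in self.stores:
                for obj in list(self.pts[p]):
                    s = self.slot(obj, field)
                    if not self.pts[q] <= self.pts[s]:
                        self.pts[s] |= self.pts[q]
                        changed = True
            for p, q, field in self.loads:
                for obj in list(self.pts[q]):
                    s = self.slot(obj, field)
                    if not self.pts[s] <= self.pts[p]:
                        self.pts[p] |= self.pts[s]
                        changed = True
        return self.pts


FUNCTIONS = {"engine_destroy_impl", "ossl_statem_accept"}


def build_model(heap_per_call_site, field_sensitive):
    pa = PointsTo(field_sensitive)
    # Assumed allocation wrapper: ENGINE_new() and SSL_new() both end in one
    # malloc inside CRYPTO_malloc. With one abstract object per malloc *site*,
    # every caller of the wrapper shares that object.
    engine_obj = "heap@ENGINE_new" if heap_per_call_site else "heap@CRYPTO_malloc"
    ssl_obj = "heap@SSL_new" if heap_per_call_site else "heap@CRYPTO_malloc"
    pa.addr("e", engine_obj)                      # ENGINE *e = ENGINE_new();
    pa.addr("s", ssl_obj)                         # SSL *s = SSL_new();
    # ENGINE_set_destroy_function(e, engine_destroy_impl): arguments are copied
    # into the callee's formals, then the store e->destroy = destroy_f happens.
    pa.addr("cb", "engine_destroy_impl")          # hypothetical callback
    pa.copy("e_param", "e")
    pa.copy("destroy_f", "cb")
    pa.store("e_param", "destroy", "destroy_f")   # e->destroy = destroy_f;
    # Elsewhere (assumed field name), an SSL object gets its handshake function.
    pa.addr("accept_fn", "ossl_statem_accept")
    pa.store("s", "handshake_func", "accept_fn")  # s->handshake_func = ossl_statem_accept;
    # The indirect call site from engine_free_util: fp = e->destroy; fp(e);
    pa.load("fp", "e", "destroy")
    return pa


def resolve_callees(heap_per_call_site, field_sensitive):
    """Sorted list of functions the toy analysis allows as targets of e->destroy(e)."""
    pts = build_model(heap_per_call_site, field_sensitive).solve()
    return sorted(obj for obj in pts["fp"] if obj in FUNCTIONS)


if __name__ == "__main__":
    for heap, field in [(True, True), (False, True), (True, False), (False, False)]:
        print(f"per-call-site heap={heap!s:5} field-sensitive={field!s:5} -> "
              f"{resolve_callees(heap, field)}")
```

In this model the spurious callee only shows up when both knobs are off: a shared heap object alone is rescued by field sensitivity, and field insensitivity alone is rescued by distinct heap objects. When triaging a false positive like the one above, it is worth checking which abstract object e points to at the call site and whether that object is also the target of the store that places ossl_statem_accept, since that distinguishes an allocation-wrapper conflation from a field-handling issue.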
