PLSysSec / sys

Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code
https://cseweb.ucsd.edu/~dstefan/pubs/brown:2020:sys.pdf
GNU General Public License v2.0

concroob - More explanations about the check and on a real case #24

Open marcinguy opened 3 years ago

marcinguy commented 3 years ago

What does the "Right" and value mean?

If path is possible does it mean the OOB is possible? Or it has to state "attack is possible"?

Tried to pinpoint the code, but wasn't able to... seems like this is a linked function. Don't know how to find it.

Can somebody explain the output of this check and help to diagnose the finding?

Or the bug is not "real", "effective"?

Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseIdNS_9allocatorIdEEED2Ev_56"
is
path possible
in file
/local/frameworks/base/media/native/midi/libmidi/android_arm_armv7-a-neon_krait_core_shared/obj/frameworks/base/media/native/midi/.midi.o.ll
in function
Name "_ZNSt3__113__vector_baseIdNS_9allocatorIdEEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]

Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseIxNS_9allocatorIxEEED2Ev_56"
is
path possible
in file
/local/frameworks/base/media/native/midi/libmidi/android_arm_armv7-a-neon_krait_core_shared/obj/frameworks/base/media/native/midi/.midi.o.ll
in function
Name "_ZNSt3__113__vector_baseIxNS_9allocatorIxEEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]

Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseIiNS_9allocatorIiEEED2Ev_56"
is
path possible
in file
/local/frameworks/base/media/native/midi/libmidi/android_arm_armv7-a-neon_krait_core_shared/obj/frameworks/base/media/native/midi/.midi.o.ll
in function
Name "_ZNSt3__113__vector_baseIiNS_9allocatorIiEEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]

C source - https://github.com/marcinguy/public/blob/master/midi.cpp
LL - https://github.com/marcinguy/public/blob/master/midi.o.ll (with debugs)

Help is appreciated.

Thanks,

marcinguy commented 3 years ago

OK, @deian replied to another similar issue (https://github.com/PLSysSec/sys/issues/17)

"The path is feasible but unless the tool spits out that the attack is possible it means you can reach that block but likely can't trigger the bug."

So it seems I cannot trigger the bug.

What does the "Right" and value mean? Maximum value for a 32-bit unsigned integer in computing
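
A small triage parser for the report format quoted in this thread, added here as an example; it is not part of the issue or of the Sys project. It separates findings whose verdict line is only "path possible" from any other verdict and records the index both as printed and reinterpreted as a signed 32-bit value. The function names, the placeholder file path and the assumption that every keyword line is followed by exactly one value line are assumptions made for this example.

```python
import re

# Constructed sample: one report in the shape quoted in this thread;
# the file path is a placeholder, not the path from the issue.
SAMPLE = """\
Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseIdNS_9allocatorIdEEED2Ev_56"
is
path possible
in file
/placeholder/midi.o.ll
in function
Name "_ZNSt3__113__vector_baseIdNS_9allocatorIdEEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]
"""

KEYS = ("is", "in file", "in function", "on path")  # each is followed by one value line
NAME = re.compile(r'Name "([^"]+)"')

def as_signed32(value):
    """Reinterpret an unsigned 32-bit value as two's-complement signed."""
    return value - 2**32 if value >= 2**31 else value

def parse_reports(text):
    """Return one dict per complete report; truncated reports are skipped."""
    findings = []
    for chunk in text.split("Potential OOB index of")[1:]:
        lines = [l.strip() for l in chunk.splitlines() if l.strip()]
        try:
            head = lines[:lines.index("is")]
            val = {k: lines[lines.index(k) + 1] for k in KEYS}
            index = int(re.search(r"\d+", head[0]).group())
            findings.append({
                "index": index,
                "signed32": as_signed32(index),
                "variable": NAME.search(" ".join(head)).group(1),
                "verdict": val["is"],
                "file": val["in file"],
                "function": NAME.search(val["in function"]).group(1),
                "path": [int(n) for n in re.findall(r"UnName (\d+)", val["on path"])],
            })
        except (ValueError, IndexError, AttributeError):
            continue
    return findings

def reachable_only(finding):
    """True when the verdict is only 'path possible' (the case in this thread)."""
    return finding["verdict"] == "path possible"
```

The index 4294967295 is the all-ones 32-bit pattern, so the same value reads as -1 when treated as signed.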