SVF-tools / Teaching-Software-Analysis

Teaching and Learning Software Analysis via SVF
GNU General Public License v3.0

Strange error occurred after I updated to the latest SVF #34

Closed jmp0x7c00 closed 2 years ago

jmp0x7c00 commented 2 years ago

[image]

After I updated to the latest version of SVF, the assignment that was written before does not work properly...

jmp0x7c00 commented 2 years ago

I found that assignment 2, 3, and 4 all fail when running test2, but if test1 is commented out, test2 will pass, so I guess the resources of test1 are not released correctly.

jmp0x7c00 commented 2 years ago

When I run test1() and test2(), test2() failed. [image]

But when I comment out test1(), test2() passed. [image]

I have tried to replace PAG::releasePAG(); with SVFIR::releasePAG();, but it had no effect.

jmp0x7c00 commented 2 years ago

when

test1();
test2();

break at test1() -> assert [image]

when

test2();
test1(); // assert will fail

[image]

symTable->getTotalSymNum() is not correct

jmp0x7c00 commented 2 years ago

I read the relevant source code and found that there may be bugs here.

assert(pag->getTotalNodeNum() >= symTable->getTotalSymNum()
       && "not all node been inititalize!!!");

symTable->getTotalSymNum() invokes the following code:

[image]

and the allocator returns its numNodes field.

[image]

So the result of symTable->getTotalSymNum() is the numNodes field of the allocator object.

However, after SVFModule *svfModule = LLVMModuleSet::getLLVModuleSet()->buildSVFModule(moduleNameVec); the svfModule is not released, so NodeIDAllocator::unset(); is not called either, and the singleton NodeIDAllocator object is never released. In my experiments, even if delete svfModule is called additionally, the old allocator is still retrieved by NodeIDAllocator::get(void), because unset does not set allocator to nullptr after the delete; this should be regarded as a UAF vulnerability.

// NodeIDAllocator.cpp
NodeIDAllocator *NodeIDAllocator::get(void)
{
    // Lazily creates the singleton on first use.
    if (allocator == nullptr)
    {
        allocator = new NodeIDAllocator();
    }

    return allocator;
}

void NodeIDAllocator::unset(void)
{
    // Frees the singleton but does not reset `allocator` to nullptr,
    // so a later get() returns the already-deleted object.
    if (allocator != nullptr)
    {
        delete allocator;
    }
}

Since the allocator is not released, the field numNodes will keep accumulating forever.
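To make the two symptoms in this thread concrete (the total carried over from test1 into test2 when the allocator is never torn down, and a singleton pointer left dangling by an unset() that deletes without clearing), here is a reduced model added to this page; it is not SVF's own NodeIDAllocator. LeakyAllocator, SafeAllocator, runTest and the node counts are all hypothetical stand-ins: numNodes plays the role of the counter behind getTotalSymNum(), and each runTest call plays the role of one assignment test building a module.

```cpp
#include <cstddef>
#include <iostream>

// Variant 1: the pattern quoted above. unset() frees the object but leaves the
// static pointer pointing at freed memory, so the next get() would hand back
// that freed object instead of constructing a fresh one.
class LeakyAllocator {
public:
    static LeakyAllocator *get() {
        if (instance == nullptr) instance = new LeakyAllocator();
        return instance;
    }
    static void unset() {
        if (instance != nullptr) delete instance;   // pointer left dangling
    }
    static bool hasInstance() { return instance != nullptr; }
    std::size_t allocate() { return numNodes++; }
    std::size_t total() const { return numNodes; }
private:
    static LeakyAllocator *instance;
    std::size_t numNodes = 0;
};
LeakyAllocator *LeakyAllocator::instance = nullptr;

// Variant 2: the corrected pattern. unset() clears the pointer after delete,
// so the next get() constructs a new allocator whose numNodes starts at 0.
class SafeAllocator {
public:
    static SafeAllocator *get() {
        if (instance == nullptr) instance = new SafeAllocator();
        return instance;
    }
    static void unset() {
        if (instance != nullptr) {
            delete instance;
            instance = nullptr;                     // the one-line fix
        }
    }
    static bool hasInstance() { return instance != nullptr; }
    std::size_t allocate() { return numNodes++; }
    std::size_t total() const { return numNodes; }
private:
    static SafeAllocator *instance;
    std::size_t numNodes = 0;
};
SafeAllocator *SafeAllocator::instance = nullptr;

// One simulated test: build a "module" with `nodes` nodes and report the
// allocator's running total, the quantity the thread's assertion compares.
template <typename Alloc>
std::size_t runTest(std::size_t nodes) {
    Alloc *a = Alloc::get();
    for (std::size_t i = 0; i < nodes; ++i) a->allocate();
    return a->total();
}

// Symptom 1: with no teardown between tests, the second test still counts the
// first test's nodes (3 + 3 = 6 instead of 3). Assumes a fresh process state.
std::size_t leakySecondTestTotal() {
    runTest<LeakyAllocator>(3);
    return runTest<LeakyAllocator>(3);
}

// Symptom 2: even with teardown added, the leaky unset() leaves the pointer
// set. We only inspect the pointer here and never dereference it afterwards.
bool leakyPointerStaleAfterUnset() {
    LeakyAllocator::get();
    LeakyAllocator::unset();
    return LeakyAllocator::hasInstance();           // true: dangling
}

// With the corrected unset(), tearing down between tests resets the count.
std::size_t safeSecondTestTotal() {
    runTest<SafeAllocator>(3);
    SafeAllocator::unset();
    std::size_t second = runTest<SafeAllocator>(3); // 3 again
    SafeAllocator::unset();
    return second;
}

bool safeUnsetClearsPointer() {
    SafeAllocator::get();
    SafeAllocator::unset();
    return !SafeAllocator::hasInstance();           // true: pointer cleared
}

int main() {
    std::cout << "leaky second total: " << leakySecondTestTotal() << '\n';
    std::cout << "leaky stale pointer: " << leakyPointerStaleAfterUnset() << '\n';
    std::cout << "safe second total:  " << safeSecondTestTotal() << '\n';
    std::cout << "safe pointer cleared: " << safeUnsetClearsPointer() << '\n';
    return 0;
}
```

The ordering in main matters: leakyPointerStaleAfterUnset() is the last thing that touches LeakyAllocator, because after its unset() any further get() would return freed memory, which is exactly the use-after-free the comment above describes. A sanitizer build (-fsanitize=address) is the quickest way to catch that class of bug in the real code base.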

jmp0x7c00 commented 2 years ago

#35 and #601 in SVF are my pull requests to fix it.

yuleisui commented 2 years ago

#601 in SVF has been merged.

https://github.com/SVF-tools/SVF/commit/e9da085c236cbca3aab0e2ed61ca56be5cc33b1a and https://github.com/SVF-tools/SVF-Teaching/commit/17f6e102ab68c84c25f86564c1ea1c5e6f273f4b should fix your problem.

Please update SVF and SVF-Teaching, and let me know if your problem still exists

yuleisui commented 2 years ago

https://github.com/SVF-tools/SVF/commit/786e2501d87173762d969fcaaaf0d9de36c9a1ca should solve the destructor issue in AndersenBase.

jmp0x7c00 commented 2 years ago

Everything is OK, thank you sir!