Appending _p<#> to concolic name may clobber valid data

[moralismercatus]

Here is the scenario:

I have a particular executable binary (may differ from typical data layout).

Two calls to crete_make_concolic are made (paraphrasing, not actual code):

crete_make_concolic( &buf1[0], sizeof( buf1 ), "name1" );
crete_make_concolic( &buf2[0], sizeof( buf2 ), "name2" );

Now, the way "name1" and "name2" are stored in memory is that they are adjacent with no padding between. E.g.,: "name1\0name2\0"

In the linked to code, https://github.com/SVL-PSU/crete-dev/blob/master/front-end/qemu-2.3/runtime-dump/custom-instructions.cpp#L124, crete_custom_instr_send_concolic_name appends a "_p<#>" to the end of each name. Assuming only one process is in play, it appends "_p1". After the first call to make_concolic, the data representing "name2" has been clobbered from "name2\0" to "p1\0e2\0".

Thus, the second call to make_concolic will claim the name given was "p1", rather than "name2", and the following assertion will be raised: https://github.com/SVL-PSU/crete-dev/blob/master/front-end/qemu-2.3/runtime-dump/custom-instructions.cpp#L119

[likebreath]

Hi @moralismercatus. Thanks for prompting this issue.

This should not be a problem by design, as 'crete_make_conoclic()' provides a buffer with sufficient space for name padding. Please check the implementation here. Please note macro "MAX_CONCOLIC_NAME_SIZE" and "MAX_NAME_SIZE" are expected to equal. Maybe I should refactor them to share the same definition.

If you encounter a real problem, please let me know.

[moralismercatus]

Ah, thanks @likebreath . I see now.

I was calling the custom instructions directly (the binary is written in assembly), and I wasn't familiar with the new conventions for naming.

I'll close this one now.

[likebreath]

Sure thing. I would suggest you to call the crete APIs whenever it is feasible. I believe you can call it with assembly in binary.