I used LAVA for the bug injection test; the program I chose was toy.
When I look at the source code, I see that the program's output is inconsistent with the source code.
For example, in the line of code that triggered the vulnerability, the source code is as follows:
```c
consume_record(data_flow, ent + (data_flow[0] * (0x70444c46 == data_flow[0])));
```
When I look at the assembly code using GDB, I find that the operational logic is different from the source code.
The corresponding assembly code for the source code is as follows:
```asm
0x56555899 <+156>: cmp eax,0x70444c46
0x5655589e <+161>: sete al
0x565558a1 <+164>: movzx eax,al
0x565558a4 <+167>: imul eax,edx
0x565558a7 <+170>: mov edx,eax
0x565558a9 <+172>: mov eax,edx
0x565558ab <+174>: add eax,eax
0x565558ad <+176>: add eax,edx
0x565558af <+178>: shl eax,0x3
0x565558b2 <+181>: mov edx,eax
0x565558b4 <+183>: mov eax,DWORD PTR [ebp-0x18]
0x565558b7 <+186>: add eax,edx
```
The logic of the source code is: when the condition is satisfied, the second argument of the consume_record function is `ent + data_flow[0]*1`,
but the logic of the assembly code is: when the condition is satisfied, the second argument of the consume_record function is `ent + (((data_flow[0]*1)*3) << 3)`.
In addition, other programs that insert vulnerabilities also have this problem.
I don't know why the compiler compiles the source code like this. Am I missing something?
Can someone give me some help or advice?