
Fix UB in analysis/test #683

Merged
merged 8 commits into from
Sep 28, 2022
16 changes: 11 additions & 5 deletions analysis/test/src/pointers.rs
@@ -77,9 +77,15 @@ pub unsafe extern "C" fn simple() {
let k = (*x).field;
let z = std::ptr::addr_of!((*x).field2);
(*x).field3 = std::ptr::addr_of!(*x) as *const S;
recur(3, x);
(*y).field4 = T {
field: 0i32,
field2: 0u64,
field3: 0 as *const S,
field4: 0i32,
};
let s = *y;
*x = s;
recur(3, x);
free(x2 as *mut libc::c_void);
}
#[no_mangle]
@@ -94,7 +100,7 @@ pub unsafe extern "C" fn simple1() {
let addr_of_copy = std::ptr::addr_of!(x_copy_copy);
let i_cast = x as usize;
let x_from_int = i_cast as *const libc::c_void;
free(x as *mut libc::c_void);
free(z as *mut libc::c_void);
}

#[derive(Copy, Clone)]
@@ -411,7 +417,7 @@ pub unsafe extern "C" fn test_realloc_fresh() {
}
#[no_mangle]
pub unsafe extern "C" fn test_load_addr() {
let s = malloc(::std::mem::size_of::<S>() as libc::c_ulong) as *mut S;
let s = calloc(1, ::std::mem::size_of::<S>() as libc::c_ulong) as *mut S;
let x = (*s);
free(s as *mut libc::c_void);
}
@@ -442,7 +448,7 @@ pub unsafe extern "C" fn test_load_other_store_self() {
#[no_mangle]
pub unsafe extern "C" fn test_load_self_store_self() {
let s = calloc(
0i32 as libc::c_ulong,
1i32 as libc::c_ulong,
::std::mem::size_of::<S>() as libc::c_ulong,
) as *mut S;
(*s).field4.field4 = (*s).field4.field4;
@@ -451,7 +457,7 @@ pub unsafe extern "C" fn test_load_self_store_self() {
#[no_mangle]
pub unsafe extern "C" fn test_load_self_store_self_inter() {
let s = calloc(
0i32 as libc::c_ulong,
1i32 as libc::c_ulong,
::std::mem::size_of::<S>() as libc::c_ulong,
) as *mut S;
let y = (*s).field;
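Review bot: The `calloc` results in `test_load_addr`, `test_load_self_store_self` and `test_load_self_store_self_inter` are dereferenced with no null check, so `let x = (*s);`, `(*s).field4.field4 = (*s).field4.field4;` and `let y = (*s).field;` are still undefined behaviour when the allocation fails, which is the class of defect this change sets out to remove. A guard such as `if s.is_null() { return; }` right after each allocation would close that, presumably at the cost of regenerating the expected graph output in the second file, since the extra branch changes the MIR. If the MIR shape has to stay as it is, record the assumption next to each allocation instead: `// SAFETY: calloc(1, size_of::<S>()) returns zeroed storage for one S; a null return on OOM is not handled here`. The bodies of the last two functions continue outside their hunks.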
Original file line number Diff line number Diff line change
@@ -16,12 +16,13 @@ g {
nodes_that_need_write = []

g {
n[0]: copy _ => _14 @ bb6[4]: fn main; _14 = null_mut();
n[1]: copy n[0] => _1 @ bb0[0]: fn once; _13 = once(move _14);
n[2]: value.store _ => _20.* @ bb4[7]: fn invalid; (*_20) = const 0_usize as *mut pointers::S (PointerFromExposedAddress);
n[3]: value.store _ => _17.* @ bb8[4]: fn fdevent_unregister; (*_17) = const 0_usize as *mut pointers::fdnode_st (PointerFromExposedAddress);
n[4]: int_to_ptr _ => _2 @ bb0[2]: fn test_ref_field; _2 = const 0_usize as *const pointers::S (PointerFromExposedAddress);
n[5]: int_to_ptr _ => _5 @ bb0[8]: fn test_ref_field; _5 = const 0_usize as *const pointers::S (PointerFromExposedAddress);
n[0]: copy _ => _14 @ bb6[4]: fn main; _14 = null_mut();
n[1]: copy n[0] => _1 @ bb0[0]: fn once; _13 = once(move _14);
n[2]: int_to_ptr _ => _17 @ bb4[29]: fn simple; _17 = const 0_usize as *const pointers::S (PointerFromExposedAddress);
n[3]: value.store _ => _20.* @ bb4[7]: fn invalid; (*_20) = const 0_usize as *mut pointers::S (PointerFromExposedAddress);
n[4]: value.store _ => _17.* @ bb8[4]: fn fdevent_unregister; (*_17) = const 0_usize as *mut pointers::fdnode_st (PointerFromExposedAddress);
n[5]: int_to_ptr _ => _2 @ bb0[2]: fn test_ref_field; _2 = const 0_usize as *const pointers::S (PointerFromExposedAddress);
n[6]: int_to_ptr _ => _5 @ bb0[8]: fn test_ref_field; _5 = const 0_usize as *const pointers::S (PointerFromExposedAddress);
}
nodes_that_need_write = []

@@ -43,13 +44,13 @@ g {
nodes_that_need_write = []

g {
n[0]: alloc _ => _2 @ bb1[2]: fn simple; _2 = malloc(move _3);
n[1]: copy n[0] => _1 @ bb2[1]: fn simple; _1 = move _2 as *mut pointers::S (Misc);
n[2]: copy n[1] => _5 @ bb2[5]: fn simple; _5 = _1;
n[3]: field.0 n[1] => _10 @ bb4[5]: fn simple; _10 = &raw const ((*_1).0: i32);
n[4]: copy n[2] => _22 @ bb5[12]: fn simple; _22 = _5;
n[5]: copy n[4] => _21 @ bb5[13]: fn simple; _21 = move _22 as *mut libc::c_void (Misc);
n[6]: free n[5] => _20 @ bb5[15]: fn simple; _20 = free(move _21);
n[0]: alloc _ => _2 @ bb1[2]: fn simple; _2 = malloc(move _3);
n[1]: copy n[0] => _1 @ bb2[1]: fn simple; _1 = move _2 as *mut pointers::S (Misc);
n[2]: copy n[1] => _5 @ bb2[5]: fn simple; _5 = _1;
n[3]: field.0 n[1] => _10 @ bb4[5]: fn simple; _10 = &raw const ((*_1).0: i32);
n[4]: copy n[2] => _24 @ bb5[5]: fn simple; _24 = _5;
n[5]: copy n[4] => _23 @ bb5[6]: fn simple; _23 = move _24 as *mut libc::c_void (Misc);
n[6]: free n[5] => _22 @ bb5[8]: fn simple; _22 = free(move _23);
}
nodes_that_need_write = []

@@ -73,24 +74,26 @@ g {
n[16]: field.2 n[3] => _ @ bb4[25]: fn simple; ((*_1).2: *const pointers::S) = move _15;
n[17]: addr.store n[16] => _ @ bb4[25]: fn simple; ((*_1).2: *const pointers::S) = move _15;
n[18]: value.store n[15] => _1.*.2 @ bb4[25]: fn simple; ((*_1).2: *const pointers::S) = move _15;
n[19]: copy n[3] => _17 @ bb4[29]: fn simple; _17 = _1;
n[20]: copy n[19] => _2 @ bb0[0]: fn recur; _16 = recur(const 3_i32, move _17);
n[21]: copy n[20] => _13 @ bb8[3]: fn recur; _13 = _2;
n[22]: copy n[21] => _2 @ bb0[0]: fn recur; _9 = recur(move _10, move _13);
n[23]: copy n[22] => _13 @ bb8[3]: fn recur; _13 = _2;
n[24]: copy n[23] => _2 @ bb0[0]: fn recur; _9 = recur(move _10, move _13);
n[19]: field.3 n[1] => _ @ bb4[32]: fn simple; ((*_6).3: pointers::T) = move _16;
n[20]: addr.store n[19] => _ @ bb4[32]: fn simple; ((*_6).3: pointers::T) = move _16;
n[21]: addr.load n[1] => _ @ bb4[35]: fn simple; _18 = (*_6);
n[22]: addr.store n[3] => _ @ bb4[39]: fn simple; (*_1) = move _19;
n[23]: copy n[3] => _21 @ bb4[43]: fn simple; _21 = _1;
n[24]: copy n[23] => _2 @ bb0[0]: fn recur; _20 = recur(const 3_i32, move _21);
n[25]: copy n[24] => _13 @ bb8[3]: fn recur; _13 = _2;
n[26]: copy n[25] => _2 @ bb0[0]: fn recur; _9 = recur(move _10, move _13);
n[27]: copy n[26] => _8 @ bb1[2]: fn recur; _8 = _2;
n[28]: copy n[27] => _7 @ bb1[3]: fn recur; _7 = move _8 as *mut libc::c_void (Misc);
n[29]: free n[28] => _0 @ bb1[5]: fn recur; _0 = free(move _7);
n[30]: copy n[26] => _14 @ bb9[4]: fn recur; _14 = _2;
n[31]: copy n[26] => _14 @ bb9[4]: fn recur; _14 = _2;
n[32]: copy n[26] => _14 @ bb9[4]: fn recur; _14 = _2;
n[33]: addr.load n[1] => _ @ bb5[3]: fn simple; _18 = (*_6);
n[34]: addr.store n[3] => _ @ bb5[7]: fn simple; (*_1) = move _19;
n[27]: copy n[26] => _13 @ bb8[3]: fn recur; _13 = _2;
n[28]: copy n[27] => _2 @ bb0[0]: fn recur; _9 = recur(move _10, move _13);
n[29]: copy n[28] => _13 @ bb8[3]: fn recur; _13 = _2;
n[30]: copy n[29] => _2 @ bb0[0]: fn recur; _9 = recur(move _10, move _13);
n[31]: copy n[30] => _8 @ bb1[2]: fn recur; _8 = _2;
n[32]: copy n[31] => _7 @ bb1[3]: fn recur; _7 = move _8 as *mut libc::c_void (Misc);
n[33]: free n[32] => _0 @ bb1[5]: fn recur; _0 = free(move _7);
n[34]: copy n[30] => _14 @ bb9[4]: fn recur; _14 = _2;
n[35]: copy n[30] => _14 @ bb9[4]: fn recur; _14 = _2;
n[36]: copy n[30] => _14 @ bb9[4]: fn recur; _14 = _2;
}
nodes_that_need_write = [34, 17, 16, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0]
nodes_that_need_write = [22, 20, 19, 17, 16, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0]

g {
n[0]: &_1 _ => _10 @ bb4[5]: fn simple; _10 = &raw const ((*_1).0: i32);
@@ -416,21 +419,21 @@ g {
n[4]: free n[3] => _6 @ bb3[2]: fn simple1; _6 = realloc(move _7, move _9);
n[5]: copy n[1] => _16 @ bb4[20]: fn simple1; _16 = _1;
n[6]: ptr_to_int n[5] => _ @ bb4[21]: fn simple1; _15 = move _16 as usize (PointerExposeAddress);
n[7]: copy n[1] => _21 @ bb4[33]: fn simple1; _21 = _1;
n[8]: copy n[7] => _20 @ bb4[34]: fn simple1; _20 = move _21 as *mut libc::c_void (Misc);
n[9]: free n[8] => _19 @ bb4[36]: fn simple1; _19 = free(move _20);
}
nodes_that_need_write = []

g {
n[0]: alloc _ => _6 @ bb3[2]: fn simple1; _6 = realloc(move _7, move _9);
n[1]: copy n[0] => _5 @ bb4[2]: fn simple1; _5 = move _6 as *mut pointers::S (Misc);
n[2]: copy n[1] => _11 @ bb4[6]: fn simple1; _11 = _5;
n[3]: field.0 n[2] => _ @ bb4[8]: fn simple1; ((*_11).0: i32) = const 10_i32;
n[4]: addr.store n[3] => _ @ bb4[8]: fn simple1; ((*_11).0: i32) = const 10_i32;
n[5]: copy n[1] => _12 @ bb4[10]: fn simple1; _12 = _5;
n[6]: copy n[2] => _13 @ bb4[13]: fn simple1; _13 = _11;
n[7]: int_to_ptr _ => _17 @ bb4[27]: fn simple1; _17 = move _18 as *const libc::c_void (PointerFromExposedAddress);
n[0]: alloc _ => _6 @ bb3[2]: fn simple1; _6 = realloc(move _7, move _9);
n[1]: copy n[0] => _5 @ bb4[2]: fn simple1; _5 = move _6 as *mut pointers::S (Misc);
n[2]: copy n[1] => _11 @ bb4[6]: fn simple1; _11 = _5;
n[3]: field.0 n[2] => _ @ bb4[8]: fn simple1; ((*_11).0: i32) = const 10_i32;
n[4]: addr.store n[3] => _ @ bb4[8]: fn simple1; ((*_11).0: i32) = const 10_i32;
n[5]: copy n[1] => _12 @ bb4[10]: fn simple1; _12 = _5;
n[6]: copy n[2] => _13 @ bb4[13]: fn simple1; _13 = _11;
n[7]: int_to_ptr _ => _17 @ bb4[27]: fn simple1; _17 = move _18 as *const libc::c_void (PointerFromExposedAddress);
n[8]: copy n[1] => _21 @ bb4[33]: fn simple1; _21 = _5;
n[9]: copy n[8] => _20 @ bb4[34]: fn simple1; _20 = move _21 as *mut libc::c_void (Misc);
n[10]: free n[9] => _19 @ bb4[36]: fn simple1; _19 = free(move _20);
}
nodes_that_need_write = [4, 3, 2, 1, 0]

@@ -685,7 +688,7 @@ g {
nodes_that_need_write = []

g {
n[0]: alloc _ => _2 @ bb1[2]: fn test_load_addr; _2 = malloc(move _3);
n[0]: alloc _ => _2 @ bb1[2]: fn test_load_addr; _2 = calloc(const 1_u64, move _3);
n[1]: copy n[0] => _1 @ bb2[1]: fn test_load_addr; _1 = move _2 as *mut pointers::S (Misc);
n[2]: addr.load n[1] => _ @ bb2[5]: fn test_load_addr; _5 = (*_1);
n[3]: copy n[1] => _8 @ bb2[10]: fn test_load_addr; _8 = _1;
@@ -950,5 +953,5 @@ g {
nodes_that_need_write = [6, 5, 4, 0]

num_graphs = 64
num_nodes = 691
num_nodes = 694