# This file is part of the SV-Benchmarks collection of verification tasks: # https://gitlab.com/sosy-lab/benchmarking/sv-benchmarks # # SPDX-FileCopyrightText: 1995-1998 Eric Young # SPDX-FileCopyrightText: 1998-2001 The OpenSSL Project # SPDX-FileCopyrightText: 2002-2004 The Regents of the University of California # SPDX-FileCopyrightText: 2011-2021 The SV-Benchmarks community # # SPDX-License-Identifier: OpenSSL AND PostgreSQL AND Apache-2.0 error trace call graph: ======================= main ssl3_accept detailed trace: =============== main() { SSL *s; ... s = malloc(sizeof(SSL)); // s = 0x7fffff08 s->s3 = malloc(sizeof(struct ssl3_state_st)); // s->s3 = 0x7ffff780 (stored @ 0x7fffff5c) s->session = malloc(sizeof(SSL_SESSION)); s->state = 8464; tmp = ssl3_accept(s); // *** 1 *** ... } *** 1 **** ---------- int ssl3_accept(SSL *s ) { ... // We assume that the while loop starting at line 1131 is unrolled. // The error trace traverses the following states (s->state) until the // ERROR label is reached: // 8464, 8496, 8656, 8672, 8448, 8640, 8656, 8672 // Strange things happen in the 3rd and 4th state (8656 and 8672) of this trace: // Due to uninitialized heap memory, variables are modified in an unintended way. ... if (s->state == 8464) // true goto switch_1_8464; ... switch_1_8464: // ----- state 8646 ----- ... if (blastFlag == 0) { // true blastFlag = 1; } ... s->state = 8496; ... switch_1_8496: // ----- state 8496 ----- ... if (blastFlag == 1) { // true blastFlag = 2; } ... if (s->hit) { // true; s->hit is not initalized -> LLBMC chooses 0x2000 (stored @ 0x7fffff64) s->state = 8656; } else { ... } ... switch_1_8656: // ----- state 8656 ----- ... (s->session)->cipher = (s->s3)->tmp.new_cipher; ... // s->session not initialized! LLBMC assumes s->session = 0x7ffffeb0 if (blastFlag == 2) { // (s->session->cipher is then stored @ 0x7fffff5c) blastFlag = 3; // setting it to 0x7ffffc09 (chosen by LLBMC, as 'new_cipher' is not initialized) } // results in s->s3 (stored @0x7fffff5c) to be overwritten and modified from ... // 0x7ffff780 to 0x7ffffc09 s->state = 8672; ... switch_1_8672: // ----- state 8672 ----- ... if (blastFlag == 4) { ... } // false ... s->state = 8448; if(s->hit) { // true; LLBMC has chosen 0x2000 for s->hit (s->s3)->tmp.next_state = 8640; // s->s3 has been modified to 0x7ffffc09 (see state 8656 above) } // (s->s3)->tmp.next_state is thus stored @ 0x7fffff59 ... // writing 8640 to it overwrites the 4-byte pointer s->s3, which is stored ... // @ 0x7fffff5c (the write sets s->s3 to 0x7ffffc00) switch_1_8448: // ------ state 8448 ----- ... s->state = (s->s3)->tmp.next_state; // set s->state to 8656 ... // s->s3 got changed to 0x7ffffc00 in state 8672, s3->tmp.next_state is thus ... // @ 0x7fffff50. This address is uninitialized, LLBMC hat chosen 8656 switch_1_8656: // ----- state 8656 ----- ... if (blastFlag == 2) { // false ... } else { if (blastFlag == 3) { // true blastFlag = 4; } ... } ... s->state = 8672; ... switch_1_8672: // ----- state 8672 ----- ... if (blastFlag == 4) { // true goto ERROR; // ------> error state reached! } }