PLSysSec / sys

Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code

Home Page: https://cseweb.ucsd.edu/~dstefan/pubs/brown:2020:sys.pdf


concroob - More explanations about the check and on a real case

marcinguy opened this issue

What do the "Right" and the value mean?

If the path is possible, does it mean the OOB is possible? Or does it have to state "attack is possible"?

Tried to pinpoint the code, but wasn't able to... seems like this is a linked function. Don't know how to find it.

Can somebody explain the output of this check and help to diagnose the finding?

Or is the bug not "real", "effective"?

Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseIdNS_9allocatorIdEEED2Ev_56"
is
path possible
in file
/local/frameworks/base/media/native/midi/libmidi/android_arm_armv7-a-neon_krait_core_shared/obj/frameworks/base/media/native/midi/.midi.o.ll
in function
Name "_ZNSt3__113__vector_baseIdNS_9allocatorIdEEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]

Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseIxNS_9allocatorIxEEED2Ev_56"
is
path possible
in file
/local/frameworks/base/media/native/midi/libmidi/android_arm_armv7-a-neon_krait_core_shared/obj/frameworks/base/media/native/midi/.midi.o.ll
in function
Name "_ZNSt3__113__vector_baseIxNS_9allocatorIxEEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]

Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseIiNS_9allocatorIiEEED2Ev_56"
is
path possible
in file
/local/frameworks/base/media/native/midi/libmidi/android_arm_armv7-a-neon_krait_core_shared/obj/frameworks/base/media/native/midi/.midi.o.ll
in function
Name "_ZNSt3__113__vector_baseIiNS_9allocatorIiEEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]

C source - https://github.com/marcinguy/public/blob/master/midi.cpp
LL - https://github.com/marcinguy/public/blob/master/midi.o.ll (with debugs)

Help is appreciated.

Thanks,

OK, @deian replied to another similar issue (#17)

"The path is feasible but unless the tool spits out that the attack is possible it means you can reach that block but likely can't trigger the bug."

So it seems I cannot trigger the bug.

What do the "Right" and the value mean? It is the maximum value for a 32-bit unsigned integer in computing.
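A triage sketch for the reports quoted in this thread, added here as an example (it is not part of the thread or of the Sys project): it parses the report layout shown above, reinterprets the reported index as a signed 32-bit value, and groups reports that share the same index, block path and verdict. The field names, the `<path>` placeholder and the helper names are assumptions made for the example.

```python
import re
from collections import defaultdict
# The three reports from the issue, rebuilt from one template; "<path>" is a
# placeholder for the long build path. d/x/i are the mangled element types.
_TEMPLATE = '''Potential OOB index of
Right 4294967295
4294967295
Name "_ZNSt3__113__vector_baseI{t}NS_9allocatorI{t}EEED2Ev_56"
is
path possible
in file
<path>/.midi.o.ll
in function
Name "_ZNSt3__113__vector_baseI{t}NS_9allocatorI{t}EEED2Ev"
on path
[UnName 1,UnName 37,UnName 44,UnName 48]
'''
SAMPLE = "\n".join(_TEMPLATE.format(t=t) for t in "dxi")
LABELS = {"is": "verdict", "in file": "file", "in function": "function", "on path": "path"}

def as_signed32(value):
    # Reinterpret an unsigned 32-bit value as two's-complement signed.
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def parse_reports(text):
    reports = []
    for chunk in text.split("Potential OOB index of")[1:]:
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        rec = {"index": int(re.search(r"\d+", lines[0]).group())}
        for label, value in zip(lines, lines[1:]):  # each label line precedes its value
            if label in LABELS:
                rec[LABELS[label]] = value
        rec["function"] = re.sub(r'^Name "(.*)"$', r"\1", rec.get("function", ""))
        rec["path"] = [int(n) for n in re.findall(r"UnName (\d+)", rec.get("path", ""))]
        rec["signed_index"] = as_signed32(rec["index"])
        rec["reachable_only"] = rec.get("verdict") == "path possible"
        reports.append(rec)
    return reports

def group_findings(reports):
    # Same index, block path and verdict: one finding repeated per template instantiation.
    groups = defaultdict(list)
    for r in reports:
        groups[(r["signed_index"], tuple(r["path"]), r.get("verdict"))].append(r["function"])
    return dict(groups)

if __name__ == "__main__":
    print(group_findings(parse_reports(SAMPLE)))
```

On the three reports above this yields a single group with signed index -1 on blocks 1, 37, 44, 48, covering the `__vector_base` destructor instantiations for `double`, `long long` and `int`.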