False positive of indirect call in openssl
Target: OpenSSL
False positive site: function ptr `e->destroy` should not point to `ossl_statem_accept`.
BC available for further analysis.
Here's my propagation result:
```
.....
>>>>>>>>>>>>> print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ 0th arg engine_free_util "ln": 72, "file": "crypto/engine/eng_lib.c" }
FormalParmVFGNode ID: 790462 Fun[engine_free_util]ValVar ID: 457405
ptr %0 { 0th arg engine_free_util "ln": 72, "file": "crypto/engine/eng_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
72 int engine_free_util(ENGINE *e, int not_locked)
>>>>>>>>>>>>> print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:
StoreVFGNode ID: 534907 StoreStmt: [Var457409 <-- Var457405]
store ptr %0, ptr %4, align 8
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>> print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
LoadVFGNode ID: 323526 LoadStmt: [Var457481 <-- Var457409]
%48 = load ptr, ptr %4, align 8, !dbg !134987 { "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>> print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
ActualParmVFGNode ID: 729521 CS[{ "ln": 94, "cl": 9, "fl": "crypto/engine/eng_lib.c" }]ValVar ID: 457481
%48 = load ptr, ptr %4, align 8, !dbg !134987 { "ln": 94, "cl": 20, "fl": "crypto/engine/eng_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
93 if (e->destroy)
94 e->destroy(e);
```
(Source code that sets `destroy`; there is no call site referring to `ossl_statem_accept()`.)
```c
int ENGINE_set_destroy_function(ENGINE *e, ENGINE_GEN_INT_FUNC_PTR destroy_f)
{
    e->destroy = destroy_f;
    return 1;
}
```
[False positive site]
```
>>>>>>>>>>>>> print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ 0th arg ossl_statem_accept "ln": 254, "file": "ssl/statem/statem.c" }
FormalParmVFGNode ID: 791842 Fun[ossl_statem_accept]ValVar ID: 242087
ptr %0 { 0th arg ossl_statem_accept "ln": 254, "file": "ssl/statem/statem.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
254 int ossl_statem_accept(SSL *s)
>>>>>>>>>>>>> print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:
StoreVFGNode ID: 510355 StoreStmt: [Var242088 <-- Var242087]
store ptr %0, ptr %2, align 8
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
....
```
The pointer analysis I use is `Andersen* pta = AndersenSFR::createAndersenSFR(pag);`.
Could you please show the complete reproduction details? @Br1m4zz
OpenSSL is compiled by setting `CC=wllvm`; the BC is generated by WLLVM with LLVM 16.
BC URL: https://pan.baidu.com/s/1MSkIf1CY6WqTidyuJvP5Iw?pwd=9hhs (code: 9hhs)
Analysis code:
Source SVFG node:
```
================================== Function struct Allocation: ==========================================
AddrVFGNode ID: 36428 AddrStmt: [Var70684 <-- Var70685]
%8 = alloca %struct.function_st, align 8 { "ln": 471, "fl": "apps/openssl.c" }
=========================================================================================================
```
Destination SVFG node:
```
>>>>>>>>>>>>> print_route_find_alloca_gep >>>>>>>>>>>>>>>>
LoC:{ "ln": 2767, "cl": 20, "fl": "ssl/t1_lib.c" }
GepVFGNode ID: 155306 GepStmt: [Var202166 <-- Var202165]
%12 = getelementptr inbounds %struct.sigalg_lookup_st, ptr %11, i32 0, i32 5, !dbg !134870 { "ln": 2767, "cl": 20, "fl": "ssl/t1_lib.c" }
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
```
Here's the code snippet:
API usage:
```cpp
...
/// Build SVFIR
SVFIRBuilder builder(svfModule);
pag = builder.build();
Andersen* pta = AndersenSFR::createAndersenSFR(pag);
SVFGBuilder svfBuilder(true);
svfg = svfBuilder.buildFullSVFG(pta);
source_node_analyze();
analyze_all_struct(); // this is where we use struct_spread_rules_find_gep
...
```
Propagation rules:
```cpp
// SVF headers providing the VFG/SVFG node classes and SVFUtil::isa/dyn_cast
#include "Graphs/SVFGNode.h"
#include "Util/SVFUtil.h"

// is_in_glibc_function_list() is a user-defined helper (not shown here)
bool is_in_glibc_function_list(const std::string& name);

// Returns false for nodes the propagation should abandon, true for nodes it may follow.
bool struct_spread_rules_find_gep(const VFGNode* vNode)
{
    if(SVFUtil::isa<BinaryOPVFGNode>(vNode)
       || SVFUtil::isa<UnaryOPVFGNode>(vNode)
       || SVFUtil::isa<CmpVFGNode>(vNode)
       || SVFUtil::isa<MSSAPHISVFGNode>(vNode)
       || SVFUtil::isa<IntraMSSAPHISVFGNode>(vNode)
       || SVFUtil::isa<BranchVFGNode>(vNode)
       || SVFUtil::isa<ActualOUTSVFGNode>(vNode)
       || SVFUtil::isa<FormalOUTSVFGNode>(vNode)
       || SVFUtil::isa<ActualINSVFGNode>(vNode)
       || SVFUtil::isa<FormalINSVFGNode>(vNode)
       || SVFUtil::isa<IntraPHIVFGNode>(vNode)
       || SVFUtil::isa<IntraPHISVFGNode>(vNode)
       //
      )
    {
        // if(debug)SVFUtil::errs()<<">>>>>>>>node is abondon\n";
        return false;
    }
    // Stop propagating into formal parameters of glibc functions
    if(const FormalParmVFGNode *fp_vfgnode = SVFUtil::dyn_cast<FormalParmVFGNode>(vNode))
    {
        if(is_in_glibc_function_list(fp_vfgnode->getFun()->getName()))
        {
            return false;
        }
    }
    return true;
}
```
I don't know whether it has something to do with the following warnings:
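The rule above only decides which SVFG nodes a traversal may expand; the traversal itself (`analyze_all_struct`) is not shown in the issue. The following is an added illustration (my code, not SVF's and not the issue author's) that runs the same decision structure over a constructed toy value-flow graph; the node kinds, function names and the `isInGlibcFunctionList` name list are all assumed. It shows two properties of such a filter: a rejected node prunes everything reachable only through it, and the rule never removes an edge, so a call edge the pointer analysis has already resolved (like the one in the trace that enters `ossl_statem_accept`) is still followed, because its FormalParm node is accepted.

```cpp
#include <cassert>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Node kinds named after the SVF VFG/SVFG node classes the rule above tests for.
enum class Kind { Addr, Store, Load, Gep, FormalParm, ActualParm,
                  IntraPHI, MSSAPHI, ActualIN, FormalIN, BinaryOP, Cmp };

struct Node {
    unsigned id;
    Kind kind;
    std::string fun;  // enclosing function, consulted for FormalParm nodes
};

// Minimal stand-in for an SVFG: nodes plus directed value-flow edges.
struct Graph {
    std::map<unsigned, Node> nodes;
    std::map<unsigned, std::vector<unsigned>> succ;
    void add(unsigned id, Kind k, const std::string& fun) { nodes[id] = Node{id, k, fun}; }
    void edge(unsigned from, unsigned to) { succ[from].push_back(to); }
};

// Assumed stand-in for the issue's is_in_glibc_function_list(): a fixed name list.
static const std::set<std::string> kGlibcFunctions = {"memcpy", "strlen", "free"};
bool isInGlibcFunctionList(const std::string& name) { return kGlibcFunctions.count(name) > 0; }

// Same decision structure as struct_spread_rules_find_gep: abandon node kinds that
// cannot carry a struct address onward, and stop at formal parameters of libc functions.
bool structSpreadRule(const Node& n) {
    switch (n.kind) {
    case Kind::BinaryOP: case Kind::Cmp:
    case Kind::IntraPHI: case Kind::MSSAPHI:
    case Kind::ActualIN: case Kind::FormalIN:
        return false;
    case Kind::FormalParm:
        return !isInGlibcFunctionList(n.fun);
    default:
        return true;
    }
}

// Forward propagation from a source node: a successor is recorded and expanded only if
// the rule accepts it, so everything reachable solely through an abandoned node is pruned.
std::set<unsigned> propagate(const Graph& g, unsigned source, bool (*rule)(const Node&)) {
    std::set<unsigned> visited;
    std::vector<unsigned> worklist{source};
    while (!worklist.empty()) {
        unsigned id = worklist.back();
        worklist.pop_back();
        if (!visited.insert(id).second) continue;  // already expanded
        auto it = g.succ.find(id);
        if (it == g.succ.end()) continue;
        for (unsigned s : it->second) {
            if (rule(g.nodes.at(s))) worklist.push_back(s);
        }
    }
    return visited;
}

// Constructed toy graph (not derived from the OpenSSL bitcode): an alloca flows through a
// store/load pair into an actual parameter, which reaches two callees plus a PHI branch.
Graph buildSampleGraph() {
    Graph g;
    g.add(1, Kind::Addr,       "main");
    g.add(2, Kind::Store,      "main");
    g.add(3, Kind::Load,       "main");
    g.add(4, Kind::ActualParm, "main");
    g.add(5, Kind::FormalParm, "engine_free_util");  // accepted: not a libc function
    g.add(6, Kind::Gep,        "engine_free_util");
    g.add(7, Kind::FormalParm, "memcpy");            // rejected: libc formal parameter
    g.add(8, Kind::Store,      "memcpy");
    g.add(9, Kind::IntraPHI,   "main");              // rejected: PHI nodes are abandoned
    g.add(10, Kind::Load,      "main");
    g.edge(1, 2); g.edge(2, 3); g.edge(3, 4);
    g.edge(4, 5); g.edge(5, 6);
    g.edge(4, 7); g.edge(7, 8);
    g.edge(3, 9); g.edge(9, 10);
    return g;
}

// Runs the sample; returns the node ids the rule-guarded propagation reached.
std::set<unsigned> runSample() {
    return propagate(buildSampleGraph(), 1, structSpreadRule);
}

int main() {
    for (unsigned id : runSample()) std::printf("reached node %u\n", id);
    return 0;
}
```

On the toy graph the traversal reaches nodes 1 through 6 and nothing behind the `memcpy` formal parameter or the PHI node. The practical consequence for the issue is that if a spurious callee edge is present in the SVFG, it has to be diagnosed in the points-to results (here, what the Andersen solver computes for the `e->destroy` load), not in this filter.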