[klee-dev] One question about external dispatcher

Dan Liew dan at su-root.co.uk
Sat Jan 28 10:12:24 GMT 2017


On 27 January 2017 at 04:18, Qiuping Yi <yiqiuping at gmail.com> wrote:
> Dear all,
>
> I encountered a strange problem when testing the next code snippet:
>
> if (pw = getpwuid(getuid()) == NULL)
>   return ;
>
> .. = pw->pw_dir;

Please use the correct mailing list (klee-dev at imperial.ac.uk) instead
of the old klee-dev at keeda.stanford.edu mailing list.

It would be better if you provided a small complete example. Like this.

```
#include <assert.h>
#include <pwd.h>
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>

int main(int argc, char** argv) {
  struct passwd* pw;
  uid_t uid = getuid();
  printf("uid is %lu\n", (unsigned long)uid);
  /* As posted: the assignment binds last, so pw receives (ptr == NULL). */
  if (pw = getpwuid(getuid()) == NULL) {
    printf("Failed\n");
    return 1;
  }
  assert(pw && "pw cannot be NULL");

  char* pw_dir = pw->pw_dir;
  printf("pw_dir: %s\n", pw_dir);
  return 0;
}
```

Your code is wrong.

if (pw = getpwuid(getuid()) == NULL)

is doing this

if ( pw = ( getpwuid(getuid()) == NULL ) )

so a pointer is returned by `getpwuid()` and then we compare with NULL
which is false so then `pw` gets assigned the value zero.

However once I fix your code to

if ((pw = getpwuid(getuid())) == NULL) {

then I can reproduce the problem if I just run `klee program.bc`

I suspect it's to do with the fact `getpwuid()` returns a pointer to
"real memory" which does not point to anything in KLEE's own model of
the memory (i.e. the address space of the program under test).

To fix this you need to avoid calling `getpwuid()` as an external
function and instead call it from klee-uclibc so that it can be
symbolically executed.

If you run

```
klee -libc=uclibc program.bc
```

no out of bounds access is reported.

HTH,
Dan.
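
An added example, not code from Dan's reply or from the KLEE project: the
corrected lookup written as a function that can be checked, with the
result copied out of the memory `getpwuid()` returns. The build and run
commands in the header comment assume a standard clang + klee
installation and the usual bitcode workflow; the function and return-code
names are this example's own.

```c
/*
 * Added example (not from the thread or the KLEE project): the corrected
 * lookup as a checkable function. Build commands assume a standard
 * clang + klee install and the default bitcode workflow:
 *
 *   native:  cc -Wall -o home home.c && ./home
 *   KLEE:    clang -emit-llvm -c -g home.c -o home.bc && klee --libc=uclibc home.bc
 */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return codes for home_dir_of() (names are this example's own). */
enum { HOME_OK = 0, HOME_NO_ENTRY = 1, HOME_TRUNCATED = 2, HOME_BAD_ARGS = -1 };

/*
 * Copy the home directory of `uid` into buf (capacity len, always
 * NUL-terminated on return). Two points from the thread are handled here:
 *  - the assignment is parenthesised, so pw receives the pointer and the
 *    comparison with NULL applies to the pointer, not the other way round;
 *  - the string is copied out immediately, because getpwuid() hands back a
 *    pointer into memory the libc owns (static storage, or, when the call
 *    is made external under KLEE, memory outside KLEE's model), which later
 *    calls may overwrite and which KLEE cannot check accesses to.
 */
int home_dir_of(uid_t uid, char *buf, size_t len)
{
    struct passwd *pw;
    size_t n;

    if (buf == NULL || len == 0)
        return HOME_BAD_ARGS;
    buf[0] = '\0';

    if ((pw = getpwuid(uid)) == NULL)
        return HOME_NO_ENTRY;            /* no passwd entry, or lookup failed */
    if (pw->pw_dir == NULL || pw->pw_dir[0] == '\0')
        return HOME_NO_ENTRY;            /* entry without a usable home */

    n = strlen(pw->pw_dir);
    if (n >= len) {                      /* would not fit: truncate, report it */
        memcpy(buf, pw->pw_dir, len - 1);
        buf[len - 1] = '\0';
        return HOME_TRUNCATED;
    }
    memcpy(buf, pw->pw_dir, n + 1);      /* includes the terminating NUL */
    return HOME_OK;
}

int main(void)
{
    char home[256];
    int rc = home_dir_of(getuid(), home, sizeof home);

    printf("uid %lu: rc=%d pw_dir=%s\n", (unsigned long)getuid(), rc, home);
    return rc == HOME_OK ? 0 : 1;
}
```

Run natively first to confirm the lookup works for the current uid (in a
container the uid may have no passwd entry, which the function reports
rather than dereferencing NULL). Run the same bitcode under `klee` with and
without `--libc=uclibc` to see the difference Dan describes: without it
`getpwuid()` is an external call and the dereference of `pw->pw_dir` touches
memory KLEE does not model.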
