
Ill-sorted injection causes unpredictable behavior #1171

Open
tothtamas28 opened this issue Nov 29, 2024 · 0 comments

@tothtamas28 (Contributor)

Consider

// test.k
module TEST
endmodule

and

// input.kore
Lbl'-LT-'generatedTop'-GT-'{}(
    Lbl'-LT-'k'-GT-'{}(
        kseq{}(
            inj{SortBool{}, SortKItem{}}(\dv{SortBool{}}("false")),
            dotk{}()
        )
    ),
    Lbl'-LT-'generatedCounter'-GT-'{}(
        \dv{SortInt{}}("0")
    )
)

When running this program:

$ test-kompiled/interpreter input.kore 0 /dev/stdout

the result is as expected:

Lbl'-LT-'generatedTop'-GT-'{}(Lbl'-LT-'k'-GT-'{}(kseq{}(inj{SortBool{}, SortKItem{}}(\dv{SortBool{}}("false")),dotk{}())),Lbl'-LT-'generatedCounter'-GT-'{}(\dv{SortInt{}}("0")))

However, changing the From-sort of the injection to SortInt{} sometimes causes a segfault:

[1]    15017 segmentation fault (core dumped)  test-kompiled/interpreter input.kore 0 /dev/stdout

and sometimes results in successful termination with a well-sorted configuration containing a huge integer:

Lbl'-LT-'generatedTop'-GT-'{}(Lbl'-LT-'k'-GT-'{}(kseq{}(inj{SortInt{}, SortKItem{}}(\dv{SortInt{}}("<huge integer>")),dotk{}())),Lbl'-LT-'generatedCounter'-GT-'{}(\dv{SortInt{}}("0")))

When the From-sort is SortBytes{} (requires importing BYTES-SYNTAX in TEST):

Lbl'-LT-'generatedTop'-GT-'{}(Lbl'-LT-'k'-GT-'{}(kseq{}(inj{SortBytes{}, SortKItem{}}(\dv{SortBytes{}}("\xe0\x00 *\x14\x7f\x00<repeating \x00>\x00[1]    15733 segmentation fault (core dumped)  test-kompiled/interpreter input.kore 0 /dev/stdout

This behavior is not robust and is potentially insecure. Ideally, the interpreter should exit with an error message.
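The check the report asks for, written as an added example that is not the K project's code: a small recursive-descent parser for the subset of KORE syntax used in this issue (symbol applications, sort parameters, `\dv` literals) and a sort checker that rejects `inj{From, To}(t)` whenever `t` is a `\dv` literal whose sort is not `From`, instead of passing the term on to an interpreter that will reinterpret the payload. The names `validate`, `sort_of`, `Parser`, the `LITERAL_SHAPE` table and the sort names are assumptions made for this example; the sample configuration is constructed from the issue's input.kore with the From-sort as the variable part.

```python
"""Sort-check a KORE configuration before an interpreter consumes it (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


class KoreError(ValueError):
    """Raised for syntax errors and for ill-sorted terms."""


@dataclass
class Term:
    head: str                                         # symbol, e.g. "inj", "kseq", "\\dv"
    sorts: List[str] = field(default_factory=list)    # sort parameters, e.g. ["SortBool", "SortKItem"]
    args: list = field(default_factory=list)          # child Terms, or [str] for a \dv literal


PUNCT = set("{}(),")
# string literal | identifier (KORE names may contain ' and -) | punctuation | space | anything else
TOKEN_RE = re.compile(
    r'(?P<str>"(?:\\.|[^"\\])*")|(?P<id>[\\A-Za-z0-9\'_\-]+)|(?P<punct>[{}(),])|(?P<ws>\s+)|(?P<bad>.)',
    re.DOTALL,
)


def tokenize(text: str) -> List[str]:
    tokens = []
    for m in TOKEN_RE.finditer(text):
        if m.lastgroup == "ws":
            continue
        if m.lastgroup == "bad":
            raise KoreError(f"unexpected character {m.group()!r} at offset {m.start()}")
        tokens.append(m.group())
    return tokens


class Parser:
    def __init__(self, text: str):
        self.toks = tokenize(text)
        self.i = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.i] if self.i < len(self.toks) else None

    def expect(self, tok: str) -> None:
        if self.peek() != tok:
            raise KoreError(f"expected {tok!r}, got {self.peek()!r}")
        self.i += 1

    def ident(self) -> str:
        tok = self.peek()
        if tok is None or tok in PUNCT or tok.startswith('"'):
            raise KoreError(f"expected identifier, got {tok!r}")
        self.i += 1
        return tok

    def comma_list(self, item, close: str) -> list:
        items = []
        if self.peek() != close:
            items.append(item())
            while self.peek() == ",":
                self.i += 1
                items.append(item())
        self.expect(close)
        return items

    def sort(self) -> str:
        name = self.ident()          # sort parameters (always "{}" here) are parsed and dropped
        self.expect("{")
        self.comma_list(self.sort, "}")
        return name

    def pattern(self) -> Term:
        head = self.ident()
        self.expect("{")
        sorts = self.comma_list(self.sort, "}")
        self.expect("(")
        if head == "\\dv":           # \dv{Sort{}}("literal")
            lit = self.peek()
            if lit is None or not lit.startswith('"'):
                raise KoreError(r"\dv expects a string literal")
            self.i += 1
            self.expect(")")
            return Term(head, sorts, [lit[1:-1]])
        return Term(head, sorts, self.comma_list(self.pattern, ")"))


def parse(text: str) -> Term:
    p = Parser(text)
    term = p.pattern()
    if p.peek() is not None:
        raise KoreError(f"trailing input starting at {p.peek()!r}")
    return term


# Literal shapes for the builtin sorts that appear in the issue (assumed for this check).
LITERAL_SHAPE = {"SortBool": re.compile(r"true|false"), "SortInt": re.compile(r"-?[0-9]+")}


def sort_of(term: Term) -> Optional[str]:
    """Check `term` recursively; return its sort when the term alone determines it, else None."""
    if term.head == "\\dv":
        if len(term.sorts) != 1:
            raise KoreError(r"\dv needs exactly one sort parameter")
        sort, value = term.sorts[0], term.args[0]
        shape = LITERAL_SHAPE.get(sort)
        if shape is not None and not shape.fullmatch(value):
            raise KoreError(f"literal {value!r} is not a valid {sort} value")
        return sort
    if term.head == "inj":
        if len(term.sorts) != 2 or len(term.args) != 1:
            raise KoreError("inj needs two sort parameters and one argument")
        src, dst = term.sorts
        actual = sort_of(term.args[0])
        if actual is not None and actual != src:
            raise KoreError(f"ill-sorted injection: inj{{{src}, {dst}}} applied to a {actual} term")
        return dst
    for arg in term.args:            # user symbols: result sort lives in the definition, so only
        sort_of(arg)                 # the children are checked here
    return None


def validate(text: str) -> Optional[str]:
    """Return None if the configuration passes the checks, otherwise the error message."""
    try:
        sort_of(parse(text))
        return None
    except KoreError as exc:
        return str(exc)


# Constructed from the issue's input.kore; FROM is replaced by the injection's From-sort.
INPUT_KORE = r'''Lbl'-LT-'generatedTop'-GT-'{}(
    Lbl'-LT-'k'-GT-'{}(
        kseq{}(
            inj{FROM{}, SortKItem{}}(\dv{SortBool{}}("false")),
            dotk{}()
        )
    ),
    Lbl'-LT-'generatedCounter'-GT-'{}(
        \dv{SortInt{}}("0")
    )
)'''


def sample(from_sort: str) -> str:
    return INPUT_KORE.replace("FROM", from_sort)


if __name__ == "__main__":
    for s in ("SortBool", "SortInt", "SortBytes"):
        print(f"{s:10s} -> {validate(sample(s)) or 'ok'}")
```

The checker only infers sorts for `\dv` literals and injections; the result sort of a user-defined symbol such as `kseq` comes from the definition, so a mismatch between an injection and a user symbol is not caught by this example. The point it demonstrates is where such a check belongs: at the boundary where an untrusted KORE text is loaded, so that a sort mismatch produces an error message rather than a pointer being read as a different builtin type.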
