test4.c (1,281 bytes)
2020-02-24 12:17
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <string.h>
#include <sys/mman.h>
//
// FRAMA-C bug: when an assigns clause is added to this function's contract, WP reports a user error at munmap
//
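/*
 * Maps /etc/passwd privately with 1000 bytes of padding, zeroes the mapping,
 * unmaps it and closes the descriptor.
 *
 * Returns 0 on success, 1 if open() fails, 2 if fstat() fails or reports a
 * size that cannot be padded, 4 if mmap() fails.
 *
 * The ACSL contract below is kept exactly as in the original reproducer.
 */
/*@ ensures \result >= 0;
@ assigns __fc_errno;
*/
int bug()
{
    enum { PAD_BYTES = 1000 };
    int fd;
    int status = 0;
    struct stat statbuf = { 0 };
    char *p;
    size_t file_len;
    size_t memsize;
    size_t tail = 0;
    long pagesize;

    /* open file; 0 is a valid descriptor, only a negative value is an error */
    if ((fd = open("/etc/passwd", O_RDONLY)) < 0) { // errno
        printf("open()\n");
        return 1;
    }

    if (fstat(fd, &statbuf)) { // errno
        close(fd); /* do not leak the descriptor on the error path */
        return 2;
    }

    /* st_size is signed; reject values that would wrap the size arithmetic */
    if (statbuf.st_size < 0 ||
        (unsigned long long)statbuf.st_size >
            (unsigned long long)((size_t)-1) - PAD_BYTES) {
        close(fd);
        return 2;
    }
    file_len = (size_t)statbuf.st_size;
    memsize = file_len + PAD_BYTES;

    /* maps the file; mmap() signals failure with MAP_FAILED, never NULL */
    p = mmap(NULL, memsize, PROT_READ|PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return 4;
    }

    /*
     * Only the remainder of the file's last page is backed by memory; touching
     * whole pages past the end of the file raises SIGBUS. Limit the padding we
     * write to the bytes that really exist (none if the page size is unknown).
     */
    pagesize = sysconf(_SC_PAGESIZE);
    if (pagesize > 0) {
        size_t rem = file_len % (size_t)pagesize;

        if (rem != 0) {
            tail = (size_t)pagesize - rem;
        }
    }
    if (tail > PAD_BYTES) {
        tail = PAD_BYTES;
    }

    /* null bytes at the end */
    memset(p + file_len, 0, tail);

    /*
     * wipe data containing sensitive info; the mapping is MAP_PRIVATE, so
     * these writes stay in this process and never reach the file
     */
    memset(p, 0, file_len + tail);

    munmap(p, memsize); // ************************************************ HERE
    close(fd);
    return status;
}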
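/* Runs the reproducer and passes its status on as the process exit code. */
int main(void)
{
    return bug();
}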