stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 12 Releases Wiki Activity

up
Some checks failed
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Docs CI / lint-and-preview (push) Has been cancelled
Details
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-01 21:16:22 +02:00
parent c11d87d252
commit 909d9b6220
208 changed files with 860954 additions and 832 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
bench/reachability-benchmark/cases/c/memcpy-overflow/case.yaml Normal file
View File

@@ -0,0 +1,37 @@
id: "c-memcpy-overflow:001"
language: c
project: memcpy-overflow
version: "1.0.0"
description: "Potential overflow: user-controlled length passed to memcpy without bounds."
entrypoints:
- "process_buffer(len)"
sinks:
- id: "Overflow::process"
path: "src/main.c::process"
kind: "memory"
location:
file: src/main.c
line: 23
notes: "memcpy uses attacker-controlled length; reachable via process_buffer."
environment:
os_image: "gcc:13-bookworm"
runtime:
gcc: "13"
source_date_epoch: 1730000000
build:
command: "./build/build.sh"
source_date_epoch: 1730000000
outputs:
artifact_path: outputs/binary.tar.gz
coverage_path: outputs/coverage.json
traces_path: outputs/traces/traces.json
test:
command: "./tests/run-tests.sh"
expected_coverage:
- outputs/coverage.json
expected_traces:
- outputs/traces/traces.json
ground_truth:
summary: "Calling process_buffer with len>256 drives memcpy with attacker length (reachable)."
evidence_files:
- "../../../benchmark/truth/c-memcpy-overflow.json"

38
bench/reachability-benchmark/cases/c/memcpy-overflow/src/main.c Normal file
View File

@@ -0,0 +1,38 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static int process(size_t len)
{
char src[512];
char dst[128];
memset(src, 'A', sizeof(src));
memset(dst, 0, sizeof(dst));
// Attacker-controlled length; no bounds check.
memcpy(dst, src, len);
// Return first byte to keep optimizer from removing the copy.
return dst[0];
}
int main(int argc, char **argv)
{
if (argc < 2)
{
fprintf(stderr, "usage: %s <len>\n", argv[0]);
return 1;
}
char *end = NULL;
long len = strtol(argv[1], &end, 10);
if (end == argv[1] || len < 0)
{
fprintf(stderr, "invalid length\n");
return 1;
}
int r = process((size_t)len);
printf("result=%d\n", r);
return 0;
}

25
bench/reachability-benchmark/cases/c/memcpy-overflow/tests/run-tests.sh Normal file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/env bash
set -euo pipefail
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
OUT="${ROOT}/outputs"
APP="${OUT}/app"
if [[ ! -x "${APP}" ]]; then
echo "binary missing; run build first" >&2
exit 1
fi
tmp="$(mktemp -d)"
trap 'rm -rf "${tmp}"' EXIT
# Trigger overflow-prone copy with large length; expect exit code 0
RUN_OUT="${tmp}/run.out"
"${APP}" "300" > "${RUN_OUT}"
if ! grep -q "result=" "${RUN_OUT}"; then
echo "expected output missing" >&2
exit 1
fi
echo "tests passed"