Name	Name	Last commit message	Last commit date
parent directory ..
.gitignore	.gitignore
2016-1973.cpp	2016-1973.cpp
README.md	README.md
build.sh	build.sh
cleanDIR.sh	cleanDIR.sh

Test

Please try to perform following command:

# setup the environment variables in the root directory of the tool
$ source tool/init_env.sh

# compile the program and get bit code
$ cd $ROOT_DIR/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973
$ ./cleanDIR.sh
$ clang++ -g -emit-llvm -c ./2016-1973.cpp -o 2016-1973.bc

# perform static analysis
$ $ROOT_DIR/tool/staticAnalysis/staticAnalysis.sh 2016-1973

# complie the instrumented program with ASAN
$ export Con_PATH=$ROOT_DIR/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/ConConfig.2016-1973
$ $ROOT_DIR/tool/staticAnalysis/DBDS-INSTRU/dbds-clang-fast++ -g -fsanitize=address ./2016-1973.cpp -o 2016-1973 -lpthread -ldl

# perform DBDS
$ $ROOT_DIR/tool/DBDS/run_PDS.py -d 3 ./2016-1973

Then you will get the results.

Start Testing!
test 0001
test 0002
...

The ASAN output:

=================================================================
==21047==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000002038 at pc 0x0000004c6e67 bp 0x7f3b14ffee30 sp 0x7f3b14ffee28
READ of size 8 at 0x604000002038 thread T1
    #0 0x4c6e66 in std::_Rb_tree<unsigned int, std::pair<unsigned int const, unsigned int>, std::_Select1st<std::pair<unsigned int const, unsigned int> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, unsigned int> > >::size() const /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_tree.h:906:24
    #1 0x4c5cc4 in std::map<unsigned int, unsigned int, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, unsigned int> > >::size() const /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_map.h:453:21
    #2 0x4c58c4 in accessMap(webrtc::SSRCDatabase*) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:152:26
    #3 0x4c5984 in thread_two(void*) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:175:2
    #4 0x7f3b1910c6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #5 0x7f3b188204dc in clone /build/glibc-e6zv40/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x604000002038 is located 40 bytes inside of 48-byte region [0x604000002010,0x604000002040)
freed by thread T2 here:
    #0 0x4c32cd in operator delete(void*) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:160:3
    #1 0x4c57f6 in webrtc::SSRCDatabase* webrtc::GetStaticInstance<webrtc::SSRCDatabase>(webrtc::CountOperation, int) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:113:9
    #2 0x4c53c8 in webrtc::SSRCDatabase::StaticInstance(webrtc::CountOperation, int) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:136:24
    #3 0x4c5886 in webrtc::SSRCDatabase::ReturnSSRCDatabase(int) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:145:5
    #4 0x4c5924 in thread_one(void*) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:162:2
    #5 0x7f3b1910c6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T2 here:
    #0 0x4c2a6d in operator new(unsigned long) /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:99:3
    #1 0x4c6151 in webrtc::SSRCDatabase::CreateInstance() /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:129:49
    #2 0x4c5644 in webrtc::SSRCDatabase* webrtc::GetStaticInstance<webrtc::SSRCDatabase>(webrtc::CountOperation, int) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:87:24
    #3 0x4c53c8 in webrtc::SSRCDatabase::StaticInstance(webrtc::CountOperation, int) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:136:24
    #4 0x4c5867 in webrtc::SSRCDatabase::GetSSRCDatabase(int) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:141:12
    #5 0x4c58e5 in thread_one(void*) /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:156:33
    #6 0x7f3b1910c6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T1 created by T0 here:
    #0 0x47da9a in pthread_create /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x4c5ac8 in main /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:191:2
    #2 0x7f3b1873983f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

Thread T2 created by T0 here:
    #0 0x47da9a in pthread_create /local/mnt/workspace/bcain_clang_bcain-ubuntu_23113/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x4c5ae7 in main /ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:192:2
    #2 0x7f3b1873983f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /usr/lib/gcc/x86_64-linux-gnu/5.4.0/../../../../include/c++/5.4.0/bits/stl_tree.h:906:24 in std::_Rb_tree<unsigned int, std::pair<unsigned int const, unsigned int>, std::_Select1st<std::pair<unsigned int const, unsigned int> >, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, unsigned int> > >::size() const
Shadow bytes around the buggy address:
  0x0c087fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff8400: fa fa fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa
  0x0c087fff8410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==21047==ABORTING

Use addr2line -e ./2016-1973 0x4c9053 to see the debug info

/ConcurrencyFuzzer/evaluation/ConVul-CVE-Benchmarks/CVE-2016-1973/./2016-1973-sleep.cpp:152:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2016-1973

CVE-2016-1973

README.md

Test

Files

CVE-2016-1973

Directory actions

More options

Directory actions

More options

Latest commit

History

CVE-2016-1973

Folders and files

parent directory

README.md

Test