update the demo case from suraj
MarkLee131 committed Sep 7, 2024
1 parent ff4f25e commit 6b77034
Showing 3 changed files with 5,331 additions and 8 deletions.
79 changes: 71 additions & 8 deletions autopatch_results/vuln_fix_pairs.csv
@@ -1,9 +1,72 @@
vuln_code,fix_code
"CWE-416 static void mark_context_stack ( mrb_state * mrb, struct mrb_context * c ) { size_t i ; <S2SV_StartBug> size_t e ; <S2SV_EndBug> if ( c -> stack == NULL ) return ; e = c -> stack - c -> stbase ; if ( c -> ci ) e += c -> ci -> nregs ; if ( c -> stbase + e > c -> stend ) e = c -> stend - c -> stbase ; for ( i = 0 ; i < e ; i ++ ) { mrb_value v = c -> stbase [ i ] ; if (! mrb_immediate_p ( v ) ) { <S2SV_StartBug> if ( mrb_basic_ptr ( v ) -> tt == MRB_TT_FREE ) { <S2SV_EndBug> c -> stbase [ i ] = mrb_nil_value ( ) ; } else { mrb_gc_mark ( mrb, mrb_basic_ptr ( v ) ) ; } } <S2SV_StartBug> } <S2SV_EndBug> }
",<S2SV_ModStart> ; size_t e ; mrb_value nil <S2SV_ModStart> ) ) { <S2SV_ModEnd> mrb_gc_mark ( mrb <S2SV_ModStart> } } } e = c -> stend - c -> stbase ; nil = mrb_nil_value ( ) ; for ( ; i < e ; i ++ ) { c -> stbase [ i ] = nil ;
CWE-416 static void snd_usb_mixer_free ( struct usb_mixer_interface * mixer ) <S2SV_StartBug> { <S2SV_EndBug> kfree ( mixer -> id_elems ) ; if ( mixer -> urb ) { kfree ( mixer -> urb -> transfer_buffer ) ; usb_free_urb ( mixer -> urb ) ; } usb_free_urb ( mixer -> rc_urb ) ; kfree ( mixer -> rc_setup_packet ) ; kfree ( mixer ) ; },<S2SV_ModStart> mixer ) { snd_usb_mixer_disconnect ( mixer ) ;
"CWE-190 mrb_value *regs_a = regs + a;\nstruct REnv *e = uvenv(mrb, c);\n <S2SV_StartBug> \nif (!e) {\n\n *regs_a = mrb_nil_value();\n }\nelse {\n *regs_a = e->stack[b]; <S2SV_EndBug> \n \n NEXT;\n }","<S2SV_ModStart> c);\n\nif (! e && b >= e -> stack_size ) { mrb_err ( mrb, ""invalid stack pointer at %s"", a ) ; return mrb_nil_value ( ) ; } <S2SV_ModEnd> if (! <S2SV_ModStart> *regs_a = e -> regs <S2SV_ModStart> b ] ; mrb_stack_push ( e -> stack, b ) ; <S2SV_ModEnd> } \nelse {\n <S2SV_ModStart> *regs_a = e -> <S2SV_ModEnd> stack [ b"
"CWE-119 bool initiate_stratum ( struct pool * pool ) { bool ret = false, recvd = false, noresume = false, sockd = false ; char s [ RBUFSIZE ], * sret = NULL, * nonce1, * sessionid ; json_t * val = NULL, * res_val, * err_val ; json_error_t err ; int n2size ; resend : if (! setup_stratum_socket ( pool ) ) { sockd = false ; goto out ; } sockd = true ; if ( recvd ) { clear_sock ( pool ) ; sprintf ( s, ""{\\""id\\"": <S2SV_blank> %d, <S2SV_blank> \\""method\\"": <S2SV_blank> \\""mining.subscribe\\"", <S2SV_blank> \\""params\\"": <S2SV_blank> []}"", swork_id ++ ) ; } else { if ( pool -> sessionid ) sprintf ( s, ""{\\""id\\"": <S2SV_blank> %d, <S2SV_blank> \\""method\\"": <S2SV_blank> \\""mining.subscribe\\"", <S2SV_blank> \\""params\\"": <S2SV_blank> [\\"""" PACKAGE ""/"" VERSION ""\\"", <S2SV_blank> \\""%s\\""]}"", swork_id ++, pool -> sessionid ) ; else sprintf ( s, ""{\\""id\\"": <S2SV_blank> %d, <S2SV_blank> \\""method\\"": <S2SV_blank> \\""mining.subscribe\\"", <S2SV_blank> \\""params\\"": <S2SV_blank> [\\"""" PACKAGE ""/"" VERSION ""\\""]}"", swork_id ++ ) ; } if ( __stratum_send ( pool, s, strlen ( s ) )!= SEND_OK ) { applog ( LOG_DEBUG, ""Failed <S2SV_blank> to <S2SV_blank> send <S2SV_blank> s <S2SV_blank> in <S2SV_blank> initiate_stratum"" ) ; goto out ; } if (! socket_full ( pool, DEFAULT_SOCKWAIT ) ) { applog ( LOG_DEBUG, ""Timed <S2SV_blank> out <S2SV_blank> waiting <S2SV_blank> for <S2SV_blank> response <S2SV_blank> in <S2SV_blank> initiate_stratum"" ) ; goto out ; } sret = recv_line ( pool ) ; if (! sret ) goto out ; recvd = true ; val = JSON_LOADS ( sret, & err ) ; free ( sret ) ; if (! val ) { applog ( LOG_INFO, ""JSON <S2SV_blank> decode <S2SV_blank> failed(%d): <S2SV_blank> %s"", err. line, err. text ) ; goto out ; } res_val = json_object_get ( val, ""result"" ) ; err_val = json_object_",<S2SV_ModStart> ; if ( n2size < 1 ) <S2SV_ModEnd> { applog (
"CWE-119 static struct se_portal_group * vhost_scsi_make_tpg ( struct se_wwn * wwn, struct config_group * group, const char * name ) { struct vhost_scsi_tport * tport = container_of ( wwn, struct vhost_scsi_tport, tport_wwn ) ; struct vhost_scsi_tpg * tpg ; <S2SV_StartBug> unsigned long tpgt ; <S2SV_EndBug> int ret ; if ( strstr ( name, ""tpgt_"" )!= name ) return ERR_PTR ( - EINVAL ) ; <S2SV_StartBug> if ( kstrtoul ( name + 5, 10, & tpgt ) || tpgt > UINT_MAX ) <S2SV_EndBug> return ERR_PTR ( - EINVAL ) ; tpg = kzalloc ( sizeof ( struct vhost_scsi_tpg ), GFP_KERNEL ) ; if (! tpg ) { pr_err ( ""Unable <S2SV_blank> to <S2SV_blank> allocate <S2SV_blank> struct <S2SV_blank> vhost_scsi_tpg"" ) ; return ERR_PTR ( - ENOMEM ) ; } mutex_init ( & tpg -> tv_tpg_mutex ) ; INIT_LIST_HEAD ( & tpg -> tv_tpg_list ) ; tpg -> tport = tport ; tpg -> tport_tpgt = tpgt ; ret = core_tpg_register ( & vhost_scsi_fabric_configfs -> tf_ops, wwn, & tpg -> se_tpg, tpg, TRANSPORT_TPG_TYPE_NORMAL ) ; if ( ret < 0 ) { kfree ( tpg ) ; return NULL ; } mutex_lock ( & vhost_scsi_mutex ) ; list_add_tail ( & tpg -> tv_tpg_list, & vhost_scsi_list ) ; mutex_unlock ( & vhost_scsi_mutex ) ; return & tpg -> se_tpg ; }
",<S2SV_ModStart> * tpg ; u16 <S2SV_ModEnd> tpgt ; int <S2SV_ModStart> ; if ( kstrtou16 <S2SV_ModEnd> ( name + <S2SV_ModStart> || tpgt > VHOST_SCSI_MAX_TARGET <S2SV_ModEnd> ) return ERR_PTR
"CWE-119 static guint32 parse_wbxml_attribute_list_defined ( proto_tree * tree, tvbuff_t * tvb, guint32 offset, guint32 str_tbl, guint8 level, guint8 * codepage_attr, const wbxml_decoding * map ) { guint32 tvb_len = tvb_reported_length ( tvb ) ; <S2SV_StartBug> guint32 off = offset ; <S2SV_EndBug> guint32 len ; guint str_len ; guint32 ent ; guint32 idx ; guint8 peek ; guint8 attr_save_known = 0 ; const char * attr_save_literal = NULL ; DebugLog ( ( ""parse_wbxml_attr_defined <S2SV_blank> (level <S2SV_blank> = <S2SV_blank> %u, <S2SV_blank> offset <S2SV_blank> = <S2SV_blank> %u)\\n"", <S2SV_StartBug> level, offset ) ) ; <S2SV_EndBug> while ( off < tvb_len ) { peek = tvb_get_guint8 ( tvb, off ) ; DebugLog ( ( ""ATTR: <S2SV_blank> (top <S2SV_blank> of <S2SV_blank> while) <S2SV_blank> level <S2SV_blank> = <S2SV_blank> %3u, <S2SV_blank> peek <S2SV_blank> = <S2SV_blank> 0x%02X, <S2SV_blank> "" ""off <S2SV_blank> = <S2SV_blank> %u, <S2SV_blank> tvb_len <S2SV_blank> = <S2SV_blank> %u\\n"", level, peek, off, tvb_len ) ) ; if ( ( peek & 0x3F ) < 5 ) switch ( peek ) { case 0x00 : * codepage_attr = tvb_get_guint8 ( tvb, off + 1 ) ; proto_tree_add_text ( tree, tvb, off, 2, "" <S2SV_blank> <S2SV_blank> <S2SV_blank> <S2SV_blank> <S2SV_blank> <S2SV_blank> | <S2SV_blank> <S2SV_blank> Attr <S2SV_blank> | <S2SV_blank> A <S2SV_blank> -->%3d <S2SV_blank> "" ""| <S2SV_blank> SWITCH_PAGE <S2SV_blank> (Attr <S2SV_blank> code <S2SV_blank> page) <S2SV_blank> <S2SV_blank> <S2SV_blank> <S2SV_blank> |"", * codepage_attr ) ; off += 2 ; break ; case 0x01 : off ++ ; DebugLog ( ( ""ATTR: <S2SV_blank> level <S2SV_blank> = <S2SV_blank> %u, <S2SV_blank> Return: <S2SV_blank> len <S2SV_blank> = <S2SV_blank> %u\\n"", level, off - offset ) ) ; return ( off - offset ) ; case 0x02 : ent = tvb_get_guintvar ( tvb, off + 1, & len ) ; proto_tree_add_text ( tree, tvb, off, 1 + len, "" <S2SV_blank>","<S2SV_ModStart> off = offset, last_off <S2SV_ModStart> offset ) ) ; last_off = off <S2SV_ModStart> ; } } if ( off 
< last_off ) { THROW ( ReportedBoundsError ) ; } last_off = off ;"
"void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
printf(""I am inside the original temperature changer \n"");
printf(""bytesread inside orig temp change %ld \n"", temp_mod_ptr->bytesRead);
memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)4 * (temp_mod_ptr->bytesRead)); // This line causes the buffer overflow when malicious code is sent. this is unpatched
temp_mod_ptr->temperature_control = static_cast<int>(temp_mod_ptr->temperatureChangeIndicator); // static_cast<int>(buffer[1]);
//printf(""temp indicator inside orig temp change %d \n"", temperatureChangeIndicator);
//printf(""temp control inside orig temp change %d \n"", *temperature_control);
}","void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
printf(""I am inside the original temperature changer \n"");
printf(""bytesread inside orig temp change %ld \n"", temp_mod_ptr->bytesRead);
<S2SV_ModStart> if (temp_mod_ptr->bytesRead <= 2) <S2SV_ModEnd>
<S2SV_ModStart> { <S2SV_ModEnd>
<S2SV_ModStart> <S2SV_ModEnd> memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)temp_mod_ptr->bytesRead); // This line causes the buffer overflow when malicious code is sent. this is unpatched
<S2SV_ModStart> <S2SV_ModEnd> temp_mod_ptr->temperature_control = (int)(temp_mod_ptr->temperatureChangeIndicator); // static_cast<int>(buffer[1]);
<S2SV_ModStart> } <S2SV_ModEnd>
//printf(""temp indicator inside orig temp change %d \n"", temperatureChangeIndicator);
//printf(""temp control inside orig temp change %d \n"", *temperature_control);
}"
"void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
printf(""I am inside the original temperature changer \n"");
printf(""bytesread inside orig temp change %ld \n"", temp_mod_ptr->bytesRead);
memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)4 * (temp_mod_ptr->bytesRead));
temp_mod_ptr->temperature_control = static_cast<int>(temp_mod_ptr->temperatureChangeIndicator);
}","void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
printf(""I am inside the original temperature changer \n"");
printf(""bytesread inside orig temp change %ld \n"", temp_mod_ptr->bytesRead);
<S2SV_ModStart> if (temp_mod_ptr->bytesRead <= 2) <S2SV_ModEnd>
<S2SV_ModStart> { <S2SV_ModEnd>
<S2SV_ModStart> <S2SV_ModEnd> memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)temp_mod_ptr->bytesRead);
<S2SV_ModStart> <S2SV_ModEnd> temp_mod_ptr->temperature_control = (int)(temp_mod_ptr->temperatureChangeIndicator);
<S2SV_ModStart> <S2SV_ModEnd> temp_mod_ptr->temperature_control = (int)(temp_mod_ptr->temperatureChangeIndicator);
<S2SV_ModStart> } <S2SV_ModEnd>

}"
"void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)4 * (temp_mod_ptr->bytesRead));
temp_mod_ptr->temperature_control = static_cast<int>(temp_mod_ptr->temperatureChangeIndicator);
}","void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
<S2SV_ModStart> if (temp_mod_ptr->bytesRead <= 2) <S2SV_ModEnd>
<S2SV_ModStart> { <S2SV_ModEnd>
<S2SV_ModStart> <S2SV_ModEnd> memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)temp_mod_ptr->bytesRead);
<S2SV_ModStart> <S2SV_ModEnd> temp_mod_ptr->temperature_control = (int)(temp_mod_ptr->temperatureChangeIndicator);
<S2SV_ModStart> } <S2SV_ModEnd>

}"
"CWE-119void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
printf(""I am inside the original temperature changer \n"");
printf(""bytesread inside orig temp change %ld \n"", temp_mod_ptr->bytesRead);
memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)4 * (temp_mod_ptr->bytesRead)); // This line causes the buffer overflow when malicious code is sent. this is unpatched
temp_mod_ptr->temperature_control = static_cast<int>(temp_mod_ptr->temperatureChangeIndicator); // static_cast<int>(buffer[1]);
//printf(""temp indicator inside orig temp change %d \n"", temperatureChangeIndicator);
//printf(""temp control inside orig temp change %d \n"", *temperature_control);
}","void ClientSideClass::temperature_changer(s_temperature_modifier *temp_mod_ptr)
{
printf(""I am inside the original temperature changer \n"");
printf(""bytesread inside orig temp change %ld \n"", temp_mod_ptr->bytesRead);
<S2SV_ModStart> if (temp_mod_ptr->bytesRead <= 2) <S2SV_ModEnd>
<S2SV_ModStart> { <S2SV_ModEnd>
<S2SV_ModStart> <S2SV_ModEnd> memcpy(&temp_mod_ptr->temperatureChangeIndicator, &temp_mod_ptr->buffer[1], (ssize_t)temp_mod_ptr->bytesRead); // This line causes the buffer overflow when malicious code is sent. this is unpatched
<S2SV_ModStart> <S2SV_ModEnd> temp_mod_ptr->temperature_control = (int)(temp_mod_ptr->temperatureChangeIndicator); // static_cast<int>(buffer[1]);
<S2SV_ModStart> } <S2SV_ModEnd>
//printf(""temp indicator inside orig temp change %d \n"", temperatureChangeIndicator);
//printf(""temp control inside orig temp change %d \n"", *temperature_control);
}"
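Review bot: The guard in the new fix_code cells, `if (temp_mod_ptr->bytesRead <= 2)`, has no lower bound, and `bytesRead` looks signed (it is printed with `%ld` and cast to `ssize_t`), so a negative value passes the check and turns into a very large length once memcpy converts it to size_t. A tighter reference fix would be `if (temp_mod_ptr->bytesRead > 0 && (size_t)temp_mod_ptr->bytesRead <= sizeof temp_mod_ptr->temperatureChangeIndicator)`, assuming the destination field's size is the intended limit; its declaration is not visible on this page. The same guard is used in all four temperature_changer pairs. Two of the fix cells also keep the comment `// This line causes the buffer overflow when malicious code is sent. this is unpatched`, which mislabels the patched side, and one fix cell repeats the `temperature_control` assignment twice. The last vuln_code cell begins `CWE-119void` with no separator after the label, unlike the `CWE-416 static` form of the other labelled rows, and the three pairs before it carry no CWE label at all, which a consumer splitting on the first space would likely misparse.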