Add CBMC proof for s2n_stuffer_printf #4309
Conversation
tests/cbmc/proofs/s2n_stuffer_wipe_n/s2n_stuffer_wipe_n_harness.c
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
These updates are great! I'm quite happy to see such improvements over the CBMC harnesses. I only have a few remarks. First, I got this list of warning from the CBMC HTML report:
Warnings
Functions omitted from test (unexpected):
madvise
s2n_blob_slice
s2n_stuffer_wipe
vsnprintf
Are these expected?
tests/cbmc/proofs/s2n_stuffer_printf/s2n_stuffer_printf_harness.c
Outdated
Show resolved
Hide resolved
|
The function PROOF_SOURCES += $(PROOF_STUB)/madvise.c |
lrstewart
force-pushed
the
fips_comp_1b
branch
from
7557c69
to
ef86db3
Compare
You called out how to fix madvise in your other comment, and I fixed that. I thought I was handling s2n_blob_slice and s2n_stuffer_wipe by using REMOVE_BODY, but I guess not so I removed that. They're never hit because the stuffer never shrinks. vsnprintf is the only one on the list now, and I think that's expected. We could stub it, but idk what we'd do other than the current default "assume it could return anything" behavior. |
Resolved issues:
Resolves #4298 (comment)
Description of changes:
Add a proof for the new s2n_stuffer_printf method.
I also changed the existing s2n_stuffer_wipe_n behavior and rewrote the associated proof. My s2n_stuffer_printf tracked the tainted flag closely and found some unexpected behavior in how s2n_stuffer_wipe_n handled the tainted flag. Previously, if s2n_stuffer_wipe_n resulted in wiping the last few bytes of a stuffer, the stuffer was also wiped-- specifically, the
high_water_markandtaintedfields. This makes s2n_stuffer_wipe_n hard to reason about, and seems like a potential way to accidentally "untaint" a stuffer. wipe_n is about wiping individual bytes, not wiping the whole stuffer. I don't know why you'd have an outstanding raw pointer to a stuffer with write_cursor==0, but the memory still exists so you could, and it doesn't seem any different from having an outstanding raw pointer to wiped memory with write_cursor>0.Testing:
Proofs pass.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.