
Error of "std::out_of_range" when converting a float number into an int with the dTb[bb]. #28

Open
kd610 opened this issue Nov 14, 2024 · 0 comments

Comments

@kd610 (Collaborator)

kd610 commented Nov 14, 2024

Summary

An error occurs when attempting to convert a float number into an integer with a basic block (BB) within the dTb[] array, resulting in a std::out_of_range exception. This issue causes a crash when we use the cbi to analyze the target BB distances. The error is related to handling the range of the float value expected in (100 * dTb[bb]).

This issue happened when we ran the cbi on the yara project from the BugOSS benchmark dataset.

Steps to Reproduce

Run the commands below.

# On the sast-fuzz repository
# We must use the updated Dockerfile.dev because we need to install more packages to run yara.
wget --no-check-certificate 'https://drive.google.com/uc?export=download&id=1vUalfvMlyGY9h4raOW0qxwwb85tE6JAl' -O Dockerfile.dev

sudo docker build -f Dockerfile.dev -t sast-fuzz-pr .

# In my case, the sast-fuzz was stored in /home/my_usr_ID/sast-fuzz-create-pr/
sudo docker run -it --mount type=bind,source=/your_directory_where_sastfuzz_is_stored,target=/mnt sast-fuzz-pr /bin/bash

# Build SASTFuzz
cd /mnt/sast-fuzz
chmod +x build.sh
./build.sh

# Go back to the main mount directory
cd /mnt/
# Clone the yara project and check out with a specific version
git clone https://github.com/VirusTotal/yara.git yara && cd yara
git checkout 5cc28d24a251370218448100de4e9817e0d9233e

# Save all build files and a test harness (pe_fuzzer.cc) from the Google Drive.
wget --no-check-certificate 'https://drive.google.com/uc?export=download&id=1Nq692B9yaSCLsqrUJCOYudXRe7myIzlh' -O build.sh
wget --no-check-certificate 'https://drive.google.com/uc?export=download&id=1BNF-VLepWAfY89ZG24J39GgRZpW52iOU' -O build_bc.sh
wget https://raw.githubusercontent.com/ARISE-Handong/BugOss/main/artifacts/yara-38952/pe_fuzzer.cc -O pe_fuzzer.cc
 
# We're in /mnt/yara atm and run the build file.
chmod +x build_bc.sh
./build.sh - bc

### SAST ###
# Produce yara.json using the sfi tool.
cd /mnt/sast-fuzz/build/sast-fuzz/static_analysis/inspection/src
./sfi /mnt/yara/yara_fuzzer.bc /mnt/yara.json

# First, create an environment using poetry
cd /mnt/sast-fuzz/sast-fuzz/static_analysis/sast
/root/.local/bin/poetry install

# Run SAST with FlowFinder
/root/.local/bin/poetry run sfa --subject /mnt/yara --inspection /mnt/yara.json --tool flawfinder --grouping basic-block-v2 --parallel --output /mnt/yara.csv

### Fuzzing ###
# Instrumentation 1
cd /mnt/yara
/mnt/sast-fuzz/build/sast-fuzz/code_instrumentation/target_sites/src/cbi --targets=/mnt/yara.csv /mnt/yara/yara_fuzzer.bc

Afterward, the system crashed with the message below.

terminate called after throwing an instance of 'std::out_of_range'
  what():  map::at

Root Cause

The code below converts a float value of (100 * dTb[bb]) to an integer. If a BB is targeted by at least one of the SAST tools in the preceding stage, the distance must be 0; otherwise, distance should be > 0.

auto distance = (uint32_t)(100 * dTb[bb]);

Below is one of the possible cases that cause this issue.

  1. dTb[bb] = 0.0070922
    • (100 * dTb[bb]) = 0.70922
    • Cast the result to uint32_t, which truncates the decimal portion, leaving only the integer part.
    • Hence, the distance will be 0.

This means the bb is recognized as a target bb even though it's not flagged by the SAST tool. Afterwards, it is used to access the entry in targetBBIndices, which eventually causes a std::out_of_range exception.

if (distance == 0) {
  // Target BBs ...
  // map::at throws std::out_of_range when bb was never inserted into targetBBIndices
  uint32_t targetBBId = targetBBIndices.at(bb);
  // ...
}
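The truncation path and the resulting map::at failure, reproduced in a stand-alone C++ example. This is added illustration, not code from sast-fuzz or cbi; it assumes basic blocks can be keyed by a string name, uses the dTb value quoted in this issue as constructed input, and shows two defensive alternatives that are assumptions rather than the project's actual fix: taking the ceiling of 100 * dTb[bb] so a positive distance never collapses to 0, and deciding target membership with find() instead of at().

```cpp
#include <cmath>
#include <cstdint>
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

// Constructed stand-ins for the data the issue describes. Blocks are named
// (assumption); dTb is each block's distance to the nearest target, and
// targetBBIndices contains only the blocks flagged by SAST.
static const std::map<std::string, double> dTb = {
    {"bb_target", 0.0},       // flagged by SAST: distance exactly 0
    {"bb_near", 0.0070922},   // the value quoted in the issue
    {"bb_far", 3.5},
};

static const std::map<std::string, uint32_t> targetBBIndices = {
    {"bb_target", 0},
};

// The cast the issue points at: any distance below 0.01 truncates to 0.
uint32_t distanceTruncated(double d) {
    return (uint32_t)(100 * d);
}

// Alternative (assumption, not the project's fix): keep 0 reserved for real
// targets by taking the ceiling, so 0.70922 becomes 1 rather than 0.
uint32_t distanceCeil(double d) {
    if (d <= 0.0) return 0;
    return (uint32_t)std::ceil(100 * d);
}

// Reproduces the crash path: true if map::at threw std::out_of_range after
// the distance computed by distanceFn marked the block as a target.
bool lookupThrows(const std::string& bb, uint32_t (*distanceFn)(double)) {
    uint32_t distance = distanceFn(dTb.at(bb));
    if (distance != 0) return false;   // not treated as a target, no lookup
    try {
        (void)targetBBIndices.at(bb);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

// Defensive lookup: membership in targetBBIndices decides, not the distance.
// Returns -1 for a block that SAST did not flag.
int64_t targetIdOrMinusOne(const std::string& bb) {
    auto it = targetBBIndices.find(bb);
    return it == targetBBIndices.end() ? -1 : (int64_t)it->second;
}

int main() {
    for (const auto& kv : dTb) {
        const std::string& bb = kv.first;
        double d = kv.second;
        std::cout << bb
                  << ": truncated=" << distanceTruncated(d)
                  << " ceil=" << distanceCeil(d)
                  << " throws_with_truncation=" << lookupThrows(bb, distanceTruncated)
                  << " target_id=" << targetIdOrMinusOne(bb) << '\n';
    }
    return 0;
}
```

With the constructed input, bb_near truncates to distance 0 and the at() lookup throws, exactly the failure in the report, while the ceiling variant yields 1 and the find() variant never consults the distance at all.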

Environment

  • OS: Ubuntu 22.04.5 LTS
  • Version: Latest in main branch
  • Docker version: 27.3.1

Additional Context

@kd610 is working on fixing this issue on the branch of kd_fix_distance_out_of_range.
