Skip to content

WIP: OSCMD2:Add oscmdpatches report for Command Injection analysis#280

Merged
sipma merged 10 commits into
static-analysis-engineering:masterfrom
dvorak42:dvorak42/add_oscmdpatches
Jun 19, 2026
Merged

WIP: OSCMD2:Add oscmdpatches report for Command Injection analysis#280
sipma merged 10 commits into
static-analysis-engineering:masterfrom
dvorak42:dvorak42/add_oscmdpatches

Conversation

@dvorak42

Copy link
Copy Markdown
Contributor

No description provided.

@dvorak42

Copy link
Copy Markdown
Contributor Author

@waskyo Could you do a first pass over this, before I ask @sipma to review/merge it.

@dvorak42 dvorak42 changed the title WIP: Add oscmdpatches report for Command Injection analysis WIP: OSCMD2:Add oscmdpatches report for Command Injection analysis Jun 15, 2026

@waskyo waskyo left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some questions and minor comments!

Comment thread chb/cmdline/reportcmds.py
Comment thread chb/cmdline/reportcmds.py Outdated
Comment thread chb/cmdline/reportcmds.py Outdated
Comment thread chb/cmdline/reportcmds.py
Comment thread chb/cmdline/reportcmds.py Outdated
Comment thread chb/cmdline/reportcmds.py Outdated
buffersize, sizeorigin = calculate_buffer_size(stackframe, argoffset, instr)
fn_args.append({"type": "pointer", "max-length": buffersize, "size-origin": sizeorigin})
else:
fn_args.append({"type": "unknown"})

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think we should log a warning here? (which would normally cause the rest of the pipeline to fail)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We do want to be able to continue in this case, if we're able to derive the type from the format string (in hawkeye), we can replace this type with "string" or "int". Some of the doSystemCmd cases have some non-stack address passed in.

Added a comment.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Ricardo that we probably want a warning here, because it is extremely rare for a format argument to actually be a pointer.

I have just merged in code that exposes the format string specifiers produced by the ocaml analyzer. The code is in chb/api/FormatStringSpec.py, A particular format string spec is accessed from the Function object with the address of the instruction that has the format string as argument: function.formatstrings[iaddr].

Could you please integrate this code (and expand FormatStringSpec.py as necessary to return the types instead of just the specifiers)?

If this would take care of most of the cases not handled right now, I think it's worth to add the warning.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there additional parameters to pass into codehawk? It looks like the only format string this recognizes in insulin_inject is the "exection failed" one, and missing the one with actual strings (and its not finding any of the strings passed into doSystemCmd in the other case).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It shouldn't need any additional parameters, but it does require that the analysis knows about the format string, either from a function summary, or from an annotated signature in a header file, or from an inferred function summary. It doesn't discover format strings, it just records them.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't it infer the format string for both snprintf calls in insulin_inject (function 0x119a0, it finds the one at 0x11ba8 but not the one at 0x11aa0)?

Looking at the function analysism, I think it knows about the "/sbin/ifconfig %s 2>&1" format string at 0x11aa0 (there's a po for 0x11aa0: output-format-string("/sbin/ifconfig %s 2>&1") (safe, constant string: /sbin/ifconfig %s 2>&1), but it doesn't seem to generate the format string specifier?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the problem with the recorded format strings was that they were not persistent: only the ones recorded in the last analysis round were kept. I have checked in a new version (codehawk/CodeHawk-Binary) to make them persistent. Could you please try again? Thank you.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, that seems to fix it, and the doSystemCmd ones also show up now. Thanks, I'll update the CL to use those now.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The latest patch set should incorporate this change and should be ready for another review.

@waskyo waskyo left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me, but I don't know enough about CHB to faithfully say "ship it". Maybe Henny can review too?

Thank you!

Comment thread chb/cmdline/reportcmds.py Outdated
Comment thread chb/cmdline/reportcmds.py Outdated
@dvorak42 dvorak42 force-pushed the dvorak42/add_oscmdpatches branch from bb43d7d to 1b5302a Compare June 16, 2026 20:50
@dvorak42

Copy link
Copy Markdown
Contributor Author

@sipma Could you review this change to add oscmdpatches to Codehawk-Binary.

Comment thread chb/cmdline/reportcmds.py Outdated
buffersize, sizeorigin = calculate_buffer_size(stackframe, argoffset, instr)
fn_args.append({"type": "pointer", "max-length": buffersize, "size-origin": sizeorigin})
else:
fn_args.append({"type": "unknown"})

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Ricardo that we probably want a warning here, because it is extremely rare for a format argument to actually be a pointer.

I have just merged in code that exposes the format string specifiers produced by the ocaml analyzer. The code is in chb/api/FormatStringSpec.py, A particular format string spec is accessed from the Function object with the address of the instruction that has the format string as argument: function.formatstrings[iaddr].

Could you please integrate this code (and expand FormatStringSpec.py as necessary to return the types instead of just the specifiers)?

If this would take care of most of the cases not handled right now, I think it's worth to add the warning.

@dvorak42 dvorak42 force-pushed the dvorak42/add_oscmdpatches branch from 1b5302a to 6032402 Compare June 19, 2026 20:49

@sipma sipma left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Thank you for doing the update.

@sipma sipma merged commit 508df09 into static-analysis-engineering:master Jun 19, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants