Symbolic Execution Fuzzing With KLEE

$ git clone https://github.com/klee/klee.git
$ cd klee
$ docker build -t klee/klee .
$ docker run --rm -ti --ulimit='stack=-1:-1' klee/klee

$ git clone https://github.com/kokke/tiny-bignum-c

From 174727a8d41cf1276849e5d4524f8cd4c4955afd Mon Sep 17 00:00:00 2001
From: raminfp <ramin.blackhat@gmail.com>
Date: Sun, 18 Jul 2021 03:04:40 +0000
Subject: [PATCH] Change code for fuzzing KLEE

---
 bn.c | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/bn.c b/bn.c
index 6526ea7..f71474d 100644
--- a/bn.c
+++ b/bn.c
@@ -663,3 +663,45 @@ static void _rshift_one_bit(struct bn* a)
 }


+void factorial(struct bn* n, struct bn* res)
+{
+  struct bn tmp;
+
+  /* Copy n -> tmp */
+  bignum_assign(&tmp, n);
+
+  /* Decrement n by one */
+  bignum_dec(n);
+  
+  /* Begin summing products: */
+  while (!bignum_is_zero(n))
+  {
+    /* res = tmp * n */
+    bignum_mul(&tmp, n, res);
+
+    /* n -= 1 */
+    bignum_dec(n);
+    
+    /* tmp = res */
+    bignum_assign(&tmp, res);
+  }
+
+  /* res = tmp */
+  bignum_assign(res, &tmp);
+}
+
+int main()
+{
+  struct bn num;
+  struct bn result;
+  char buf[8192];
+
+  klee_make_symbolic(buf, sizeof(buf), "buf");
+  klee_assume(buf[sizeof(buf) - 1] == 0);
+  bignum_from_int(&num, 100);
+  factorial(&num, &result);
+  bignum_to_string(&result, buf, sizeof(buf));
+
+  return 0;
+}
+
-- 
2.17.1

$ clang -emit-llvm -O0 -c -g bn.c
$ llvm-dis ./bn.bc
$ vim bn.ll
$ klee bn.bc

klee@500746a23210:~/tiny-bignum-c$ cat klee-out-0/test000001.ptr.err
Error: memory error: out of bound pointer
File: bn.c
Line: 157
assembly.ll line: 521
State: 2
Stack: 
        #000000521 in bignum_to_string (n=93858042189952, str=93858042462208, nbytes=8192) at bn.c:157
        #100002836 in main () at bn.c:703
Info: 
        address: 93858042470400
        next: object at 22510123060032 of size 1536
                MO40[1536] (no allocation info)