Creating test case using base program. Added an environment variable read to the function definition. Completed injection. UNSPECIFIED UNSPECIFIED $SS_TC_ROOT/$SS_TC_INSTALL/bin/grep ./configure --prefix="$SS_TC_ROOT/$SS_TC_INSTALL" --exec-prefix="$SS_TC_ROOT/$SS_TC_INSTALL" --with-included-regex make V=1 CC="$SS_CC" CCLD="$SS_LNK" make V=1 install CC="$SS_CC" CCLD="$SS_LNK" all words beginning with e or x, case sensitive Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE AAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 ^[ex] input/dict.txt STDOUT-01 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-01/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT find BIRMINGHAM, ignore case, recursive Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE Hellow world! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -r -i BIRMINGHAM input/zip/ STDOUT-02 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-02/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT read extented regular expressions from file Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE Good-bye cruel world! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -E -f input/grep-good-03-expr.txt input/mktsymbols.txt STDOUT-03 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-03/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT search for entire words matching a specific pattern Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE AAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -w -f input/grep-good-04-expr.txt input/mktsymbols.txt STDOUT-04 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-04/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT use mmap(), find NASDAQ in file Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE Hellow world! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 --mmap NASDAQ input/mktsymbols.txt STDOUT-05 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-05/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT match lines not containing NASDAQ, ignore case, count Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE Good-bye cruel world! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -v -i -c NASDAQ input/mktsymbols.txt STDOUT-06 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-06/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT grep stdin (a device), match words beginning w/ D, P, or Z, redirect file into stdin Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE AAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -D read -e ^[DPZ] /dev/stdin < input/mktsymbols.txt STDOUT-07 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-07/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT extended grep, print number of lines of context Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE Hellow world! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -E -C 15 ^[BRT] input/mktsymbols.txt STDOUT-08 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-08/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT lines not beginning w/ B, R or T Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE Good-bye cruel world! $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -v ^[BRT] input/mktsymbols.txt STDOUT-09 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-09/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT count lines not beginning w/ B, R or T Has a fixed stack buffer of size 64, allocated within a struct (char [64]) NONE AAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -c -v ^[BRT] input/mktsymbols.txt STDOUT-10 AND NOT TIMEOUT AND NOT CONTROLLED_EXIT good-10/std-out.txt DOES_NOT_RETURN CONTROLLED_EXIT Has a fixed stack buffer of size 64, allocated within a struct (char [64]) DOS_UNCONTROLLED_EXIT AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -E -f input/grep-good-03-expr.txt input/mktsymbols.txt weakness_started_z9bUJA1kDUCfD4laniRO AND ((NOT PERFORMER AND (segfault_code_n50k3wcVOw OR segfault_code_BCha7ePt38 OR segfault_code_u1zI1oAfsB OR segfault_code_61Z0S5GlUZ OR segfault_code_zG85FIDqqq OR segfault_msg_ktfT43RsTC OR illegal_inst_msg_ozMe12v82j) AND NOT timeout_b2BYXJ5Lvm) or (PERFORMER AND NOT ((segfault_code_n50k3wcVOw OR segfault_code_BCha7ePt38 OR segfault_code_u1zI1oAfsB OR segfault_code_61Z0S5GlUZ OR segfault_code_zG85FIDqqq OR segfault_msg_ktfT43RsTC OR illegal_inst_msg_ozMe12v82j) OR timeout_b2BYXJ5Lvm))) (NOT PERFORMER AND (segfault_code_n50k3wcVOw OR segfault_code_BCha7ePt38 OR segfault_code_u1zI1oAfsB OR segfault_code_61Z0S5GlUZ OR segfault_code_zG85FIDqqq OR segfault_msg_ktfT43RsTC OR illegal_inst_msg_ozMe12v82j) AND NOT timeout_b2BYXJ5Lvm) or (PERFORMER AND NOT ((segfault_code_n50k3wcVOw OR segfault_code_BCha7ePt38 OR segfault_code_u1zI1oAfsB OR segfault_code_61Z0S5GlUZ OR segfault_code_zG85FIDqqq OR segfault_msg_ktfT43RsTC OR illegal_inst_msg_ozMe12v82j) OR timeout_b2BYXJ5Lvm)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION None 132 None 134 None 135 None 136 None 139 None Segmentation fault None Illegal instruction None stonesoup_trace:weakness_start Has a fixed stack buffer of size 64, allocated within a struct (char [64]) DOS_UNCONTROLLED_EXIT This is probably going to overflow a buffer of some sort. Let's run it anyway and see what happens. I hope that everything turns out ok, because I would love to see what this looks like in all CAPS. Converting ASCII characters to upper case is easy, you can either call a system function, or just add the standard difference between the start of the two character sets. But, I am sure there is a reason that system functions exist for this sort of functionality. $SS_TC_ROOT/logs/execute/lttng $SS_TC_DEPS/lib64/liblttng-stonesoup-c.so:$SS_TC_DEPS/lib64/liblttng-ust-fork.so 0 -E -f input/grep-good-03-expr.txt input/mktsymbols.txt weakness_started_DPWXZ2DXaO1jSyBSOeJG AND ((NOT PERFORMER AND (segfault_code_A5vqkCqOqN OR segfault_code_indsZLxR00 OR segfault_code_VsW8akpMUs OR segfault_code_mPOKSxBYwW OR segfault_code_nekKtWMPjz OR segfault_msg_MCBIW5pbNP OR illegal_inst_msg_UzHubVbhgw) AND NOT timeout_C39vH7nqbp) or (PERFORMER AND NOT ((segfault_code_A5vqkCqOqN OR segfault_code_indsZLxR00 OR segfault_code_VsW8akpMUs OR segfault_code_mPOKSxBYwW OR segfault_code_nekKtWMPjz OR segfault_msg_MCBIW5pbNP OR illegal_inst_msg_UzHubVbhgw) OR timeout_C39vH7nqbp))) (NOT PERFORMER AND (segfault_code_A5vqkCqOqN OR segfault_code_indsZLxR00 OR segfault_code_VsW8akpMUs OR segfault_code_mPOKSxBYwW OR segfault_code_nekKtWMPjz OR segfault_msg_MCBIW5pbNP OR illegal_inst_msg_UzHubVbhgw) AND NOT timeout_C39vH7nqbp) or (PERFORMER AND NOT ((segfault_code_A5vqkCqOqN OR segfault_code_indsZLxR00 OR segfault_code_VsW8akpMUs OR segfault_code_mPOKSxBYwW OR segfault_code_nekKtWMPjz OR segfault_msg_MCBIW5pbNP OR illegal_inst_msg_UzHubVbhgw) OR timeout_C39vH7nqbp)) DOES_NOT_RETURN CONTROLLED_EXIT CONTINUED_EXECUTION None 132 None 134 None 135 None 136 None 139 None Segmentation fault None Illegal instruction None stonesoup_trace:weakness_start