This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: GCC4 makes off by ones more exploitable again, misuse of padding?

From: Denis Vlasenko <vda dot linux at googlemail dot com>
To: gcc at gcc dot gnu dot org
Cc: "In Cognito" <defend dot the dot world at gmail dot com>
Date: Thu, 25 Jan 2007 01:34:48 +0100
Subject: Re: GCC4 makes off by ones more exploitable again, misuse of padding?
References: <5a20704e0701241622y9f93bdfq696bc63992225a8f@mail.gmail.com>

On Thursday 25 January 2007 01:22, In Cognito wrote:
> Hello,
> 
> It's nice to see a more security-minded release of gcc with v4.
> Variables are moved around to reduce chances for exploitation,
> -fstack-protector, etc. Great!
> 
> Why are local variables once-again adjacent to the saved frame pointer
> though? gcc v 2 called and wants one of its "features" back.
> 
> func(char *b){
> char buf[512];
> if( strlen(b) > sizeof buf) return;
> strcpy(buf, b);
> }
> 
> 0x080483a7 <func+3>:    sub    $0x208,%esp
> 0x080483ad <func+9>:    mov    0x8(%ebp),%eax
> 0x080483b0 <func+12>:   mov    %eax,0x4(%esp)
> 0x080483b4 <func+16>:   lea    0xfffffe00(%ebp),%eax
> 0x080483ba <func+22>:   mov    %eax,(%esp)
> 0x080483bd <func+25>:   call   0x80482e8 <strcpy@plt>
> 0x080483c2 <func+30>:   leave
> 0x080483c3 <func+31>:   ret
> 
> 0x208 = 520 bytes; alright padding can be useful
> 0xfffffe00(%ebp) = -512 + ebp.

What padding? It's a place for strcpy parameters...
--
vda

Follow-Ups:
- Re: GCC4 makes off by ones more exploitable again, misuse of padding?
  - From: In Cognito

References:
- GCC4 makes off by ones more exploitable again, misuse of padding?
  - From: In Cognito

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]