This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
Re: GCC4 makes off by ones more exploitable again, misuse of padding?
- From: Denis Vlasenko <vda dot linux at googlemail dot com>
- To: gcc at gcc dot gnu dot org
- Cc: "In Cognito" <defend dot the dot world at gmail dot com>
- Date: Thu, 25 Jan 2007 01:34:48 +0100
- Subject: Re: GCC4 makes off by ones more exploitable again, misuse of padding?
- References: <5a20704e0701241622y9f93bdfq696bc63992225a8f@mail.gmail.com>
On Thursday 25 January 2007 01:22, In Cognito wrote:
> Hello,
>
> It's nice to see a more security-minded release of gcc with v4.
> Variables are moved around to reduce chances for exploitation,
> -fstack-protector, etc. Great!
>
> Why are local variables once-again adjacent to the saved frame pointer
> though? gcc v 2 called and wants one of its "features" back.
>
> #include <string.h>
>
> void func(char *b){
> char buf[512];
> /* off by one: strlen() omits the NUL, so a 512-char string passes and strcpy writes 513 bytes */
> if( strlen(b) > sizeof buf) return;
> strcpy(buf, b);
> }
>
> 0x080483a7 <func+3>: sub $0x208,%esp
> 0x080483ad <func+9>: mov 0x8(%ebp),%eax
> 0x080483b0 <func+12>: mov %eax,0x4(%esp)
> 0x080483b4 <func+16>: lea 0xfffffe00(%ebp),%eax
> 0x080483ba <func+22>: mov %eax,(%esp)
> 0x080483bd <func+25>: call 0x80482e8 <strcpy@plt>
> 0x080483c2 <func+30>: leave
> 0x080483c3 <func+31>: ret
>
> 0x208 = 520 bytes; alright, padding can be useful
> 0xfffffe00(%ebp) = -512 + ebp.
What padding? It's a place for strcpy parameters...
--
vda
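The off by one in the quoted check, as an added example that is not code from this thread: the posted length test beside a corrected version of func(), with the overshoot computed arithmetically rather than performed. BUF_SIZE, posted_check_allows_copy, posted_overflow_bytes, func_fixed and sample_input are names introduced here.

```c
#include <string.h>

#define BUF_SIZE 512   /* same size as buf[512] in the quoted func() */

/* The length test exactly as the post wrote it; 1 means strcpy would run. strlen()
 * omits the NUL, so a 512-char string passes and strcpy writes 513 bytes: off by one. */
int posted_check_allows_copy(const char *b)
{
    return !(strlen(b) > BUF_SIZE);
}

/* Bytes strcpy would write past the end of buf[BUF_SIZE] when the posted check lets
 * the copy proceed; 0 if rejected or it fits. Arithmetic only, nothing is overwritten. */
size_t posted_overflow_bytes(const char *b)
{
    size_t need = strlen(b) + 1;                  /* characters plus the NUL */
    if (!posted_check_allows_copy(b) || need <= BUF_SIZE)
        return 0;
    return need - BUF_SIZE;
}

/* Corrected func() (hypothetical name): reject anything that does not fit with its
 * NUL (>= not >) and copy an explicit count so bound and copy cannot disagree. */
int func_fixed(const char *b)
{
    char buf[BUF_SIZE];
    size_t n = strlen(b);
    if (n >= sizeof buf)
        return -1;                                /* rejected */
    memcpy(buf, b, n + 1);                        /* n + 1 <= sizeof buf here */
    return buf[n] == '\0' ? 0 : -1;               /* 0 = copied and terminated */
}

/* Constructed input: len 'A's in a static scratch buffer (len capped to fit). */
const char *sample_input(size_t len)
{
    static char scratch[1024];
    if (len >= sizeof scratch) len = sizeof scratch - 1;
    memset(scratch, 'A', len);
    scratch[len] = '\0';
    return scratch;
}
```

For inputs of 511, 512 and 513 characters the posted check lets the copy run for the first two, the overshoot is 0, 1 and 0 bytes, and func_fixed returns 0, -1 and -1.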