This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.



Re: GCC4 makes off by ones more exploitable again, misuse of padding?


Let me try to clarify.

GCC allocates more than 512 bytes:
0x080483a7 <func+3>: sub $0x208,%esp
0x208 = 520 in this case.

Where are those extra 8 bytes? They're in between what
gcc is considering the start of buf, &buf[0] and %esp (the top of the stack).
I'm considering those extra 8 bytes to be the "padding".

buf[0] is at  0xfffffe00(%ebp)  [ -512(%ebp) ]. I would prefer that
gcc started buf at  0xfffffdf8(%ebp), leaving those 8 bytes in between
buf[511] and the saved frame pointer *(%ebp) instead.

If the padding is there anyway, I would prefer it was used to improve
security, as gcc 3 used to.

On 1/25/07, Denis Vlasenko <vda.linux@googlemail.com> wrote:
On Thursday 25 January 2007 01:43, In Cognito wrote:
> > > 0x080483a7 <func+3>:    sub    $0x208,%esp
> > > 0x080483ad <func+9>:    mov    0x8(%ebp),%eax
> > > 0x080483b0 <func+12>:   mov    %eax,0x4(%esp)
> > > 0x080483b4 <func+16>:   lea    0xfffffe00(%ebp),%eax
> > > 0x080483ba <func+22>:   mov    %eax,(%esp)
> > > 0x080483bd <func+25>:   call   0x80482e8 <strcpy@plt>
> > > 0x080483c2 <func+30>:   leave
> > > 0x080483c3 <func+31>:   ret
> > >
> > > 0x208 = 520 bytes; alright padding can be useful
> > > 0xfffffe00(%ebp) = -512 + ebp.
> >
> > What padding? It's a place for strcpy parameters...
>
> char buf[512]
>
> sub    $0x208,%esp
>
> 0x208 = 520 bytes allocated on the stack. there are 8 extra bytes
> between %esp and buf[0].

Exactly. Two 32-bit stack slots.
And look at what these two stack slots are used for:

> > > 0x080483ad <func+9>:    mov    0x8(%ebp),%eax
> > > 0x080483b0 <func+12>:   mov    %eax,0x4(%esp)         [esp+4] = b
> > > 0x080483b4 <func+16>:   lea    0xfffffe00(%ebp),%eax
> > > 0x080483ba <func+22>:   mov    %eax,(%esp)            [esp] = &buf
> > > 0x080483bd <func+25>:   call   0x80482e8 <strcpy@plt> call strcpy

This is it. strcpy will see them on stack as parameters.
It isn't padding.
--
vda
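The disagreement above is about where the 8 extra bytes of the frame sit relative to buf and the saved frame pointer. The following C program is an added example (not code from either poster or from GCC) that models the frame the quoted disassembly describes: a 520-byte frame from `sub $0x208,%esp`, `char buf[512]` at `-512(%ebp)`, and strcpy's two 4-byte arguments at `(%esp)` and `4(%esp)`. The second layout, `requested_layout`, is a hypothetical model of what the original poster asks for (buf starting at `0xfffffdf8(%ebp)`), not compiler output. It also shows a bounded copy next to the unbounded strcpy so the frame-layout question does not arise at all.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the thread. Offsets are bytes relative to
 * %ebp; the saved frame pointer *(%ebp) lives at offset 0. */

#define FRAME_SIZE 0x208 /* from "sub $0x208,%esp": 520 bytes */
#define BUF_SIZE   512   /* char buf[512] */
#define ARG_BYTES  8     /* two 4-byte outgoing-argument slots for strcpy */

struct frame_layout {
    long esp;       /* %esp after the sub */
    long args_lo;   /* outgoing-argument area: [args_lo, args_hi) */
    long args_hi;
    long buf_lo;    /* buf occupies [buf_lo, buf_hi) */
    long buf_hi;
    long saved_ebp; /* *(%ebp), the saved frame pointer */
};

/* Layout the disassembly shows: argument slots at the bottom of the frame,
 * buf placed directly below the saved %ebp. */
struct frame_layout gcc4_layout(void) {
    struct frame_layout f;
    f.esp = -FRAME_SIZE;            /* -520 */
    f.args_lo = f.esp;              /* (%esp)  = &buf */
    f.args_hi = f.esp + ARG_BYTES;  /* 4(%esp) = b; area ends at -512 */
    f.buf_lo = -BUF_SIZE;           /* lea 0xfffffe00(%ebp),%eax */
    f.buf_hi = f.buf_lo + BUF_SIZE; /* 0: buf[511] sits at -1(%ebp) */
    f.saved_ebp = 0;
    return f;
}

/* Hypothetical layout the original poster asks for: buf starts at
 * 0xfffffdf8(%ebp), so the 8 extra bytes sit between buf[511] and the saved
 * frame pointer. The call arguments would then need to go elsewhere, which is
 * the point of the reply; this model just places the 8 bytes above buf. */
struct frame_layout requested_layout(void) {
    struct frame_layout f;
    f.esp = -FRAME_SIZE;
    f.buf_lo = -FRAME_SIZE;         /* -520 = 0xfffffdf8 */
    f.buf_hi = f.buf_lo + BUF_SIZE; /* -8 */
    f.args_lo = f.buf_hi;           /* the 8 spare bytes: [-8, 0) */
    f.args_hi = 0;
    f.saved_ebp = 0;
    return f;
}

/* Bytes between the end of buf and the saved frame pointer. 0 means a
 * single-byte overrun of buf lands on the saved %ebp. */
long gap_to_saved_ebp(struct frame_layout f) {
    return f.saved_ebp - f.buf_hi;
}

/* Which frame region a write to buf[index] reaches: "buf", "args",
 * "saved_ebp", or "above" (return address and caller frame). */
const char *region_of(struct frame_layout f, long index) {
    long addr = f.buf_lo + index;
    if (addr >= f.buf_lo && addr < f.buf_hi) return "buf";
    if (addr >= f.args_lo && addr < f.args_hi) return "args";
    if (addr >= f.saved_ebp && addr < f.saved_ebp + 4) return "saved_ebp";
    return "above";
}

/* The function from the thread, reconstructed from its disassembly: an
 * unbounded strcpy into a 512-byte stack buffer. Shown for comparison only. */
void func(char *b) {
    char buf[512];
    strcpy(buf, b); /* input of 512 bytes or more overruns buf */
}

/* Hardened counterpart: bounded copy that always NUL-terminates and
 * truncates instead of overrunning. Returns bytes copied (no terminator). */
size_t func_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 0;
    size_t n = strlen(src);
    if (n >= dst_size) n = dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void) {
    struct frame_layout g4 = gcc4_layout(), rq = requested_layout();
    printf("gcc4: buf[511] at %ld(%%ebp), gap to saved ebp %ld, buf[512] hits %s\n",
           g4.buf_lo + 511, gap_to_saved_ebp(g4), region_of(g4, 512));
    printf("requested: gap to saved ebp %ld, buf[512] hits %s\n",
           gap_to_saved_ebp(rq), region_of(rq, 512));
    char out[512], big[600];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("bounded copy of 599 bytes kept %zu\n", func_bounded(out, sizeof out, big));
    return 0;
}
```

In the modelled GCC 4 frame, `region_of(gcc4_layout(), 512)` reports `saved_ebp`: the byte just past buf is the saved frame pointer, which is the off-by-one case the subject line refers to. In the requested layout the same write lands in the 8 spare bytes. Either way, the only reliable fix is the bounded copy, since frame layout is a compiler choice the source cannot control.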


