This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: GCC4 makes off by ones more exploitable again, misuse of padding?

On Thursday 25 January 2007 01:43, In Cognito wrote:
> > > 0x080483a7 <func+3>:    sub    $0x208,%esp
> > > 0x080483ad <func+9>:    mov    0x8(%ebp),%eax
> > > 0x080483b0 <func+12>:   mov    %eax,0x4(%esp)
> > > 0x080483b4 <func+16>:   lea    0xfffffe00(%ebp),%eax
> > > 0x080483ba <func+22>:   mov    %eax,(%esp)
> > > 0x080483bd <func+25>:   call   0x80482e8 <strcpy@plt>
> > > 0x080483c2 <func+30>:   leave
> > > 0x080483c3 <func+31>:   ret
> > >
> > > 0x208 = 520 bytes; alright padding can be useful
> > > 0xfffffe00(%ebp) = -512 + ebp.
> >
> > What padding? It's a place for strcpy parameters...
>
> char buf[512]
> 
> sub    $0x208,%esp
> 
> 0x208 = 520 bytes allocated on the stack. there are 8 extra bytes
> between %esp and buf[0].

Exactly. Two 32-bit stack slots.
And look for what these two stack slots are used:

> > > 0x080483ad <func+9>:    mov    0x8(%ebp),%eax
> > > 0x080483b0 <func+12>:   mov    %eax,0x4(%esp)         [esp+4] = b
> > > 0x080483b4 <func+16>:   lea    0xfffffe00(%ebp),%eax
> > > 0x080483ba <func+22>:   mov    %eax,(%esp)            [esp] = &buf 
> > > 0x080483bd <func+25>:   call   0x80482e8 <strcpy@plt> call strcpy

This is it. strcpy will see them on stack as parameters.
It isn't padding.
--
vda
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]