This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: GCC4 makes off by ones more exploitable again, misuse of padding?


On Thu, Jan 25, 2007 at 02:02:47PM -0500, In Cognito wrote:
> Let me try to clarify.

> GCC is allocated more than 512 bytes,
> >0x080483a7 <func+3>:    sub    $0x208,%esp
> 0x208= 520 in this case.
> 
> Where are those extra 8 bytes? They're in between what
> gcc is considering the start of buf, &buf[0] and %esp (the top of the 
> stack).
> I'm considering those extra 8 bytes to be the "padding".

A joke attributed to Abraham Lincoln:

"How many legs does a horse have if we call a tail a leg?"

"Five."

"No, four.  Calling a tail a leg doesn't make it a leg."

You just ignored what Denis wrote and said the same thing again.
The extra eight bytes are *not padding*.  They are parameters
to strcpy.  It just so happens that in this particular case,
overwriting those parameters will be harmless *if* copies of
those parameters are in registers and only the registers are used.
But you are falsely generalizing from one example; in other cases
(particularly on x86 with few registers) those parameters will be
read back in from memory again.

You falsely believe that gcc 2.x introduced padding around arrays.
It did not.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]