string constants in -fpie mode?

Tycho Andersen tycho@tycho.ws
Sat Oct 29 22:02:00 GMT 2016 

Hi everyone,

I'm a little confused by the assembly gcc generating for a program
built in -fpie mode. Consider the following:

$ cat tester.c
__attribute__((always_inline))
void inline func(char *arg)
{
	arg[0] = 0;
}

void main(void)
{
	char *foo;

	foo = "this is a string";

	func(foo);
}

I can compile and link it:

$ gcc -c -fpie -Wa,--noexecstack -fno-jump-tables -nostdlib tester.c -o tester.o
$ ld -r tester.o -o tester.bin

and when I disassemble it I get:

$ objdump -D tester.bin 

tester.bin:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <main>:
   0:	55                   	push   rbp
   1:	48 89 e5             	mov    rbp,rsp
   4:	48 8d 05 00 00 00 00 	lea    rax,[rip+0x0]        # b <main+0xb>
   b:	48 89 45 f8          	mov    QWORD PTR [rbp-0x8],rax
   f:	48 8b 45 f8          	mov    rax,QWORD PTR [rbp-0x8]
  13:	48 89 45 f0          	mov    QWORD PTR [rbp-0x10],rax
  17:	48 8b 45 f0          	mov    rax,QWORD PTR [rbp-0x10]
  1b:	c6 00 00             	mov    BYTE PTR [rax],0x0
  1e:	90                   	nop
  1f:	5d                   	pop    rbp
  20:	c3                   	ret    

Disassembly of section .rodata:

0000000000000000 <.rodata>:
   0:	74 68                	je     6a <main+0x6a>
   2:	69 73 20 69 73 20 61 	imul   esi,DWORD PTR [rbx+0x20],0x61207369
   9:	20 73 74             	and    BYTE PTR [rbx+0x74],dh
   c:	72 69                	jb     77 <main+0x77>
   e:	6e                   	outs   dx,BYTE PTR ds:[rsi]
   f:	67                   	addr32
	...

So now I'm confused. .rodata is clearly my string (using a cheap hack by doing
objdump -D to display it), but the code at 0x4 in .text has me confused,

   4: 48 8d 05 00 00 00 00  lea    rax,[rip+0x0]        # b <main+0xb>

This doesn't load my string; in fact it doesn't really do anything useful. I
suspect that this is something that is rewritten at load time, but I don't
really know. I also haven't had much luck looking for information
about what's going on here :(

What I'm really interested in is compiling something from C that's
entirely shellcode, and doesn't have any of this load time rewriting;
I could use a linker script to stuff .rodata into .text, but it
doesn't seem to help anything (other than make the offset easily
computable from rip, but gcc doesn't actually emit assembly that does
it).

Is there a way to do this?

Thanks,

Tycho

More information about the Gcc-help mailing list