我在閱讀Smashing the Stack for Fun and Profit(特別是,這篇文章是指「緩衝區溢出」部分)。該文章是爲 32位計算機編寫的,但是我正在使用64位,因此我在 中考慮了我的示例。一個特殊的例子是導致一些我不能解釋的問題。 example3.c具有覆蓋返回地址的功能,跳過主函數中的指令 。這裏是我的代碼:堆棧保護和使用GCC粉碎
gcc example3.c -o example3
注意,默認情況下,gcc編譯器似乎執行一些堆棧 保護,如地址:
#include <stdio.h>
void function(int a, int b, int c)
{
char buf1[5];
char buf2[10];
int *retptr;
retptr = (void*)(buf2 + 40);
(*retptr) += 8;
}
int main(void)
{
int x;
x = 0;
function(1,2,3);
x = 1;
printf("%d\n", x);
return 0;
}
我用gcc v4.8.2用以下命令編譯這個程序空間佈局隨機化和堆棧金絲雀。我在計算指針值時考慮了這些安全措施。這裏 是 gcc example3.c -S -fverbose-asm -o stack-protection.s
產生相應的組件:
.file "example3.c"
# GNU C (Ubuntu 4.8.2-19ubuntu1) version 4.8.2 (x86_64-linux-gnu)
# compiled by GNU C version 4.8.2, GMP version 5.1.3, MPFR version 3.1.2-p3, MPC version 1.0.1
# GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
# options passed: -imultiarch x86_64-linux-gnu example3.c -mtune=generic
# -march=x86-64 -auxbase-strip verbose-stack-pro.s -fverbose-asm
# -fstack-protector -Wformat -Wformat-security
# options enabled: -faggressive-loop-optimizations
# -fasynchronous-unwind-tables -fauto-inc-dec -fbranch-count-reg -fcommon
# -fdelete-null-pointer-checks -fdwarf2-cfi-asm -fearly-inlining
# -feliminate-unused-debug-types -ffunction-cse -fgcse-lm -fgnu-runtime
# -fident -finline-atomics -fira-hoist-pressure -fira-share-save-slots
# -fira-share-spill-slots -fivopts -fkeep-static-consts
# -fleading-underscore -fmath-errno -fmerge-debug-strings
# -fmove-loop-invariants -fpeephole -fprefetch-loop-arrays
# -freg-struct-return -fsched-critical-path-heuristic
# -fsched-dep-count-heuristic -fsched-group-heuristic -fsched-interblock
# -fsched-last-insn-heuristic -fsched-rank-heuristic -fsched-spec
# -fsched-spec-insn-heuristic -fsched-stalled-insns-dep -fshow-column
# -fsigned-zeros -fsplit-ivs-in-unroller -fstack-protector
# -fstrict-volatile-bitfields -fsync-libcalls -ftrapping-math
# -ftree-coalesce-vars -ftree-cselim -ftree-forwprop -ftree-loop-if-convert
# -ftree-loop-im -ftree-loop-ivcanon -ftree-loop-optimize
# -ftree-parallelize-loops= -ftree-phiprop -ftree-pta -ftree-reassoc
# -ftree-scev-cprop -ftree-slp-vectorize -ftree-vect-loop-version
# -funit-at-a-time -funwind-tables -fverbose-asm -fzero-initialized-in-bss
# -m128bit-long-double -m64 -m80387 -maccumulate-outgoing-args
# -malign-stringops -mfancy-math-387 -mfp-ret-in-387 -mfxsr -mglibc
# -mieee-fp -mlong-double-80 -mmmx -mno-sse4 -mpush-args -mred-zone -msse
# -msse2 -mtls-direct-seg-refs
.text
.globl function
.type function, @function
function:
.LFB0:
.cfi_startproc
pushq %rbp #
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp #,
.cfi_def_cfa_register 6
subq $64, %rsp #,
movl %edi, -52(%rbp) # a, a
movl %esi, -56(%rbp) # b, b
movl %edx, -60(%rbp) # c, c
movq %fs:40, %rax #, tmp65
movq %rax, -8(%rbp) # tmp65, D.2197
xorl %eax, %eax # tmp65
leaq -32(%rbp), %rax #, tmp61
addq $40, %rax #, tmp62
movq %rax, -40(%rbp) # tmp62, ret
movq -40(%rbp), %rax # ret, tmp63
movl (%rax), %eax # *ret_1, D.2195
leal 8(%rax), %edx #, D.2195
movq -40(%rbp), %rax # ret, tmp64
movl %edx, (%rax) # D.2195, *ret_1
movq -8(%rbp), %rax # D.2197, tmp66
xorq %fs:40, %rax #, tmp66
je .L2 #,
call __stack_chk_fail #
.L2:
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE0:
.size function, .-function
.section .rodata
.LC0:
.string "%d\n"
.text
.globl main
.type main, @function
main:
.LFB1:
.cfi_startproc
pushq %rbp #
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp #,
.cfi_def_cfa_register 6
subq $16, %rsp #,
movl $0, -4(%rbp) #, x
movl $3, %edx #,
movl $2, %esi #,
movl $1, %edi #,
call function #
movl $1, -4(%rbp) #, x
movl -4(%rbp), %eax # x, tmp61
movl %eax, %esi # tmp61,
movl $.LC0, %edi #,
movl $0, %eax #,
call printf #
movl $0, %eax #, D.2200
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE1:
.size main, .-main
.ident "GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2"
.section .note.GNU-stack,"",@progbits
執行示例3具有第二分配跳躍到x
和程序輸出0
期望的效果。
然而,如果代替我編譯使用-fno-stack-protector
選項:
gcc -fno-stack-protector example3.c -S -fverbose-asm -o no-stack-protection.s
我收到以下組件的文件:
.file "example3.c"
# GNU C (Ubuntu 4.8.2-19ubuntu1) version 4.8.2 (x86_64-linux-gnu)
# compiled by GNU C version 4.8.2, GMP version 5.1.3, MPFR version 3.1.2-p3, MPC version 1.0.1
# GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
# options passed: -imultiarch x86_64-linux-gnu example3.c -mtune=generic
# -march=x86-64 -auxbase-strip verbose-no-stack-pro.s -fno-stack-protector
# -fverbose-asm -Wformat -Wformat-security
# options enabled: -faggressive-loop-optimizations
# -fasynchronous-unwind-tables -fauto-inc-dec -fbranch-count-reg -fcommon
# -fdelete-null-pointer-checks -fdwarf2-cfi-asm -fearly-inlining
# -feliminate-unused-debug-types -ffunction-cse -fgcse-lm -fgnu-runtime
# -fident -finline-atomics -fira-hoist-pressure -fira-share-save-slots
# -fira-share-spill-slots -fivopts -fkeep-static-consts
# -fleading-underscore -fmath-errno -fmerge-debug-strings
# -fmove-loop-invariants -fpeephole -fprefetch-loop-arrays
# -freg-struct-return -fsched-critical-path-heuristic
# -fsched-dep-count-heuristic -fsched-group-heuristic -fsched-interblock
# -fsched-last-insn-heuristic -fsched-rank-heuristic -fsched-spec
# -fsched-spec-insn-heuristic -fsched-stalled-insns-dep -fshow-column
# -fsigned-zeros -fsplit-ivs-in-unroller -fstrict-volatile-bitfields
# -fsync-libcalls -ftrapping-math -ftree-coalesce-vars -ftree-cselim
# -ftree-forwprop -ftree-loop-if-convert -ftree-loop-im -ftree-loop-ivcanon
# -ftree-loop-optimize -ftree-parallelize-loops= -ftree-phiprop -ftree-pta
# -ftree-reassoc -ftree-scev-cprop -ftree-slp-vectorize
# -ftree-vect-loop-version -funit-at-a-time -funwind-tables -fverbose-asm
# -fzero-initialized-in-bss -m128bit-long-double -m64 -m80387
# -maccumulate-outgoing-args -malign-stringops -mfancy-math-387
# -mfp-ret-in-387 -mfxsr -mglibc -mieee-fp -mlong-double-80 -mmmx -mno-sse4
# -mpush-args -mred-zone -msse -msse2 -mtls-direct-seg-refs
.text
.globl function
.type function, @function
function:
.LFB0:
.cfi_startproc
pushq %rbp #
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp #,
.cfi_def_cfa_register 6
movl %edi, -36(%rbp) # a, a
movl %esi, -40(%rbp) # b, b
movl %edx, -44(%rbp) # c, c
leaq -32(%rbp), %rax #, tmp61
addq $40, %rax #, tmp62
movq %rax, -8(%rbp) # tmp62, ret
movq -8(%rbp), %rax # ret, tmp63
movl (%rax), %eax # *ret_1, D.2195
leal 8(%rax), %edx #, D.2195
movq -8(%rbp), %rax # ret, tmp64
movl %edx, (%rax) # D.2195, *ret_1
popq %rbp #
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE0:
.size function, .-function
.section .rodata
.LC0:
.string "%d\n"
.text
.globl main
.type main, @function
main:
.LFB1:
.cfi_startproc
pushq %rbp #
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp #,
.cfi_def_cfa_register 6
subq $16, %rsp #,
movl $0, -4(%rbp) #, x
movl $3, %edx #,
movl $2, %esi #,
movl $1, %edi #,
call function #
movl $1, -4(%rbp) #, x
movl -4(%rbp), %eax # x, tmp61
movl %eax, %esi # tmp61,
movl $.LC0, %edi #,
movl $0, %eax #,
call printf #
movl $0, %eax #, D.2196
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE1:
.size main, .-main
.ident "GCC: (Ubuntu 4.8.2-19ubuntu1) 4.8.2"
.section .note.GNU-stack,"",@progbits
和相應的可執行不產生0但一個所需的值 隨機值,我不能與彙編文件調和。
我在-fno-stack-protector
情況下棧幀的心理畫面(SFP =保存的幀指針,RET =返回地址):
low memory address buf2 (16 bytes) buf1 (8 bytes) retptr (8 bytes) sfp (8 bytes) ret high memory address
<--- [ ][ ][ ][ ][ ] ...
top of stack bottom of stack
我的問題:
我是錯估的位置在不受保護的情況下的返回地址?
使用'-S -fverbose-asm'編譯,也可能使用'-O' –
我已更新我的問題以包含'-fverbose-asm'的輸出。 '-O'似乎抹去了輸出,使得無堆棧保護版本沒有'功能'。我無法從其他註釋中看到該選項在程序集文件中出現了什麼問題。這兩個版本似乎都對'retptr'變量執行相同的操作。 – incomplete
最好的辦法就是單步執行代碼,以便觀察寄存器/內存值。自從我做了asm之後已經有一段時間了,但是rsp寄存器中有一個sub qword指令,它在非保護版本中不存在。 –