0

I'm trying to understand what happens when a stack gets corrupted. This is the sample program i tried to understand. I have defined the size of the buffer as 1 byte. But the stack corruption happens after I enter the 13th byte. why is that getting corrupted after 13th byte?

C code :

#include<stdio.h>
#include<string.h>
int main(int argc,char *argv[]){
 char buffer[1];
 strcpy(buffer,argv[1]);
 printf("\n buffer : %s \n",buffer);
 return 0;
}

Assembly code :

        .file   "buffer_overflow.c"
        .section        .rodata
.LC0:
        .string "\n buffer : %s \n"
        .text
.globl main
        .type   main, @function
main:
        pushl   %ebp
        movl    %esp, %ebp
        andl    $-16, %esp
        subl    $32, %esp
        movl    12(%ebp), %eax
        addl    $4, %eax
        movl    (%eax), %eax
        movl    %eax, 4(%esp)
        leal    31(%esp), %eax
        movl    %eax, (%esp)
        call    strcpy
        movl    $.LC0, %eax
        leal    31(%esp), %edx
        movl    %edx, 4(%esp)
        movl    %eax, (%esp)
        call    printf
        movl    $0, %eax
        leave
        ret
        .size   main, .-main
        .ident  "GCC: (Ubuntu/Linaro 4.4.4-14ubuntu5) 4.4.5"
        .section        .note.GNU-stack,"",@progbits
Angus
  • 12,133
  • 29
  • 96
  • 151
  • if you go about and write silly code then expect silly results. – Ed Heal Apr 01 '13 at 03:19
  • 1
    @EdHeal - I don't think the OP would disagree. I suspect he's trying to understand why he crashes in some scenarios, but not in other cases. Which makes this a great question on the nature of buffer overflows. – selbie Apr 01 '13 at 03:34
  • possible duplicate of [why doesn't my program crash when I write past the end of an array?](http://stackoverflow.com/questions/6452959/why-doesnt-my-program-crash-when-i-write-past-the-end-of-an-array) (Note that the array in that question is also allocated on the stack, in case you are interested in stack (as opposed to heap) buffer overflows specifically.) – jogojapan Apr 01 '13 at 03:36
  • possible duplicate of [corrupt main function stack](http://stackoverflow.com/questions/14694680/corrupt-main-function-stack) – Jim Balter Apr 01 '13 at 04:05
  • @selbie "Which makes this a great question on the nature of buffer overflows" -- Only if it hadn't been asked and answered numerous times before. – Jim Balter Apr 01 '13 at 04:06

3 Answers3

2

When CPU enter a function, it need to push some values in to memory stack.According to your codes, before call 'strcpy', the stack frame is shown like this on x86 system.

------------  offset 13
char buffer[1]
------------  offset 12
char *argv[]
------------  offset 8
int argc
------------  offset 4
ret
------------  offset 0

So after you wrote 13bytes, strcpy has rewrite the ret area. when main finish, it is corrupted.

MYMNeo
  • 818
  • 5
  • 9
1

Stacks grow downwards on Intel processors. And variables are placed on the stack. After the function call, the ABI (application binary interface) may also take up a few bytes to store things like frame pointers, pointers to the variable block, and anything else it desires. You can see that in your assembly with it pushing ebp at the beginning.

So why do you see stack corruption only after the 13th byte? Well, 1 byte is ok because you have 1 byte of memory. The next 12 are ok because the ABI pushed additional variables into that room. You may have odd results due to overwriting it, but you won't crash. Then you get into the next variable, which is the return address. Overwrite that and you'll almost certainly crash (short of remarkable luck).

Gabe Sechan
  • 90,003
  • 9
  • 87
  • 127
1

Most important - The stack got corrupted as you went past the first byte. :) But I digress.

The stack likely had the following pushed onto it just prior to main being invoked.

4 bytes for the return address from this function.

4 bytes for "argc"

4 bytes for "argv".

1 byte for "buffer", but the compiler likely aligned this on 4-byte boundary

So the first 12 bytes of the stack are all variables. Once you corrupt the return address, at around offset 12 or 13, you put the program in a bad state and likely crashed upon attempting to return from this call.

selbie
  • 100,020
  • 15
  • 103
  • 173
  • I removed argc and argv parameters, so 8 bytes are removed from the stack. So I can expect the seg fault to happen at 7th byte, but still the seg fault happens at the 13th byte. – Angus Apr 01 '13 at 04:36
  • I suspect this is a special case for "main". argc and argv got pushed on to the stack regardless of whether of how you declared main. Change the name of your function to be "foo" and just have main invoke foo - either by passing argc/argv directly to it, or without. – selbie Apr 01 '13 at 04:57
  • #include #include void foo(){ char buffer[1]; strcpy(buffer,"Angusdecl"); printf("\n buffer : %s \n",buffer); } int main(){ foo(); return 0; } – Angus Apr 01 '13 at 05:23
  • I tried. So in this case it has to seg fault at the 2nd byte. but its seg faulting at the 9th byte. – Angus Apr 01 '13 at 05:25
  • @Angus - for me to answer, what are you trying to understand? Are you trying to understand why "main" has a different behavior with regards to buffer overflows, or are you just trying to ascertain at what stack variable that corruption will happen. – selbie Apr 01 '13 at 07:09
  • :I could understand that the stack corruption happens as the data writes past the return address as expalined by you. I'm trying to understand why main is having a different behaviour with regards to buffer overflows. – Angus Apr 01 '13 at 07:37