【正文】 ... } Stack after call to gets() B return address A foo stack frame bar stack frame B exploit code pad data written by gets() 。 ... return ...。 strings declared in code Text ? Executable machine instructions ? Readonly Upper 2 hex digits of address BF 00 Stack Text Data Heap 08 C pointer declarations int *p p is a pointer to int int *p[13] p is an array[13] of pointer to int int *(p[13]) p is an array[13] of pointer to int int **p p is a pointer to a pointer to an int int (*p)[13] p is a pointer to an array[13] of int int *f() f is a function returning a pointer to int int (*f)() f is a pointer to a function returning int int (*(*f())[13])() f is a function returning ptr to an array[13] of pointers to functions returning int int (*(*x[3])())[5] x is an array[3] of pointers to functions returning pointers to array[5] of ints Malicious Use of Buffer Overflow ? Input string contains byte representation of executable code ? Overwrite return address with address of buffer ? When bar() executes ret, will jump to exploit code int bar() { char buf[64]。 } *sp。 int i[2]。 } *up。 int i[2]。lowest 3 bits of address must be 0002 187。 Linux: 187。lowest 2 bits of address must be 002 187。lowest 2 bits of address must be 002 187。 instruction sets): 187。 Satisfying Alignment with Structures Offsets Within Structure ? Must satisfy element’s alignment requirement Overall Structure Placement ? Each structure has alignment requirement K ? Largest alignment of any element ? Initial address amp。 double v。 } struct S1 { char c。 jTnPk += n。 j n。 int jTnPk = k。 int result = 0。 return result。 j n。 int result = 0。 } int var_ele (int *a, int i, int j, int n) { return a[i*n+j]。 return result。 j N。 int result = 0。 } 361601656164168univcmu1 5 2 1 316 20 24 28 32 36mit0 2 1 3 936 40 44 48 52 56ucb9 4 7 2 056 60 64 68 72 7676 96 116 136 1561 5 2 0 6 1 5 2 1 3 1 5 2 1 7 1 5 2 2 1Using Nested Arrays Strengths ? C piler handles doubly subscripted arrays ? Generates very efficient code ? Avoids multiply in index putation Limitation ? Only works if have fixed array size define N 16 typedef int fix_matrix[N][N]。 } %ecx = dig %eax = index leal 0(,%ecx,4),%edx 4*dig leal (%eax,%eax,4),%eax 5*index movl pgh(%edx,%eax,4),%eax *(pgh + 4*dig + 20*index) Array Element Accesses ? Similar C references Nested Array ? Element at Mem[pgh+20*index+4*dig] ? Different address putation MultiLevel Array ? Element at Mem[Mem[univ+4*index]+4*dig] int get_pgh_digit (int index, int dig) { return pgh[index][dig]。 A+i*C*4 A+(R1)*C*4 ? ? ? Nested Array Element Access Array Elements ? A[i][j] is element of type T ? Address A + i * (C * K) + j * K = A + (i * C + j)* K ? ? ? A [i] [j] A [i] [j] ? ? ? A[i] A [R1] [0] A [R1] [C1] ? ? ? A[R1] ? ? ? A A [0] [0] A [0] [C1] ? ? ? A[0] int A[R][C]。 ? 2D array of data type T ? R rows, C columns ? Type T element requires K bytes Array Size ? R * C * K bytes Arrangement ? RowMajor Ordering A[0][0] A[0][C1] A[R1][0] ? ? ? ? ? ? A[R1][C1] ? ? ? ? ? ? int A[R][C]。 operated on in floating point registers Intel GAS Bytes C Single s 4 float Double l 8 double Extended t 10/12/16 long double Array Allocation Basic Principle T A[L]。a[i+1] jmp swap swap() Interesting Features of Stack Frame Allocate Entire Frame at Once ? All stack accesses can be relative to %rsp ? Do by decrementing stack pointer ? Can delay allocation, since safe to temporarily use red zone Simple Deallocation ? Increment stack pointer Basic Data Types Integral ? Stored amp。 } swap_ele: movslq %esi,%rsi Sign extend i leaq (%rdi,%rsi,8), %rdi amp。a[i], amp。 /* Swap a[i] amp。a[i+1] call swap swap() incq scount(%rip) scount++。 } swap_ele_se: movslq %esi,%rsi Sign extend i leaq (%rdi,%rsi,8), %rdi amp。a[i+1])。 a[i+1] */ void swap_ele_se (long a[], int i) { swap(amp。 } swap_a: movq (%rdi), %rax movq %rax, 24(%rsp) movq (%rsi), %rax movq %rax, 16(%rsp) movq 16(%rsp), %rax movq %rax, (%rdi) movq 24(%rsp), %rax movq %rax, (%rsi) ret rtn Ptr