How do canary words allow gcc to detect buffer overflows?

Backend · unresolved · 1 answer · 1420 views
野趣味 2021-01-24 06:24

I could test using strncpy() with a larger source string than the destination:

#include <stdlib.h>
#include <string.h>

int main() {
  char *ptr = malloc(12);
  strcpy(ptr, "hello world!");  /* 12 chars + NUL = 13 bytes into a 12-byte heap block */
}
1 answer
    爱一瞬间的悲伤
    2021-01-24 07:12

    Could someone explain to me how this works?

    The canary word is read from fs:40 and stored at the top of the frame here:

    movq    %fs:40, %rax
    movq    %rax, -8(%rbp)
    

    It's below the return address, so if your code happens to overflow the buffer (which will be below -8(%rbp)), it'll first overwrite the -8(%rbp) location. This will be detected by GCC prior to issuing ret here:

    movq    -8(%rbp), %rcx
    xorq    %fs:40, %rcx      ; Checks that %fs:40 == -8(%rbp)
    je  .L3                   ; Ok, return
    call    __stack_chk_fail  ; Die
    

    as the overwritten contents of -8(%rbp) will likely be different from the proper value (installed from fs:40).

    And why is the canary word not also overwritten by the \0 of the hello world!?

    Your code has a heap overflow, not a buffer overflow, so SSP can't help...

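The frame layout the answer describes, worked through as an added example; this is not code from the question or the answer, and it does not depend on the compiler's stack-protector flags. It models a frame as a byte array in the order the answer gives (buf, then the canary slot at -8(%rbp), then the return address), runs the prologue store, a strcpy()-style copy and the epilogue compare, and reports whether __stack_chk_fail would be reached. It also goes one step past the answer, to the asker's second question: glibc zeroes the lowest-address byte of the guard so a string's terminator cannot leak it, which means the lone NUL that a 13-byte "hello world!" copy drops on a 12-byte stack buffer lands on a byte that is already zero and is not detected; any longer spill is. The canary bytes, the fake return address and the exact 12/8/8 layout are constructed assumptions (a real GCC frame may pad between the array and the slot), and the real check only exists for stack arrays compiled with -fstack-protector, which is why the heap version in the question gets no protection.

```c
/*
 * Added example, not code from the question or answer: a user-space model
 * of the frame the answer describes, lowest address first:
 *
 *   buf[12]            what strcpy() writes into, upward
 *   canary  (8 bytes)  the -8(%rbp) slot filled from %fs:40
 *   return address     what the check protects
 *
 * Assumptions: canary values, FAKE_RET and the unpadded layout are constructed.
 * The 0x00 lowest-address byte of GLIBC_STYLE_CANARY mirrors glibc's guard.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN    12            /* the 12 bytes the question allocates */
#define CANARY_OFF BUF_LEN       /* canary sits immediately above buf */
#define RET_OFF    (BUF_LEN + 8) /* return-address slot above the canary */
#define FRAME_LEN  (RET_OFF + 8)

/* Constructed 8-byte canaries, stored as they would appear in memory. */
static const uint8_t GLIBC_STYLE_CANARY[8] = {0x00, 0xf6, 0xd4, 0xb2, 0x17, 0x9e, 0x3c, 0x5a};
static const uint8_t NAIVE_CANARY[8]       = {0xa5, 0xf6, 0xd4, 0xb2, 0x17, 0x9e, 0x3c, 0x5a};
static const uint8_t FAKE_RET[8]           = {0x36, 0x11, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00};

/* Prologue: plant the canary and the return address in the frame. */
static void frame_enter(uint8_t *frame, const uint8_t canary[8])
{
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CANARY_OFF, canary, 8);   /* movq %rax, -8(%rbp) */
    memcpy(frame + RET_OFF, FAKE_RET, 8);
}

/* strcpy(buf, src) into the bottom of the frame. strcpy copies the NUL too,
 * so "hello world!" (12 chars) writes 13 bytes. The copy is clamped to the
 * frame so the model itself stays in bounds. */
static void frame_strcpy(uint8_t *frame, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, src, n);
}

/* Epilogue: compare the slot with the value it was filled from.
 * Returns 1 if __stack_chk_fail would be called, 0 if ret proceeds. */
static int frame_check(const uint8_t *frame, const uint8_t canary[8])
{
    return memcmp(frame + CANARY_OFF, canary, 8) != 0;  /* xorq %fs:40,%rcx ; je */
}

/* Run prologue, copy and epilogue for one input; 1 = the check trips. */
int canary_tripped(const char *src, const uint8_t canary[8])
{
    uint8_t frame[FRAME_LEN];
    frame_enter(frame, canary);
    frame_strcpy(frame, src);
    return frame_check(frame, canary);
}

/* Same copy; 1 if the return-address slot no longer holds FAKE_RET. */
int ret_addr_clobbered(const char *src, const uint8_t canary[8])
{
    uint8_t frame[FRAME_LEN];
    frame_enter(frame, canary);
    frame_strcpy(frame, src);
    return memcmp(frame + RET_OFF, FAKE_RET, 8) != 0;
}

#if defined(__x86_64__) && defined(__linux__)
/* The live guard the answer's asm reads: %fs:40 (0x28) on x86-64 Linux. */
static uint64_t live_canary(void)
{
    uint64_t c;
    __asm__ volatile ("movq %%fs:0x28, %0" : "=r"(c));
    return c;
}
#endif

int main(void)
{
    const char *inputs[] = {
        "hello world",      /* 11 + NUL = 12 bytes: fits exactly */
        "hello world!",     /* 13 bytes: only the NUL lands on the canary */
        "hello world!!",    /* 14 bytes: '!' lands on the canary's first byte */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAA", /* 29 bytes: reaches the return address */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-30s glibc-style trips=%d  naive trips=%d  ret clobbered=%d\n",
               inputs[i],
               canary_tripped(inputs[i], GLIBC_STYLE_CANARY),
               canary_tripped(inputs[i], NAIVE_CANARY),
               ret_addr_clobbered(inputs[i], GLIBC_STYLE_CANARY));
#if defined(__x86_64__) && defined(__linux__)
    printf("live %%fs:40 guard has zero low byte: %d\n",
           (live_canary() & 0xff) == 0);
#endif
    return 0;
}
```

Build it with any C compiler; on x86-64 Linux the last line reads the process's real guard through the same %fs:40 reference the answer's asm uses and reports whether its low byte is zero. The "naive" column shows what a canary without that zero byte would have caught, which is the trade-off glibc makes: the zero byte stops string functions from copying the guard out, at the cost of missing a spill of exactly one terminator. To watch the real __stack_chk_fail fire, compile a function with a local char array using -fstack-protector-all and overflow it by more than one byte; the model here exists so the result does not depend on those flags.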