c++ - What do the CFI directives mean? (and some more questions) -


ok, gonna long question. i'm trying understand how "buffer overflow" works. reading smashing stack fun , profit aleph1 , have got disassembly of following code:

void function(int a, int b, int c) {    char buffer1[5];    char buffer2[10]; }  void main() {   function(1,2,3); }

the disameembly using -s flag of gcc gives me:

    .file   "example1.c"     .text     .globl  function     .type   function, @function function: .lfb0:     .cfi_startproc     pushq   %rbp     .cfi_def_cfa_offset 16     .cfi_offset 6, -16     movq    %rsp, %rbp     .cfi_def_cfa_register 6     subq    $48, %rsp     movl    %edi, -36(%rbp)     movl    %esi, -40(%rbp)     movl    %edx, -44(%rbp)     movq    %fs:40, %rax     movq    %rax, -8(%rbp)     xorl    %eax, %eax     movq    -8(%rbp), %rax     xorq    %fs:40, %rax     je  .l2     call    __stack_chk_fail .l2:     leave     .cfi_def_cfa 7, 8     ret     .cfi_endproc .lfe0:     .size   function, .-function     .globl  main     .type   main, @function main: .lfb1:     .cfi_startproc     pushq   %rbp     .cfi_def_cfa_offset 16     .cfi_offset 6, -16     movq    %rsp, %rbp     .cfi_def_cfa_register 6     movl    $3, %edx     movl    $2, %esi     movl    $1, %edi     call    function     popq    %rbp     .cfi_def_cfa 7, 8     ret     .cfi_endproc .lfe1:     .size   main, .-main     .ident  "gcc: (ubuntu 4.8.2-19ubuntu1) 4.8.2"     .section    .note.gnu-stack,"",@progbits

the .cfi directives not in paper aleph1 , guess not used then. have read this question on so , used gcc exception handling. have read another question on so , .lfb0, .lfe0, .lfe1 , .lfb1 labels have following doubts:

  1. i .cfi directives used exception handling don't understand mean. have been here , see definitions like:

.cfi_def_cfa register, offset

.cfi_def_cfa defines rule computing cfa as: take address register , add offset it.

however, if take @ disassembly have put above you don't find register name (like eax, ebx , on) instead find number there (i have found '6') , don't know how's supposed register. especially, can explain .cfi_def_cfa_offset 16, .cfi_offset 6, -16, .cfi_def_cfa_register 6 , .cfi_def_cfa 7, 8 mean? also, cfa mean? asking because in books/papers procedure prolog : 

 pushl %ebp  movl %esp,%ebp  subl $20,%esp

however, think procedure prolog in modern computers follows:

    .cfi_startproc     pushq   %rbp     .cfi_def_cfa_offset 16     .cfi_offset 6, -16     movq    %rsp, %rbp     .cfi_def_cfa_register 6     subq    $48, %rsp

initially thought cfi directives used instead of sub mnemonic set offset that's not case; sub command still being used in spite of using cfi directives.

  1. i understood there labels each procedure. however, why multiple nested labels inside procedure? in case main has .lfb1 , .lfe2 labels. need multiple labels? function procedure has labels .lfb0, .l2 , .lfe0

  2. the last 3 lines both procedures seem used housekeeping functions (telling size of procedure, maybe?) not sure mean. can explain mean , what's use?

edit:

(adding 1 more question)

  1. do cfi directives take space? because in procedure "function", each int parameter take 4 bytes , number of 3, parameter takes 12 bytes in memory. next, first char array takes 8 bytes (round 5bytes 8bytes), , next char array takes 12bytes (round 10bytes 12bytes), whole char array takes 20 bytes. summing these all, parameter , local variables need 12+20=32 bytes.

    but in procedure "function", compiler subtract 48 bytes store values. why?

as per request in reverse engineering putting contents of comments answers here ( dont know if going remain see severe competition down-vote , up-vote question there )

lindy dancer answered cfi , cfa means (call frame information ) , (call frame address )

.l<num> denotes labels per various tidbits in google in x64 gcc names labels in following format start .l , end a numeral .l1 , .l2 , .l....infinity labels

according google , earlier so answers bf<num> indicates function-begin , ef<num> indicates function-end

so .lbf0 , .lbf1 . lbf.....infinity , .lfe0 ,......., .lfe....infinity

denotes function begins , function ends in each function compiler requires take care of internal needs should forget them @ moment unless there grave need dig compiler internals

the other label .l2 exists address branching instruction je in function

je  .l2

also every compiler aligns , pads access arguments , locals boundary

i can't sure x64 default align 16 bytes think gcc if request odd reservation

char foo[5] or
byte blah [10]

the indices 5 , 10 not aligned x86

for 5 x86 compiler assign8 bytes , 10 16 bytes

like wise x64 gcc might assign 16 bytes each of requests

you shouldn't worrying why compiler

when trying understand logic of assembly concentrate on addresses

if compiler decided will put x @ rbp +/- x also access @ same location through out scope or life of variable


Comments

Post a Comment

Popular posts from this blog

javascript - RequestAnimationFrame not working when exiting fullscreen switching space on Safari -

request animation frame stops working when exiting fullscreen clicking on original space's safari window. fine if fullscreen mode canceled escape key or calling cancelfullscreen(). steps reproduce: open https://dl.dropboxusercontent.com/u/769042/prezi/safari-fullscreen.html click "draw raf", kittie appears click "fullscreen", go fullscreen click "draw raf", kittie appears go space original safari was, showing "click exit fullscreen mode", click anywhere, out fullscreen click "draw raf", nothing happens what handling click calling: window.requestanimationframe(draw); which draws on canvas context: function draw() { ctx.drawimage(img, math.random()*500|0, math.random()*400|0, 100, 100); } i checked .hidden , .visibilitystate, updated correctly. tested on osx 10.9.3, safari 7.0.4 (9537.76.4). has workaround/solution other switching old settimeout? this sounds webkit bug 88940 : using reque
Read more

Python ctypes access violation with const pointer arguments -

i have api i'm trying wrap in python (2.7.6 on win7) code using ctypes. here's api: client_dllfunc bool clientapi search_exporttoclipcopy(clienthsearch handle, int channel, lpctstr filename, const time_t& from, const time_t& to, const bool* cameras, int length, bool usepassword, lpctstr password, bool includetextin = false, bool excludeplayer = false); the issue i'm having cameras argument; , i've had issue other const pointer arguments well. here's how i'm wrapping api: def search_exporttoclipcopy(self, hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, password, includetextin=true, excludeplayer=false): exporttoclipcopy = self.sdkdll.search_exporttoclipcopy exporttoclipcopy.argtypes = [c_int, c_int, c_wchar_p, c_long, c_long, pointer(c_bool), c_int, c_bool, c_wchar_p, c_bool, c_bool] exporttoclipcopy.restype = c_bool exporttoclipcopy(hsearch, csearch, filename, tfrom, tto, cameras, length, usepassword, pass
Read more