为什么此内存地址％fs：0x28（fs [0x28]）具有随机值？ [英] Why does this memory address %fs:0x28 ( fs[0x28] ) have a random value?

问题描述

我已经编写了一段C代码，并对其进行了反汇编，还阅读了寄存器以了解程序在汇编中的工作方式。

I've written a piece of C code and I've disassembled it as well as read the registers to understand how the program works in assembly.

int test(char *this){
    char sum_buf[6];
    strncpy(sum_buf,this,32);
    return 0;
}

我正在检查的代码片段是测试函数。当我反汇编我的测试函数的输出时，我得到...

The piece of my code that I've been examining is the test function. When I disassemble the output my test function I get ...

   0x00000000004005c0 <+12>:        mov    %fs:0x28,%rax
=> 0x00000000004005c9 <+21>:        mov    %rax,-0x8(%rbp)
... stuff ..
   0x00000000004005f0 <+60>:        xor    %fs:0x28,%rdx
   0x00000000004005f9 <+69>:        je     0x400600 <test+76>
   0x00000000004005fb <+71>:        callq  0x4004a0 <__stack_chk_fail@plt>
   0x0000000000400600 <+76>:        leaveq 
   0x0000000000400601 <+77>:        retq 

我想知道的是 mov％fs：0x28，％rax 到底在做什么？

What I would like to know is what mov %fs:0x28,%rax is really doing?

推荐答案

在x86_64上，不再使用分段寻址，而 FS 和 GS 寄存器可用作基本指针地址，以访问特殊的操作系统数据结构。因此，您看到的是一个与 FS 寄存器中保存的值偏移的值，而不是对内容的位操作。 FS 寄存器。

On x86_64, segmented addressing is no longer used, but the both the FS and GS registers can be used as base-pointer addresses in order to access special operating system data-structures. So what you're seeing is a value loaded at an offset from the value held in the FS register, and not bit manipulation of the contents of the FS register.

具体发生的是Linux上的 FS：0x28 正在存储特殊的前哨堆栈保护值，并且代码正在执行堆栈保护检查。例如，如果您进一步看代码，您会发现 FS：0x28 的值存储在堆栈中，然后调用堆栈中的内容然后执行 XOR ，其原始值为 FS：0x28 。如果两个值相等，这意味着因为 XOR 对两个相同值进行运算而得到零值，所以设置了零位，那么我们跳转到 test 例程，否则我们跳转到一个特殊的函数，该函数指示堆栈以某种方式损坏，并且存储在堆栈上的哨兵值已更改。

Specifically what's taking place, is that FS:0x28 on Linux is storing a special sentinel stack-guard value, and the code is performing a stack-guard check. For instance, if you look further in your code, you'll see that the value at FS:0x28 is stored on the stack, and then the contents of the stack are recalled and an XOR is performed with the original value at FS:0x28. If the two values are equal, which means that the zero-bit has been set because XOR'ing two of the same values results in a zero-value, then we jump to the test routine, otherwise we jump to a special function that indicates that the stack was somehow corrupted, and the sentinel value stored on the stack was changed.

如果使用GCC，则可以使用

-fno-stack-protector

这篇关于为什么此内存地址％fs：0x28（fs [0x28]）具有随机值？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！