What is the order of local variables on the stack?
Question
I'm currently trying to do some tests with the buffer overflow vulnerability. Here is the vulnerable code:
#include <stdio.h>   /* added: declares printf() and (pre-C11) gets() */

void win()
{
    printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
    volatile int (*fp)();   /* note: volatile here qualifies the return type, not the pointer */
    char buffer[64];
    fp = 0;
    gets(buffer);           /* no bounds check: this is the intended overflow point */
    if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
    }
}
The exploit is quite simple and very basic: all I need here is to overflow the buffer and override the fp value to make it hold the address of the win() function. While trying to debug the program, I figured out that fp is placed below the buffer (i.e. with a lower address in memory), and thus I am not able to modify its value. I thought that once we declare a local variable x before y, x will be higher in memory (i.e. at the bottom of the stack), so x can override y if it exceeds its boundaries, which is not the case here. I'm compiling the program with gcc version 5.2.1, no special flags (only tested -O0).
Any clues?
Answer
The order of local variables on the stack is undefined.
It may change between different compilers, different versions or different optimization options. It may even depend on the names of the variables or other seemingly unrelated things.
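Because the layout is a property of the compiler and its flags rather than of the source, the practical move is to measure it instead of assuming it. One common cause of the "fp is below buffer" layout on Linux distributions is GCC's stack protector, which many distributions enable by default: it reorders locals so that character arrays sit at higher addresses than scalars and pointers (next to the canary), so an overflow of buffer runs into the canary rather than into fp. Compiling with -fno-stack-protector usually restores the declaration-order layout the question expected. The program below is an added example, not code from the question or the answer: probe_layout() declares the two locals in the same order as the vulnerable main() and reports where fp landed relative to buffer, and payload_length() turns a measured layout into the number of bytes a gets() line would need to overwrite fp completely. The printed result depends on your compiler and flags by design.

```c
/* Added example (not from the original question or answer): probe where the
 * compiler placed `fp` relative to `buffer`, and compute how many bytes a
 * gets()-style overflow would need to reach `fp`.  The layout reported is
 * whatever *your* compiler and flags produce; it is not a constant. */
#include <stdint.h>
#include <stdio.h>

/* 1 if a write that starts at buf and runs past its end would hit target,
 * 0 if target lies at a lower address (or inside the buffer itself). */
int overflow_reaches(const void *buf, size_t bufsize, const void *target)
{
    uintptr_t b = (uintptr_t)buf, t = (uintptr_t)target;
    return t >= b + bufsize;
}

/* Number of bytes the overflowing input must contain to fully overwrite a
 * target of target_size bytes, or -1 when the overflow cannot reach it. */
long payload_length(const void *buf, size_t bufsize, const void *target,
                    size_t target_size)
{
    if (!overflow_reaches(buf, bufsize, target))
        return -1;
    return (long)((uintptr_t)target - (uintptr_t)buf + target_size);
}

/* Declare locals in the same order as the vulnerable main() and return the
 * signed distance from buffer to fp in bytes: positive means fp lives above
 * the buffer (an overflow can reach it), negative means below (it cannot).
 * The pointer itself is volatile here so the compiler keeps it in memory. */
long probe_layout(void)
{
    int (* volatile fp)(void);
    volatile char buffer[64];
    fp = 0;
    buffer[0] = 0;
    return (long)((uintptr_t)&fp - (uintptr_t)buffer);
}

int main(void)
{
    long d = probe_layout();
    printf("fp is %ld bytes %s buffer\n", d < 0 ? -d : d,
           d < 0 ? "below" : "above");
    if (d > 0)
        printf("a %ld-byte line to gets() overwrites all of fp\n",
               d + (long)sizeof(void (*)(void)));
    else
        printf("this layout cannot reach fp from buffer; try compiling with "
               "-fno-stack-protector or swap the two declarations\n");
    return 0;
}
```

Build it once with the distribution defaults and once with -fno-stack-protector (and, if you want to see the answer's point directly, with -O0 and -O2) and compare the reported distances; the exploit input length for the vulnerable program is simply the payload_length() figure for the layout you actually observe.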