What is the order of local variables on the stack?
Problem description
I'm currently trying to do some tests with the buffer overflow vulnerability. Here is the vulnerable code
#include <stdio.h>

void win()
{
    printf("code flow successfully changed\n");
}

int main(int argc, char **argv)
{
    volatile int (*fp)();
    char buffer[64];
    fp = 0;
    gets(buffer);   /* unbounded read: this is the overflow under test */
    if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
    }
}
The exploit is quite simple and very basic: all I need here is to overflow the buffer and override the fp value to make it hold the address of the win() function. While trying to debug the program, I figured out that fp is placed below the buffer (i.e. with a lower address in memory), and thus I am not able to modify its value. I thought that once we declare a local variable x before y, x will be higher in memory (i.e. at the bottom of the stack), so x can override y if it exceeds its boundaries, which is not the case here. I'm compiling the program with gcc version 5.2.1, no special flags (only tested -O0).
Any clues?
Recommended answer
The order of local variables on the stack is unspecified.
It may change between different compilers, different versions or different optimization options. It may even depend on the names of the variables or other seemingly unrelated things.
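As an added example (not code from the question or the answer): the first function mirrors the two locals of the question's main() and reports, for whatever compiler builds it, whether buffer lies below fp, which is exactly what the answer says you cannot rely on; the second keeps the same locals but replaces gets() with fgets(), so the input cannot reach fp regardless of layout. fmemopen() (POSIX) stands in for stdin, fed with a constructed 200-byte line.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same locals as the question's main(). Returns 1 if buffer sits at a lower
 * address than fp for this build, else 0. Nothing guarantees either outcome,
 * and comparing unrelated objects via uintptr_t is only implementation-defined. */
int layout_buffer_below_fp(void)
{
    int (*volatile fp)(void) = 0;   /* volatile pointer: cannot be optimised away */
    char buffer[64] = "";
    printf("fp at %p, buffer at %p\n", (void *)&fp, (void *)buffer);
    return (uintptr_t)buffer < (uintptr_t)&fp;
}

/* Same shape as the vulnerable main(), but fgets() stores at most
 * sizeof(buffer) - 1 bytes plus the terminator, so no input reaches fp
 * whatever the layout. `input` is a constructed stand-in for stdin.
 * Returns the length kept in buffer, or -1 if fp was modified. */
long bounded_read(const char *input)
{
    int (*volatile fp)(void) = 0;
    char buffer[64] = "";
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (in == NULL)
        return -1;
    if (fgets(buffer, sizeof buffer, in) == NULL)
        buffer[0] = '\0';
    fclose(in);
    return fp == 0 ? (long)strlen(buffer) : -1;
}

/* Constructed input: 200 'A's, far longer than the 64-byte buffer. */
const char *overlong_input(void)
{
    static char line[201];
    memset(line, 'A', 200);
    line[200] = '\0';
    return line;
}

int main(void)
{
    printf("buffer below fp: %d\n", layout_buffer_below_fp());
    printf("bytes kept from overlong line: %ld\n", bounded_read(overlong_input()));
    printf("bytes kept from short line: %ld\n", bounded_read("short\n"));
    return 0;
}
```

Build it with two different -O levels or compilers and the first line of output may flip, while the bounded read keeps 63 bytes either way.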