Local variables on stack


Question

To understand the stack frame concept, I wrote a little program for my own. First I will show you the code, a little sketch about it and then I will present my question:

So, the program:

#include <stdio.h>
#include <string.h>

int check_pw(char *password){
    int valid = 0;
    char buffer[10]; 

    /* unbounded copy: a password longer than 9 chars overflows buffer */
    strcpy(buffer, password);

    if(strcmp(buffer, "a") == 0){
       valid = 1;
    }

    return valid;
}

int main(int argc, char *argv[]){
   if(check_pw(argv[1])){
        printf("OK\n");
   }
   else{
        printf("Wrong password\n");
   }
   return 0;
}

I give the password as a command-line argument. And if it is equal to 'a', then it is ok. So, I think it is clear.

Now the sketch of how the stack frame of the function check_pw must look:

               -------------------------         LOW
               |    buffer             |
               -------------------------
               |    valid              |
               -------------------------
               |    old EBP            |
               -------------------------
               |      RET              |
               -------------------------
               |      password         |
               -------------------------        HIGH

Now, my question:

  • I assume that the sketch is correct. So, then the first local variable "valid" must get a higher memory address than the second variable "buffer", right?

But when I use gdb as debugger (I use Ubuntu Lucid Lynx), set my breakpoints at the right places and type the following: x/x &valid and x/x &buffer, then I get the address 0xbffff388 for "valid" and 0xbffff38c for "buffer". So, it is obvious that "buffer" has a higher address, but why?

Answer

In order to protect against buffer overflows (like the one which could be exploited through your strcpy use, for instance), there's this technique which consists of writing a pre-defined value at the end of all arrays allocated on the stack. When the function returns, the value (usually called a canary) is verified and the program aborts if the value has changed.

The address where the program has to jump back to after the function finishes is pushed on the stack. A common attack is to override that value, making the program execute code injected by the attacker. If there's a canary between the compromised buffer and the pointer, the attacker would have to guess the canary value in order to gain control of the program execution.

You can learn more about it on Wikipedia: http://en.wikipedia.org/wiki/Buffer_overflow_protection#A_canary_example

You can disable that on gcc. If you compile your code like so (let's say your program filename is login.c):

gcc -g -fno-stack-protector login.c

You will notice that the variables are no longer rearranged.
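As an added illustration (not code from the question or the answer), the program below pairs a bounds-checked version of check_pw with a probe that reports whether the array was placed above the scalar in its frame. Compile it twice, once plainly and once with -fno-stack-protector, to see the reordering the answer describes; the function names check_pw_safe and array_above_scalar are my own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define PW_BUF 10

/* Hardened check: the copy is bounded, so an over-long password is
   rejected instead of overflowing buffer. */
int check_pw_safe(const char *password)
{
    char buffer[PW_BUF];
    int valid = 0;

    if (password == NULL)
        return 0;
    /* Need room for the terminator; anything longer cannot fit. */
    if (strlen(password) >= sizeof buffer)
        return 0;
    memcpy(buffer, password, strlen(password) + 1);

    if (strcmp(buffer, "a") == 0)
        valid = 1;
    return valid;
}

/* Layout probe: returns 1 if the char array sits at a higher address
   than the int (the order the stack protector produces), else 0. */
int array_above_scalar(void)
{
    int valid = 0;
    char buffer[PW_BUF] = "";
    uintptr_t a = (uintptr_t)&valid, b = (uintptr_t)buffer;

    printf("valid  at %p\nbuffer at %p\n", (void *)&valid, (void *)buffer);
    return b > a;
}

int main(int argc, char *argv[])
{
    if (argc > 1)
        puts(check_pw_safe(argv[1]) ? "OK" : "Wrong password");
    if (array_above_scalar())
        puts("buffer above valid: arrays reordered (stack protector on)");
    else
        puts("buffer below valid: declaration order kept");
    return 0;
}
```

The probe's result depends on the compiler and its flags, which is exactly why the gdb addresses in the question did not match the hand-drawn sketch.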
