
Lecture 9 Aggregate Data Organization

Lecture 9 Aggregate Data Organization. CSCE 212 Computer Architecture. Topics Pointers Aggregate Data Array layout in memory Structures. February 14, 2012. Overview. Last Time GDB recursive Lab 2 – Questions due today Test 1 Feb ?? Not Feb 15 New Datalab Pointers Aggregate Data


Presentation Transcript


  1. Lecture 9 Aggregate Data Organization
     CSCE 212 Computer Architecture
     February 14, 2012
     Topics
     • Pointers
     • Aggregate Data
     • Array layout in memory
     • Structures

  2. Overview
     Last Time
     • GDB
     • recursive
     • Lab 2 – Questions due today
     • Test 1 Feb ?? Not Feb 15
     New
     • Datalab
     • Pointers
     • Aggregate Data
     • Array layout in memory
     • Structures
     Next Time:
     • Test 1 – Feb 23
     • February 27, Mon. Last day to drop a course or withdraw without a grade of "WF" being recorded (Session C002)
     • Test 1 Review

  3. Pointer Code
     Recursive Procedure
         void s_helper(int x, int *accum)
         {
             if (x <= 1)
                 return;
             else {
                 int z = *accum * x;
                 *accum = z;
                 s_helper(x-1, accum);
             }
         }
     Top-Level Call
     • Pass pointer to update location
         int sfact(int x)
         {
             int val = 1;
             s_helper(x, &val);
             return val;
         }

  4. Creating & Initializing Pointer
     Initial part of sfact
         _sfact:
             pushl %ebp          # Save %ebp
             movl %esp,%ebp      # Set %ebp
             subl $16,%esp       # Add 16 bytes
             movl 8(%ebp),%edx   # edx = x
             movl $1,-4(%ebp)    # val = 1
     Using Stack for Local Variable
     • Variable val must be stored on stack
     • Need to create pointer to it
     • Compute pointer as -4(%ebp)
     • Push on stack as second argument
     Stack after the prologue (offsets from %ebp):
         +8    x
         +4    Rtn adr
          0    Old %ebp                <- %ebp
         -4    val = 1
         -8 .. -16   Unused (temp. space); %esp = %ebp-16

  5. Passing Pointer
     Calling s_helper from sfact
         leal -4(%ebp),%eax    # Compute &val
         pushl %eax            # Push on stack
         pushl %edx            # Push x
         call s_helper         # call
         movl -4(%ebp),%eax    # Return val
         • • •                 # Finish
     Stack at time of call (offsets from %ebp):
         +8    x
         +4    Rtn adr
          0    Old %ebp                <- %ebp
         -4    val = 1 (holds x! when s_helper returns)
         -8 .. -16   Unused
         -20   &val   (second argument)
         -24   x      (first argument) <- %esp

  6. Using Pointer
         void s_helper(int x, int *accum)
         {
             • • •
             int z = *accum * x;
             *accum = z;
             • • •
         }
     • Register %ecx holds x
     • Register %edx holds pointer to accum
     • Use access (%edx) to reference memory
         • • •
         movl %ecx,%eax      # z = x
         imull (%edx),%eax   # z *= *accum
         movl %eax,(%edx)    # *accum = z
         • • •
     After the imull, %eax holds accum*x; the final movl writes it back through the pointer in %edx.

  7. Array Allocation
     Basic Principle
         T A[L];
     • Array of data type T and length L
     • Contiguously allocated region of L * sizeof(T) bytes
     Examples (x = starting address; IA32 sizes):
         char string[12];   bytes x .. x + 12
         int val[5];        elements at x, x + 4, x + 8, x + 12, x + 16; ends at x + 20
         double a[4];       elements at x, x + 8, x + 16, x + 24; ends at x + 32
         char *p[3];        elements at x, x + 4, x + 8; ends at x + 12

  8. Array Access
     Basic Principle
         T A[L];
     • Array of data type T and length L
     • Identifier A can be used as a pointer to array element 0
     Example: int val[5] = { 1, 5, 2, 1, 3 }; stored starting at address x
         Reference    Type    Value
         val[4]       int     3
         val          int *   x
         val+1        int *   x + 4
         &val[2]      int *   x + 8
         val[5]       int     ??  (out of bounds)
         *(val+1)     int     5
         val + i      int *   x + 4 i

  9. Array Example
         typedef int zip_dig[5];
         zip_dig cmu = { 1, 5, 2, 1, 3 };
         zip_dig mit = { 0, 2, 1, 3, 9 };
         zip_dig ucb = { 9, 4, 7, 2, 0 };
     Notes
     • Declaration "zip_dig cmu" equivalent to "int cmu[5]"
     • Example arrays were allocated in successive 20 byte blocks: cmu at 16..36, mit at 36..56, ucb at 56..76
     • Not guaranteed to happen in general

  10. Array Accessing Example
         int get_digit(zip_dig z, int dig)
         {
             return z[dig];
         }
     Computation
     • Register %edx contains starting address of array
     • Register %eax contains array index
     • Desired digit at 4*%eax + %edx
     • Use memory reference (%edx,%eax,4)
     Memory Reference Code
         # %edx = z
         # %eax = dig
         movl (%edx,%eax,4),%eax   # z[dig]

  11. Referencing Examples
     Same arrays as slide 9 (cmu at 16, mit at 36, ucb at 56).
         Reference   Address             Value   Guaranteed?
         mit[3]      36 + 4*3   = 48     3       Yes
         mit[5]      36 + 4*5   = 56     9       No
         mit[-1]     36 + 4*-1  = 32     3       No
         cmu[15]     16 + 4*15  = 76     ??      No
     Code Does Not Do Any Bounds Checking!
     • Out of range behavior implementation-dependent
     • No guaranteed relative allocation of different arrays

  12. Array Loop Example
     Original Source
         int zd2int(zip_dig z)
         {
             int i;
             int zi = 0;
             for (i = 0; i < 5; i++) {
                 zi = 10 * zi + z[i];
             }
             return zi;
         }
     Transformed Version
     • As generated by GCC
     • Eliminate loop variable i
     • Convert array code to pointer code
     • Express in do-while form
     • No need to test at entrance
         int zd2int(zip_dig z)
         {
             int zi = 0;
             int *zend = z + 4;
             do {
                 zi = 10 * zi + *z;
                 z++;
             } while (z <= zend);
             return zi;
         }

  13. Array Loop Implementation
         int zd2int(zip_dig z)
         {
             int zi = 0;
             int *zend = z + 4;
             do {
                 zi = 10 * zi + *z;
                 z++;
             } while (z <= zend);
             return zi;
         }
     Registers
         %ecx   z
         %eax   zi
         %ebx   zend
     Computations
     • 10*zi + *z implemented as *z + 2*(zi+4*zi)
     • z++ increments by 4
         # %ecx = z
             xorl %eax,%eax             # zi = 0
             leal 16(%ecx),%ebx         # zend = z+4
         .L59:
             leal (%eax,%eax,4),%edx    # 5*zi
             movl (%ecx),%eax           # *z
             addl $4,%ecx               # z++
             leal (%eax,%edx,2),%eax    # zi = *z + 2*(5*zi)
             cmpl %ebx,%ecx             # z : zend
             jle .L59                   # if <= goto loop

  14. Nested Array Example
         #define PCOUNT 4
         zip_dig pgh[PCOUNT] = {{1, 5, 2, 0, 6},
                                {1, 5, 2, 1, 3},
                                {1, 5, 2, 1, 7},
                                {1, 5, 2, 2, 1}};
     • Declaration "zip_dig pgh[4]" equivalent to "int pgh[4][5]"
     • Variable pgh denotes array of 4 elements
       • Allocated contiguously
     • Each element is an array of 5 int's
       • Allocated contiguously
     • "Row-Major" ordering of all elements guaranteed
     In the example, pgh starts at 76; the rows start at 76, 96, 116, 136 and the array ends at 156.

  15. Nested Array Allocation
     Declaration
         T A[R][C];
     • Array of data type T
     • R rows, C columns
     • Type T element requires K bytes
     Array Size
     • R * C * K bytes
     Arrangement
     • Row-Major Ordering: A[0][0] ... A[0][C-1], A[1][0] ... A[1][C-1], ..., A[R-1][0] ... A[R-1][C-1]
     For int A[R][C]: 4*R*C bytes

  16. Nested Array Row Access
     Row Vectors
         int A[R][C];
     • A[i] is array of C elements
     • Each element of type T
     • Starting address – base address of A + i * C * K
     For int (K = 4): A[0] starts at A, A[i] at A + i*C*4, A[R-1] at A + (R-1)*C*4

  17. Nested Array Row Access Code
         int *get_pgh_zip(int index)
         {
             return pgh[index];
         }
     Row Vector
     • pgh[index] is array of 5 int's
     • Starting address pgh+20*index
     Code
     • Computes and returns address
     • Compute as pgh + 4*(index+4*index)
         # %eax = index
         leal (%eax,%eax,4),%eax    # 5 * index
         leal pgh(,%eax,4),%eax     # pgh + (20 * index)

  18. Nested Array Element Access
     Array Elements
     • A[i][j] is element of type T
     • Address of A[i][j] is base-of A + (i * C + j) * K
     • Base-of A = starting address of array = &A[0][0]
     • C = number of columns = number of elements in a row
     • K = size of individual element
     For int A[R][C]: row A[i] starts at A + i*C*4, and A[i][j] is at A + (i*C+j)*4

  19. Nested Array Element Access Code
         int get_pgh_digit(int index, int dig)
         {
             return pgh[index][dig];
         }
     Array Elements
     • pgh[index][dig] is int
     • Address: pgh + 20*index + 4*dig
     Code
     • Computes address pgh + 4*dig + 4*(index+4*index)
     • movl performs memory reference
         # %ecx = dig
         # %eax = index
         leal 0(,%ecx,4),%edx          # 4*dig
         leal (%eax,%eax,4),%eax       # 5*index
         movl pgh(%edx,%eax,4),%eax    # *(pgh + 4*dig + 20*index)
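The address formulas of slides 7 through 19 can be checked at run time rather than taken on faith. The following is an added example, not code from the lecture: it recomputes the row and element addresses of the lecture's own pgh array by hand and compares them with what the compiler's indexing produces, then repeats the check on a double[3][7] to show the rule is general. The names elem_addr, row_addr, check_pgh_layout, check_generic_layout and pgh_digit_offset are this example's; zip_dig, pgh, get_pgh_zip, get_pgh_digit and zd2int are taken from the slides.

```c
/* Added example (not from the lecture slides): checks the address arithmetic
 * of slides 7-19 at run time on the lecture's own pgh array, and on a second
 * array of a different element type and shape to show the rule is general.
 * Names here (elem_addr, row_addr, check_pgh_layout, check_generic_layout,
 * pgh_digit_offset) are this example's; zip_dig, pgh, get_pgh_zip,
 * get_pgh_digit and zd2int are the lecture's. */
#include <stddef.h>
#include <stdio.h>

typedef int zip_dig[5];

#define PCOUNT 4
zip_dig pgh[PCOUNT] = {{1, 5, 2, 0, 6},
                       {1, 5, 2, 1, 3},
                       {1, 5, 2, 1, 7},
                       {1, 5, 2, 2, 1}};

/* Slide 16: row i of T A[R][C] with sizeof(T) == k starts at base + i*C*k. */
static void *row_addr(void *base, size_t i, size_t cols, size_t k)
{
    return (char *)base + i * cols * k;
}

/* Slide 18: &A[i][j] is base + (i*C + j)*k. */
static void *elem_addr(void *base, size_t i, size_t j, size_t cols, size_t k)
{
    return (char *)base + (i * cols + j) * k;
}

/* The compiler's own indexing, from slides 17 and 19. */
int *get_pgh_zip(int index) { return pgh[index]; }
int get_pgh_digit(int index, int dig) { return pgh[index][dig]; }

/* 1 if the hand-computed row and element addresses agree with the compiler
 * for every element of pgh and rows really are 20 bytes apart; else 0. */
int check_pgh_layout(void)
{
    for (int i = 0; i < PCOUNT; i++) {
        if (row_addr(pgh, i, 5, sizeof(int)) != (void *)get_pgh_zip(i))
            return 0;
        for (int j = 0; j < 5; j++) {
            int *p = elem_addr(pgh, i, j, 5, sizeof(int));
            if (p != &pgh[i][j] || *p != get_pgh_digit(i, j))
                return 0;
        }
    }
    return (char *)pgh[1] - (char *)pgh[0] == 20;
}

/* Same check on double M[3][7]: k = 8, C = 7, so the row stride is 56 bytes. */
int check_generic_layout(void)
{
    double M[3][7];
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 7; j++)
            if (elem_addr(M, i, j, 7, sizeof(double)) != (void *)&M[i][j])
                return 0;
    return (char *)M[1] - (char *)M[0] == (ptrdiff_t)(7 * sizeof(double));
}

/* Slide 19: byte offset of pgh[index][dig] from pgh is 20*index + 4*dig. */
ptrdiff_t pgh_digit_offset(int index, int dig)
{
    return (char *)&pgh[index][dig] - (char *)pgh;
}

/* Slide 12's GCC-transformed loop: a pointer walk with no index variable. */
int zd2int(zip_dig z)
{
    int zi = 0;
    int *zend = z + 4;
    do {
        zi = 10 * zi + *z;
        z++;
    } while (z <= zend);
    return zi;
}

int main(void)
{
    printf("pgh layout matches formula: %d\n", check_pgh_layout());
    printf("double[3][7] layout matches formula: %d\n", check_generic_layout());
    printf("pgh[1] as a number: %d\n", zd2int(pgh[1]));
    printf("offset of pgh[2][3]: %ld bytes\n", (long)pgh_digit_offset(2, 3));
    return 0;
}
```

The same arithmetic is what lets an out-of-range index land on a neighbouring object, as slide 11 warns: nothing in `elem_addr` knows where the array ends, and neither does the compiled `movl pgh(%edx,%eax,4),%eax`.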

  20. Structures
     Concept
     • Contiguously-allocated region of memory
     • Refer to members within structure by names
     • Members may be of different types
         struct rec {
             int i;
             int a[3];
             int *p;
         };
     Memory Layout (IA32): i at offset 0, a at offset 4, p at offset 16; total 20 bytes
     Accessing Structure Member
         void set_i(struct rec *r, int val)
         {
             r->i = val;
         }
     Assembly
         # %eax = val
         # %edx = r
         movl %eax,(%edx)   # Mem[r] = val

  21. Generating Pointer to Struct. Member
         struct rec {
             int i;
             int a[3];
             int *p;
         };
     Generating Pointer to Array Element
     • Offset of each structure member determined at compile time
     • With i at 0, a at 4 and p at 16, &r->a[idx] is r + 4 + 4*idx
         int *find_a(struct rec *r, int idx)
         {
             return &r->a[idx];
         }
         # %ecx = idx
         # %edx = r
         leal 0(,%ecx,4),%eax      # 4*idx
         leal 4(%eax,%edx),%eax    # r+4*idx+4

  22. Structure Referencing (Cont.)
     C Code
         struct rec {
             int i;
             int a[3];
             int *p;
         };
         void set_p(struct rec *r)
         {
             r->p = &r->a[r->i];
         }
         # %edx = r
         movl (%edx),%ecx          # r->i
         leal 0(,%ecx,4),%eax      # 4*(r->i)
         leal 4(%edx,%eax),%eax    # r+4+4*(r->i)
         movl %eax,16(%edx)        # Update r->p
     Element i of a (at offset 4 + 4*i) is what p (at offset 16) ends up pointing to.

  23. Alignment
     Aligned Data
     • Primitive data type requires K bytes
     • Address must be multiple of K
     • Required on some machines; advised on IA32
       • treated differently by Linux and Windows!
     Motivation for Aligning Data
     • Memory accessed by (aligned) double or quad-words
       • Inefficient to load or store datum that spans quad word boundaries
       • Virtual memory very tricky when datum spans 2 pages
     Compiler
     • Inserts gaps in structure to ensure correct alignment of fields

  24. Specific Cases of Alignment
     Size of Primitive Data Type:
     • 1 byte (e.g., char)
       • no restrictions on address
     • 2 bytes (e.g., short)
       • lowest 1 bit of address must be 0 (binary)
     • 4 bytes (e.g., int, float, char *, etc.)
       • lowest 2 bits of address must be 00 (binary)
     • 8 bytes (e.g., double)
       • Windows (and most other OS's & instruction sets):
         • lowest 3 bits of address must be 000 (binary)
       • Linux:
         • lowest 2 bits of address must be 00 (binary)
         • i.e., treated the same as a 4-byte primitive data type
     • 12 bytes (long double)
       • Linux:
         • lowest 2 bits of address must be 00 (binary)
         • i.e., treated the same as a 4-byte primitive data type
     These are the IA32 rules used throughout this lecture; on x86-64, Linux also aligns double on 8 bytes.

  25. Satisfying Alignment with Structures
     Offsets Within Structure
     • Must satisfy element's alignment requirement
     Overall Structure Placement
     • Each structure has alignment requirement K
       • Largest alignment of any element
     • Initial address & structure length must be multiples of K
     Example (under Windows):
     • K = 8, due to double element
         struct S1 {
             char c;
             int i[2];
             double v;
         } *p;
     Layout: c at p+0, i[0] at p+4, i[1] at p+8, 4 bytes of padding at p+12, v at p+16, end at p+24
     • p+0 multiple of 8 (structure start), p+4 multiple of 4 (int), p+16 multiple of 8 (double), p+24 multiple of 8 (structure length)

  26. Linux vs. Windows
         struct S1 {
             char c;
             int i[2];
             double v;
         } *p;
     Windows (including Cygwin):
     • K = 8, due to double element
     • c at p+0, i[0] at p+4, i[1] at p+8, v at p+16 (multiple of 8), end at p+24
     Linux:
     • K = 4; double treated like a 4-byte data type
     • c at p+0, i[0] at p+4, i[1] at p+8, v at p+12 (multiple of 4), end at p+20

  27. Overall Alignment Requirement
         struct S2 {
             double x;
             int i[2];
             char c;
         } *p;
     • x at p+0, i[0] at p+8, i[1] at p+12, c at p+16; end at p+24 under Windows, p+20 under Linux
     • p must be multiple of: 8 for Windows, 4 for Linux
         struct S3 {
             float x[2];
             int i[2];
             char c;
         } *p;
     • x[0] at p+0, x[1] at p+4, i[0] at p+8, i[1] at p+12, c at p+16; end at p+20
     • p must be multiple of 4 (in either OS)

  28. Ordering Elements Within Structure
         struct S4 {
             char c1;
             double v;
             char c2;
             int i;
         } *p;
     • Windows: c1 at p+0, v at p+8, c2 at p+16, i at p+20, end at p+24
     • 10 bytes wasted space in Windows (7 after c1, 3 after c2)
         struct S5 {
             double v;
             char c1;
             char c2;
             int i;
         } *p;
     • v at p+0, c1 at p+8, c2 at p+9, i at p+12, end at p+16
     • 2 bytes wasted space

  29. Arrays of Structures
     Principle
     • Allocated by repeating allocation for array type
     • In general, may nest arrays & structures to arbitrary depth
         struct S6 {
             short i;
             float v;
             short j;
         } a[10];
     • Each element is 12 bytes: a[0] at a+0, a[1] at a+12, a[2] at a+24, a[3] at a+36, ...
     • Within a[1]: a[1].i at a+12, a[1].v at a+16, a[1].j at a+20, end at a+24
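The padding rule of slides 23 through 28 is short enough to write down as a function and check against the compiler. The following is an added example, not code from the lecture: layout_struct applies the two rules (each member starts at the next multiple of its own alignment; the struct is padded to a multiple of the largest alignment K) to a table of member sizes and alignments, reproduces the S4 and S5 numbers from slide 28 for both the Windows (double 8-aligned) and Linux IA32 (double 4-aligned) columns, and compares the 8-aligned result with the host compiler's offsetof/sizeof. The names member, struct_layout, layout_struct, padding_bytes, the s4_*/s5_* helpers and host_matches_s4 are this example's.

```c
/* Added example (not from the lecture slides): the padding rule of slides
 * 23-28 written as a function and checked against the compiler's own
 * offsetof/sizeof. Names here (member, struct_layout, layout_struct,
 * padding_bytes, s4_*, s5_*, host_matches_s4) are this example's. The
 * alignment of double is a parameter: 8 for the slides' Windows column (and
 * for x86-64 Linux), 4 for IA32 Linux. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    size_t size;   /* bytes the member occupies */
    size_t align;  /* its address must be a multiple of this */
} member;

typedef struct {
    size_t offset[8];  /* offset of each member (up to 8 members) */
    size_t total;      /* sizeof the struct, trailing padding included */
    size_t align;      /* K: largest alignment of any member */
} struct_layout;

/* Round x up to the next multiple of a (a is a power of two). */
static size_t align_up(size_t x, size_t a) { return (x + a - 1) & ~(a - 1); }

/* Slide 25's rule: each member starts at the next multiple of its own
 * alignment; the whole struct is padded to a multiple of K. */
struct_layout layout_struct(const member *m, size_t n)
{
    struct_layout L = { {0}, 0, 1 };
    size_t off = 0;
    for (size_t i = 0; i < n && i < 8; i++) {
        off = align_up(off, m[i].align);
        L.offset[i] = off;
        off += m[i].size;
        if (m[i].align > L.align) L.align = m[i].align;
    }
    L.total = align_up(off, L.align);
    return L;
}

/* Wasted bytes: total size minus the bytes that actually hold members. */
size_t padding_bytes(const member *m, size_t n)
{
    size_t used = 0;
    for (size_t i = 0; i < n; i++) used += m[i].size;
    return layout_struct(m, n).total - used;
}

/* Slide 28's structs as member tables: char (1,1), double (8,D), int (4,4). */
#define S4_MEMBERS(D) { {1, 1}, {8, (D)}, {1, 1}, {4, 4} }  /* c1 v c2 i */
#define S5_MEMBERS(D) { {8, (D)}, {1, 1}, {1, 1}, {4, 4} }  /* v c1 c2 i */

size_t s4_offset(size_t d, int idx) { member m[] = S4_MEMBERS(d); struct_layout L = layout_struct(m, 4); return L.offset[idx]; }
size_t s4_total(size_t d)  { member m[] = S4_MEMBERS(d); return layout_struct(m, 4).total; }
size_t s4_wasted(size_t d) { member m[] = S4_MEMBERS(d); return padding_bytes(m, 4); }
size_t s5_total(size_t d)  { member m[] = S5_MEMBERS(d); return layout_struct(m, 4).total; }
size_t s5_wasted(size_t d) { member m[] = S5_MEMBERS(d); return padding_bytes(m, 4); }

/* The real S4 on this host. On x86-64 (and on IA32 Windows) double is
 * 8-aligned, so the compiler's offsets should equal layout_struct with D = 8. */
struct S4 { char c1; double v; char c2; int i; };

int host_matches_s4(void)
{
    return s4_offset(8, 0) == offsetof(struct S4, c1) &&
           s4_offset(8, 1) == offsetof(struct S4, v)  &&
           s4_offset(8, 2) == offsetof(struct S4, c2) &&
           s4_offset(8, 3) == offsetof(struct S4, i)  &&
           s4_total(8) == sizeof(struct S4);
}

int main(void)
{
    printf("S4, double 8-aligned: %zu bytes, %zu wasted\n", s4_total(8), s4_wasted(8));
    printf("S4, double 4-aligned: %zu bytes, %zu wasted\n", s4_total(4), s4_wasted(4));
    printf("S5, double 8-aligned: %zu bytes, %zu wasted\n", s5_total(8), s5_wasted(8));
    printf("host S4 matches the 8-aligned model: %d\n", host_matches_s4());
    return 0;
}
```

The padding bytes this computes are exactly the bytes a struct-copying or struct-serialising routine leaks uninitialised if it writes the whole object with memcpy or write(); zeroing the struct before filling it, or serialising member by member, avoids that.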

  30. Linux Memory Layout
     (Red Hat v. 6.2, IA32; regions labeled by the upper 2 hex digits of the address)
         FF
         C0 / BF   Stack
         80        Heap
         7F
         40        DLLs
         3F        Heap
                   Data
         08        Text
         00
     Stack
     • Runtime stack (8MB limit)
     Heap
     • Dynamically allocated storage
     • When call malloc, calloc, new
     DLLs
     • Dynamically Linked Libraries
     • Library routines (e.g., printf, malloc)
     • Linked into object code when first executed
     Data
     • Statically allocated data
     • E.g., arrays & strings declared in code
     Text
     • Executable machine instructions
     • Read-only
     ~1920MB memory limit

  31. Linux Memory Allocation
     Four snapshots of the slide 30 map: Initially (Text at 08, Data, Stack at BF), Linked (DLLs mapped at 40), Some Heap (heap grows above Data, below 3F), More Heap (a second heap region appears above the DLLs, at 80).

  32. Text & Stack Example
     Initially only Text, Data and Stack are mapped.
         (gdb) break main
         (gdb) run
         Breakpoint 1, 0x804856f in main ()
         (gdb) print $esp
         $3 = (void *) 0xbffffc78
     Main
     • Address 0x804856f should be read 0x0804856f
     Stack
     • Address 0xbffffc78

  33. Dynamic Linking Example
         (gdb) print malloc
         $1 = {<text variable, no debug info>} 0x8048454 <malloc>
         (gdb) run
         Program exited normally.
         (gdb) print malloc
         $2 = {void *(unsigned int)} 0x40006240 <malloc>
     Initially
     • Code in text segment that invokes dynamic linker
     • Address 0x8048454 should be read 0x08048454
     Final
     • Code in DLL region (mapped at 0x40...)

  34. Memory Allocation Example
         #include <stdio.h>
         #include <stdlib.h>

         char big_array[1<<24];   /*  16 MB */
         char huge_array[1<<28];  /* 256 MB */
         int beyond;
         char *p1, *p2, *p3, *p4;

         int useless() { return 0; }

         int main()
         {
             p1 = malloc(1 << 28);  /* 256 MB */
             p2 = malloc(1 << 8);   /* 256 B  */
             p3 = malloc(1 << 28);  /* 256 MB */
             p4 = malloc(1 << 8);   /* 256 B  */
             /* Some print statements ... */
             return 0;
         }

  35. Example Addresses
     (against the slide 30 map: Stack at BF, Heap at 80, DLLs at 40, Heap at 3F, Data, Text at 08)
         $esp             0xbffffc78
         p3               0x500b5008
         p1               0x400b4008
         Final malloc     0x40006240
         p4               0x1904a640
         p2               0x1904a538
         beyond           0x1904a524
         big_array        0x1804a520
         huge_array       0x0804a510
         main()           0x0804856f
         useless()        0x08048560
         Initial malloc   0x08048454

  36. C operators
         Operators                              Associativity
         () [] -> .                             left to right
         ! ~ ++ -- + - * & (type) sizeof        right to left
         * / %                                  left to right
         + -                                    left to right
         << >>                                  left to right
         < <= > >=                              left to right
         == !=                                  left to right
         &                                      left to right
         ^                                      left to right
         |                                      left to right
         &&                                     left to right
         ||                                     left to right
         ?:                                     right to left
         = += -= *= /= %= &= ^= |= <<= >>=      right to left
         ,                                      left to right
     Note: Unary +, -, and * have higher precedence than binary forms

  37. C pointer declarations
         int *p                   p is a pointer to int
         int *p[13]               p is an array[13] of pointer to int
         int *(p[13])             p is an array[13] of pointer to int
         int **p                  p is a pointer to a pointer to an int
         int (*p)[13]             p is a pointer to an array[13] of int
         int *f()                 f is a function returning a pointer to int
         int (*f)()               f is a pointer to a function returning int
         int (*(*f())[13])()      f is a function returning ptr to an array[13] of pointers to functions returning int
         int (*(*x[3])())[5]      x is an array[3] of pointers to functions returning pointers to array[5] of ints

  38. Internet Worm and IM War
     November, 1988
     • Internet Worm attacks thousands of Internet hosts.
     • How did it happen?
     July, 1999
     • Microsoft launches MSN Messenger (instant messaging system).
     • Messenger clients can access popular AOL Instant Messaging Service (AIM) servers
     (Diagram: AIM clients and MSN clients both connect to the AIM server; MSN clients also connect to the MSN server.)

  39. Internet Worm and IM War (cont.)
     August 1999
     • Mysteriously, Messenger clients can no longer access AIM servers.
     • Microsoft and AOL begin the IM war:
       • AOL changes server to disallow Messenger clients
       • Microsoft makes changes to clients to defeat AOL changes.
       • At least 13 such skirmishes.
     • How did it happen?
     The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits!
     • many Unix functions do not check argument sizes.
     • allows target buffers to overflow.

  40. String Library Code
     • Implementation of Unix function gets
       • No way to specify limit on number of characters to read
     • Similar problems with other Unix functions
       • strcpy: Copies string of arbitrary length
       • scanf, fscanf, sscanf, when given %s conversion specification
         /* Get string from stdin */
         char *gets(char *dest)
         {
             int c = getchar();
             char *p = dest;
             while (c != EOF && c != '\n') {
                 *p++ = c;          /* no check against the size of dest */
                 c = getchar();
             }
             *p = '\0';
             return dest;
         }

  41. Vulnerable Buffer Code
         #include <stdio.h>

         /* Echo Line */
         void echo()
         {
             char buf[4];  /* Way too small! */
             gets(buf);
             puts(buf);
         }

         int main()
         {
             printf("Type a string:");
             echo();
             return 0;
         }

  42. Buffer Overflow Executions
         unix>./bufdemo
         Type a string:123
         123

         unix>./bufdemo
         Type a string:12345
         Segmentation Fault

         unix>./bufdemo
         Type a string:12345678
         Segmentation Fault

  43. Buffer Overflow Stack
         /* Echo Line */
         void echo()
         {
             char buf[4];  /* Way too small! */
             gets(buf);
             puts(buf);
         }
         echo:
             pushl %ebp           # Save %ebp on stack
             movl %esp,%ebp
             subl $20,%esp        # Allocate space on stack
             pushl %ebx           # Save %ebx
             addl $-12,%esp       # Allocate space on stack
             leal -4(%ebp),%ebx   # Compute buf as %ebp-4
             pushl %ebx           # Push buf on stack
             call gets            # Call gets
             . . .
     Stack (higher addresses at the top):
         Stack Frame for main
         Return Address
         Saved %ebp                 <- %ebp
         buf: [3] [2] [1] [0]       buf[0] at %ebp-4, buf[3] at %ebp-1, directly below the saved %ebp
         Stack Frame for echo

  44. Buffer Overflow Stack Example
     Before call to gets
         unix> gdb bufdemo
         (gdb) break echo
         Breakpoint 1 at 0x8048583
         (gdb) run
         Breakpoint 1, 0x8048583 in echo ()
         (gdb) print /x *(unsigned *)$ebp
         $1 = 0xbffff8f8
         (gdb) print /x *((unsigned *)$ebp + 1)
         $3 = 0x804864d
     Caller:
         8048648: call 804857c <echo>
         804864d: mov 0xffffffe8(%ebp),%ebx   # Return Point
     echo's frame (%ebp = 0xbffff8d8), bytes in memory order, lowest address first:
         buf[0..3]         xx xx xx xx
         Saved %ebp        f8 f8 ff bf   (0xbffff8f8)
         Return Address    4d 86 04 08   (0x0804864d)

  45. Buffer Overflow Example #1
     Input = "123"
         buf[0..3]         31 32 33 00   ("123" plus the terminating NUL fits exactly)
         Saved %ebp        f8 f8 ff bf   (0xbffff8f8, unchanged)
         Return Address    4d 86 04 08   (0x0804864d, unchanged)
     No Problem

  46. Buffer Overflow Stack Example #2
     Input = "12345"
         buf[0..3]         31 32 33 34
         Saved %ebp        35 00 ff bf   (0xbfff0035: low two bytes overwritten by '5' and the NUL)
         Return Address    4d 86 04 08   (0x0804864d, unchanged)
     • Saved value of %ebp set to 0xbfff0035
     • Bad news when later attempt to restore %ebp
     echo code:
         8048592: push %ebx
         8048593: call 80483e4 <_init+0x50>   # gets
         8048598: mov 0xffffffe8(%ebp),%ebx
         804859b: mov %ebp,%esp
         804859d: pop %ebp                    # %ebp gets set to invalid value
         804859e: ret

  47. Buffer Overflow Stack Example #3
     Input = "12345678"
         buf[0..3]         31 32 33 34
         Saved %ebp        35 36 37 38   (0x38373635: invalid address)
         Return Address    00 86 04 08   (0x08048600: low byte overwritten by the NUL; no longer pointing to desired return point)
     • %ebp and return address corrupted
         8048648: call 804857c <echo>
         804864d: mov 0xffffffe8(%ebp),%ebx   # Return Point
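Slides 41 through 47 can be replayed deterministically without crashing anything. The following is an added example, not code from the lecture: it models echo's frame from slide 43 as twelve bytes (buf[4], then the saved %ebp, then the return address, IA32 little-endian), runs a string-fed copy of slide 40's gets over it, and reads back the saved %ebp and return address for the three inputs of slides 45 to 47; then it does the same with a bounded read that has the contract of fgets(buf, sizeof buf, stdin). The names frame_t, fresh_frame, unsafe_gets_from, bounded_gets_from, echo_unsafe_model, echo_safe_model and field_after are this example's; the saved %ebp 0xbffff8f8 and return address 0x0804864d are the values from the slide's gdb session.

```c
/* Added example (not from the lecture slides): replays slides 41-47 on a
 * byte-array model of echo's stack frame so the corruption is deterministic
 * and checkable, then repeats it with a bounded read. Names here (frame_t,
 * fresh_frame, unsafe_gets_from, bounded_gets_from, echo_unsafe_model,
 * echo_safe_model, field_after) are this example's. The saved %ebp
 * 0xbffff8f8 and return address 0x0804864d are the values from the slide's
 * gdb session. Inputs are assumed to be at most 11 bytes so the model frame
 * itself is never overrun. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slide 43's layout, IA32 little-endian: buf[4] at offset 0, the saved %ebp
 * at 4, the return address at 8. A single byte array keeps the overflow
 * inside one object, so the model itself has defined behaviour. */
typedef struct { unsigned char bytes[12]; } frame_t;
enum { BUF_OFF = 0, BUF_SIZE = 4, EBP_OFF = 4, RET_OFF = 8 };

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(unsigned char *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

static frame_t fresh_frame(void)
{
    frame_t f;
    memset(f.bytes, 0, sizeof f.bytes);
    store_le32(f.bytes + EBP_OFF, 0xbffff8f8u);  /* main's %ebp, slide 44 */
    store_le32(f.bytes + RET_OFF, 0x0804864du);  /* return point, slide 44 */
    return f;
}

/* Slide 40's gets(), reading from a string instead of stdin: copies up to
 * the newline or end of input and has no idea how large dest is. */
static char *unsafe_gets_from(char *dest, const char *input)
{
    char *p = dest;
    while (*input != '\0' && *input != '\n') *p++ = *input++;
    *p = '\0';
    return dest;
}

/* Bounded counterpart, the contract fgets(buf, sizeof buf, stdin) gives you:
 * writes at most destsz bytes and always NUL-terminates. Returns 1 if the
 * whole line fit, 0 if it had to be truncated. */
static int bounded_gets_from(char *dest, size_t destsz, const char *input)
{
    size_t n = 0;
    if (destsz == 0) return 0;
    while (n + 1 < destsz && input[n] != '\0' && input[n] != '\n') {
        dest[n] = input[n];
        n++;
    }
    dest[n] = '\0';
    return input[n] == '\0' || input[n] == '\n';
}

/* echo() as on slide 41: whatever does not fit in buf[4] lands on the
 * saved %ebp and then on the return address. */
frame_t echo_unsafe_model(const char *input)
{
    frame_t f = fresh_frame();
    unsafe_gets_from((char *)f.bytes + BUF_OFF, input);
    return f;
}

/* echo() with the bounded read: everything above buf stays intact. */
frame_t echo_safe_model(const char *input)
{
    frame_t f = fresh_frame();
    bounded_gets_from((char *)f.bytes + BUF_OFF, BUF_SIZE, input);
    return f;
}

/* Value of the saved %ebp (off = EBP_OFF) or return address (off = RET_OFF)
 * after echo() consumed input with the unbounded (safe = 0) or bounded
 * (safe = 1) read. */
uint32_t field_after(const char *input, int safe, int off)
{
    frame_t f = safe ? echo_safe_model(input) : echo_unsafe_model(input);
    return load_le32(f.bytes + off);
}

int main(void)
{
    const char *inputs[] = { "123", "12345", "12345678" };  /* slides 45-47 */
    for (int k = 0; k < 3; k++)
        printf("gets(\"%s\"): saved ebp 0x%08x ret 0x%08x | bounded: 0x%08x 0x%08x\n",
               inputs[k],
               (unsigned)field_after(inputs[k], 0, EBP_OFF),
               (unsigned)field_after(inputs[k], 0, RET_OFF),
               (unsigned)field_after(inputs[k], 1, EBP_OFF),
               (unsigned)field_after(inputs[k], 1, RET_OFF));
    return 0;
}
```

In real code the fix is the one bounded_gets_from stands in for: replace gets(buf) with fgets(buf, sizeof buf, stdin) and strip the trailing newline yourself; gets was removed from the C standard in C11 for exactly the reason these slides show.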

  48. Malicious Use of Buffer Overflow
         void foo()
         {
             bar();
             ...
         }

         void bar()
         {
             char buf[64];
             gets(buf);
             ...
         }
     Stack after call to gets()
     • Input string contains byte representation of executable code
     • Overwrite return address with address of buffer
     • When bar() executes ret, will jump to exploit code
     (Picture: foo's frame holds the return address A; the data written by gets() fills bar's buf with the exploit code followed by pad bytes and ends by replacing A with B, the address of buf.)
