Develop Reference

How do calls to the execvp system call work?

I was doing a research into the contents of another StackOverflow question and I thought it was a good time to brush up my knowledge of unix system calls.
While experimenting with execvp (WITHOUT fork on purpose) I ran into something that confuses me
I wrote 4 test programs
Program 1
#include <stdio.h>
int main() {
//printf("Doge\n");
execvp("ls");
printf("Foo\n");
return 0;
}
The program works as expected, the contents of the directory are printed and the Foo print statement is not
Program 2
However when I uncomment the first print statement and have the program be this
#include <stdio.h>
int main() {
printf("Doge\n");
execvp("ls");
printf("Foo\n");
return 0;
}
execvp returns a -1 and both print statements are issued. why?
Program 3
I vaguely remember having to use unistd.h when experimenting with unix system calls from college.
So I included it, but not execvp has a different signature and it needed some more args than just the name of the program. So I did this
#include <stdio.h>
#include <unistd.h>
int main() {
printf("Doge\n");
char *const parmList[] = {"ls", NULL};
execvp("ls", parmList);
printf("Foo\n");
return 0;
}
And this works. This has confused me. Why did exec work in the first program?
I also used This as a reference to the system calls.
Finally I wrote
Program 4
#include <stdio.h>
//#include <unistd.h>
int main() {
printf("Doge\n");
char *const parmList[] = {"ls", NULL};
execvp("ls", parmList);
printf("Foo\n");
return 0;
}
Which also works as expected.
Can someone explain what's going on?

With this snippet
#include <stdio.h>
int main() {
execvp("ls");
printf("Foo\n");
return 0;
}
you're invoking undefined behaviour. You're not providing the prototype for execvp which requires an argument list (null terminated) as a second parameter.
Using gcc without any warning option silently uses execvp as implicitly declared, and doesn't check parameters. It just calls the function. The function then looks for a second parameter and encounters... whatever is left of the call stack (or registers, depending on call conventions), that's why a previous printf call can change the behaviour.
Using gcc -Wall gives the following warning:
test.c:5:9: warning: implicit declaration of function 'execvp' [-Wimplicit-function-declaration]
execvp("ls");
Including the proper include (#include <unistd.h>) leads to:
test.c:6:9: error: too few arguments to function 'execvp'
execvp("ls");
^~~~~~
That's why you've got strange behaviour. Don't look further. Use execvp with 2 arguments, period. In your case "Program 3" is the way to go, and always set warning level to the maximum, if possible (gcc and clang: -Wall -Wextra -pedantic -Werror)

Is there a way to "overload" or reimplement __stack_chk_fail?

I want to enable stack protection feature in gcc for a system i am building that run on x86 linux.
I want that if it detects stack smashing it would call a function of my own that will handle the case or it will call my own implementation of the function __stack_chk_fail , is there a way to do it?
So far i tried to undef __stack_chk_fail and __stack_chk_guard and then defining them myself but it didn't work and resulted in segmentation fault when trying exploiting buffer overflow.
Here is an example of what i did:
#undef __stack_chk_guard
#undef __stack_chk_fail
uintptr_t __stack_chk_guard = 0xdeadbeef;
void __stack_chk_fail(void)
{
printf("Stack smashing detected");
}
void foo(void)
{
char buffer[2];
strcpy(buffer, "hello, I am smashing your stack!");
}
I also tried using LD_PRELOAD but that resulted in segmentation fault when smashing the stack but it also resulted in segmentation fault.

After some research i found out i can use the linker flag --wrap to wrap __stack_chk_fail and insert my own hanlding just as i wanted.
The flag change each call of __stack_chk_fail to __wrap___stack_chk_fail and each call to __real___stack_chk_fail to __stack_chk_fail
I can even skip calling the real __stack_chk_fail if i wanted to
below is an example code in a file named test.c:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void __real___stack_chk_fail(void);
void __wrap___stack_chk_fail(void)
{
printf("our test");
__real___stack_chk_fail();
}
void func()
{
char buffer[2];
strcpy(buffer, "smashhhhhhhhhhhhhhhh");
}
int main(void)
{
func();
return 0;
}
To compile it execute:
gcc -fstack-protector-strong -c test.c
gcc -Wl,--wrap=__stack_chk_fail test.o
The ouput would be "our test" and then the regular behavior of __stack_chk_fail
UPDATE:
Another way to do it is to exclude libssp from the linkage process with the flag --exclude-libs,libssp and implement __stack_chk_fail and guard_setup(the function that initiate __stack_chk_guard value) on your own

Strange behaviour while wrapping abort() system call

I need, to write unitary tests, to wrap the abort() system call.
Here is a snippet of code:
#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
extern void __real_abort(void);
extern void * __real_malloc(int c);
extern void __real_free(void *);
void __wrap_abort(void)
{
printf("=== Abort called !=== \n");
}
void * __wrap_malloc(int s)
{
void *p = __real_malloc(s);
printf("allocated %d bytes #%p\n",s, (void *)p);
return p;
}
void __wrap_free(void *p)
{
printf("freeing #%p\n",(void *)p);
return __real_free((void *)p);
}
int main(int ac, char **av)
{
char *p = NULL;
printf("pre malloc: p=%p\n",p);
p = malloc(40);
printf("post malloc p=%p\n",p);
printf("pre abort\n");
//abort();
printf("post abort\n");
printf("pre free\n");
free(p);
printf("post free\n");
return -1;
}
Then i compile this using the following command line :
gcc -Wl,--wrap=abort,--wrap=free,--wrap=malloc -ggdb -o test test.c
Running it give the following output:
$ ./test
pre malloc: p=(nil)
allocated 40 bytes #0xd06010
post malloc p=0xd06010
pre abort
post abort
pre free
freeing #0xd06010
post free
So everything is fine.
Now let's test the same code but with abort() call uncommented:
$ ./test
pre malloc: p=(nil)
allocated 40 bytes #0x1bf2010
post malloc p=0x1bf2010
pre abort
=== Abort called !===
Segmentation fault (core dumped)
I don't really understand why i get a segmentation fault while mocking abort() syscall...
Every advice is welcome !
I run Debian GNU/Linux 8.5 on an x86_64 kernel. Machine is a Core i7 based laptop.

In glibc (which is the libc Debian uses) the abort function (it's not a system call, it's a normal function) is declared like this:
extern void abort (void) __THROW __attribute__ ((__noreturn__));
This bit: __attribute__ ((__noreturn__)) is a gcc extension that tells it that the function can't return. Your wrapper function does return which the compiler didn't expect. Because of that it will crash or do something completely unexpected.
Your code when compiled will be using the declarations from stdlib.h for the call to abort, the flags you gave to the linker won't change that.
Noreturn functions are called differently, the compiler doesn't have to preserve registers, it can just jump to the function instead of doing a proper call, it might even just not generate any code after it because that code is by definition not reachable.
Here's a simple example:
extern void ret(void);
extern void noret(void) __attribute__((__noreturn__));
void
foo(void)
{
ret();
noret();
ret();
ret();
}
Compiled into assembler (even without optimizations):
$ cc -S foo.c
$ cat foo.s
[...]
foo:
.LFB0:
.cfi_startproc
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
call ret
call noret
.cfi_endproc
.LFE0:
.size foo, .-foo
.ident "GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-4)"
.section .note.GNU-stack,"",#progbits
Notice that there is a call to noret, but there isn't any code after this. The two calls to ret were not generated and there is no ret instruction. The function just ends. This means that if the function noret actually returns because of a bug (which your implementation of abort has), anything can happen. In this case we'll just continue executing whatever happens to be in the code segment after us. Maybe another function, or some strings, or just zeroes, or maybe we're lucky and the memory mapping ends just after this.
In fact, let's do something evil. Never do this in real code. If you ever think that this is a good idea you'll need to hand over the keys to your computer and slowly step away from the keyboard while keeping your hands up:
$ cat foo.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void __wrap_abort(void)
{
printf("=== Abort called !=== \n");
}
int
main(int argc, char **argv)
{
abort();
return 0;
}
void
evil(void)
{
printf("evil\n");
_exit(17);
}
$ gcc -Wl,--wrap=abort -o foo foo.c && ./foo
=== Abort called !===
evil
$ echo $?
17
As I thought, the code just keeps going after whatever happened to be placed after main and in this simple example the compiler didn't think it would be a good idea to reorganize the functions.

This is a continuation of the discussion under Art's answer, and is meant purely as an experiment.
Do not do this in real code!
The problem can be averted using longjmp to restore the environment, before calling the real abort.
The following program does not display undefined behavior:
#include <stdlib.h>
#include <stdio.h>
#include <setjmp.h>
_Noreturn void __real_abort( void ) ;
jmp_buf env ;
_Noreturn void __wrap_abort( void )
{
printf( "%s\n" , __func__ ) ;
longjmp( env , 1 ) ;
__real_abort() ;
}
int main( void )
{
const int abnormal = setjmp( env ) ;
if( abnormal )
{
printf( "saved!\n" ) ;
}
else
{
printf( "pre abort\n" ) ;
abort() ;
printf( "post abort\n" ) ;
}
printf( "EXIT_SUCCESS\n" ) ;
return EXIT_SUCCESS ;
}
Output:
pre abort
__wrap_abort
saved!
EXIT_SUCCESS

Nice answer, above, with the assembly output. I had the same problem, again, while creating unit tests and stubbing the abort() call - the compiler sees the __noreturn__characteristic in stdlib.h, knows it CAN stop generating code after the call to a __noreturn__ function, but GCC and other compilers DO stop generating code, even with optimization suppressed. Returns after the call to the stubbed abort() just fell through to the next function, declared data, etc. I tried the --wrap approach, above, but the calling function is just missing code after the __wrap_abort() returns.
One way I found to override this behavior is to catch the abort() declaration at the preprocessor level - keep your stubbed abort() in a separate source file, and add to the CFLAGS for the file that's calling abort()
-D__noreturn__="/* __noreturn__ */"
This modifies the effect of the declaration found in stdlib.h. Check your preprocessor output via gcc -E and verify this worked. You can also check your compiler's output via objdump of the .o file.
This whole approach will have the added side effect of generating code for source that follows other abort() calls, exit() calls, and anything else that appears in stdlib.h with the __noreturn__ characteristic, but most of us don't have code that follows an exit(), and most of us just want to clean the stack and return from the abort() caller.
You can keep the linker --wrap logic in order to invoke your __wrap_abort() call, or, since you won't be calling __real_abort(), you can do something similar to the above to get to your stubbed abort():
-Dabort=my_stubbed_abort
Hope this helps.

C program: __start [duplicate]

This question already has answers here:
What is the use of _start() in C?
(4 answers)
Closed 3 years ago.
Can you help me to understand how
__start
is used in C internally?
Is it the exact replica of the main function or is it the entry point to the compiled program?
Just wondering, how its getting used?

Here is a good overview of what happens during program startup before main. In particular, it shows that __start is the actual entry point to your program from OS viewpoint.
It is the very first address from which the instruction pointer will start counting in your program.
The code there invokes some C runtime library routines just to do some housekeeping, then call your main, and then bring things down and call exit with whatever exit code main returned.
A picture is worth a thousand words:

As per C/C++ standard, main() is the starting point of a program. If you're using GCC, _start function is the entry point of a C program which makes a call to main(). The main job of _start() function is to perform a few initialization tasks.
// $ gcc program_entry.c -nostartfiles
// $ ./a.out
// custom program entry
#include <stdio.h>
#include <stdlib.h>
void program_entry(void);
void
_start(void)
{
program_entry();
}
void
program_entry(void)
{
printf("custom program entry\n");
exit(0);
}
If you want, the program entry can also be compiled with -e switch in GCC.
// $ gcc program_entry.c -e __start
// $ ./a.out
// custom program entr
#include <stdio.h>
void program_entry(void);
void
_start(void)
{
program_entry();
}
void
program_entry(void)
{
printf("custom program entry\n");
}

_start is a operating system function....which is entry point for any program...as our compiler knows about main(main is not pre defined function it is user defined but all the compiler knows about them) this _start function will call main and from that point our program enters in CPU

How to write a Hello World in C

I wrote little program to print "Hello world" in C. I'm not a C programmer, but I liked to try it. In my program there is an error. Please tell me what is it?
This is my program:
int main(){
printf("Hello World");
}
I wrote this with my Java Experiences. I can't find what is wrong.

You can't directly use printf() function as in Java. You should tell the compiler that you are going to use the input/output stream. You can tell it in this line:
#include <stdio.h>
and also you should enter this line at the end of the source code:
return 0;
this will tell the compiler :
"If the program succeed It will return 0 otherwise It will return any other number"
This means if your program is successful main() function will return 0. Then the compile know the program is Ok.
Then at last your complete code is:
#include <stdio.h>
int main() {
printf("Hello world");
return 0;
}
To compile this and see the word "Hello World", just save this file as a .c file and Open cmd in your program directory and type
gcc hello.c -o hello && hello
(Replace the 'hello.c' with your filename, and 'hello' with the name you want to put with your .exe file)
Remember My computer is Windows. And this compile code is for windows. If your OS is UNIX like OS. then use this code to compile:
gcc hello.c -o hello
./hello

A full hello world program in C:
#include <stdio.h>
int main(void) {
printf("Hello World\n");
return 0;
}
Then compile (assuming gcc) and execute it:
gcc -o test test.c
./test

First, you have to use a header file.
#include <stdio.h>
What that does is bring up a header file with a bunch of commands in them. That will make it recognize the "printf" piece of code.
Next, you have to close your program. By not having a closing statement, the program will not compile because it doesn't know if that is the end of the code. Use this at the end of your program...
return 0;
That closes the program, meaning that the compiler can stop looking for other code. You may also want to look at some programming manuals (there are dozens of free online ones) to learn about the syntax.
One last thing: Most pieces of C code require a semicolon at the end. This is not true for the "int main" statement, nor is it for the header file which I have defined above. The "return" function that closes the program, does however, need a semicolon.
Hoped this helped.

Should also include a pause at the end:
#include <stdio.h>
int main(void) {
printf("Hello World\n");
//Read a character from the console
getchar();
return 0;
}

Just like import in Java programs, in here you have to include libraries you're using in your program. You have used library function printf, but not included stdio.h.

I agree there are many ways to write one of the simplest way is
#include<stdio.h>
int main(void){
printf("Hello World\n");
return 0;
}
You can even use different ways as suggested above.

You should first look at the structure of "main". Try to understand the various parts as already explained so well in the above answers.
"#include" : The preprocessing directives to be included in the program. But why? Because you are trying to use the functions defined inside them.
int : The return type of "main" program. But why? Because the function calling "main" needs to know if the "main" program has functioned correctly.
main : The entry point of your code. Dont ask why here :-)
main( void ) : To tell the compiler that we are not passing any arguments to program "main"
return 0 : Beacuse you promised "main" that you will return something if "main" will function properly.
Finally the code:
#include <stdio.h>
int main( void )
{
printf( "Hello World\n" ) ; //Notice the '\n' here. Good coding practice.
return 0 ;
}

#include <stdio.h> //Pre-processor commands<br/>
void main() //Starting point of the program<br/>{ //Opening Braces
printf("Hello World\n"); //Print Hello World on the screen<br/>
return 0;
} //Ending Braces

Check it once it will work, I have written it with comments:
#include<stdio.h> //Pre-processor commands
void main() {
printf("Hello World\n"); //Print Hello World on the screen
}

A full hello world program in C:
#include <stdio.h>
int main(void) {
printf("Hello World\n");
return 0;
}
Then compile (assuming gcc) and execute it:
gcc -o test test.c
./test

You can't use printf() function as in Java. You have to tell the compiler what you are going to use.
You can tell this as follows:-
#include <stdio.h>
You must enter this line in last:-
return 0;
Then Your complete code is:-
#include <stdio.h>
int main(){
printf("Hello World");
return 0;
}
For compiling this and see the word "Hello World", just save this file as a .c file and Open cmd in your program directory and type:-
gcc hello.c -o hello && hello
(Replace the 'hello.c' with your filename, and 'hello' with the name you want to put with your .exe file)
Remember My computer is Windows. So I can compile only for Windows OS.

#include <stdio.h>
int main() {
// printf, used to print (display) Hello World
printf("Hello World ! ");
// return 0, as the main function is of type int so it must return an integer value
return 0;
}