How do you make use of segmentation and paging to prevent buffer overflow?
One guess might be - because segmentation only gives a portion of memory to each process and if the process tried to access an address outside its segment then a segfault will occur. Please tell me if that is correct or not.
Thank you!
Segmentation / paging will not prevent your code from attempting to access memory outside of its boundaries. That is the definition of a buffer overflow, and no sort of memory protections will attempt broken code from attempting to do things it is not allowed to do.
What segmentation or paging can do, is prevent your code from successfully accessing memory it doesn't own. The only option an operating system really has is to kill a process that the hardware has detected attempting to do something "bad".
Related
This is the code I wrote to overwrite the RAM data and eventually leading in crashing the OS.
#include<stdio.h>
#include<conio.h>
int main(){
int i=10;
int *j;
j=&i;
int m=0;
while(true){
*(j+m)=m*m; //next location of i
printf("New Value is. %d \n",(m));
m++;
}
printf("Complete");
getch();
return 0;
}
But the only after m is 46 my program is crashing(the value of m can be different from compiler to compiler).
Why this program is behaving in such manner? Is it because our OS provides some fixed space of memory to load & run a program and overreaching the memory limit would cause crashing the program?
You are overwriting the stack, destroying data from local variables and return from procedure pointers from your current function through all other functions called before it, until you reach a part of memory that is read-only because it contains the actual code of your program, and this part is protected. When you try to overwrite that too, the system will prevent it and the application will crash with a "Memory cannot be written" error of something like that.
Not sure about Linux, but in Windows you can disprotect this memory with VirtualProtect(). But doing that will only make it crash a little down the road as you overwrite the loop code with garbage and die in a Segmentation Fault error.
But still, you won't have access to the actual RAM of your computer, you can't even know the actual address in the real RAM you are in. When you are a process under a operational system, you are in the realm of virtual memory, where the OS will guarantee you cannot interfer directly with the system's or other processes' memory, not without going through the channels the system offers you anyway.
The problem is, after the very first iteration, *(j+m) is invalid memory access, which causes undefined behavior. Then, nothing, absolutely nothing is guaranteed.
In your case, it just happens that until index 46, the memory location is accessible from the process (i.e, the location belongs to the process's virtual address space, though that does not mean you are allowed to access, you may be overwriting some other data) and past that index, the memory location is not accessible from your process, so the access violation happens, causing the segfault.
Understand one thing first... Accessing a block of memory that was not initially defined leads to undefined behavior according to the rules of C language!
Now undefined behavior is seriously not undefined. In my case when I run the program, it crashes only after m=1.
There is no logic behind defining the sense of undefined. Undefined behavior may not only depend upon what causes it but several other issues.
Besides the fact that you program contains an undefined behavior because you tried to access memory you didn't allocate in some way, what you observe is some protection ensured by OS your program is running on.
It is very common for OS to manage space allocated to running programs by chunks of space. Such a chunk is usually called a page. A page is the finer grain of memory an OS can manage on behalf the process. So even if accessing the next memory address of variable i is logically false (undefined behavior), the generated code for the machine probably obviously try to get the memory content. At that time OS/CPU/MMU only verify if that address is in a page of your process. So the crash appears only when you access a page that is not in the space of your process.
If you want more details, read about virtual memory, page fault...
After debugging my code I get the following error:
Program received signal SIGSEGV, Segmentation fault.
0xb7d79a67 in fgets () from /lib/i386-linux-gnu/libc.so.6
Can anybody explain to me what this means? It's a project built using CMake and OpenGL.
When a program tries to access memory it has no privileges, the Linux Kernel interrupts the program by sending a signal called SEGSEGV. In your fgets, may be you are exceeding the memory you have allocated for your pointer by inputting too much text. Signals is one way the Linux Kernel communicates with the programs (processes in correct sense). It's kind of exception.
Since, you are dealing with files. It's worth checking if your file actually exists. May be you don't have privileges to read the file and hence getting the error.
/lib/i386-linux-gnu/libc.so.6 is a shared library on your Linux system in which fgets function resides and 0xb7d79a67 is (I guess) main memory address your program doesn't have privileges may be goes beyond the file length.
The segmentation-fault(SEGSEGV) can occur when you access protected memory areas, or the memory areas which are used by other programs and hence your program doesn't have any right to access.
Read these articles for better grasp:
Segmentation fault why?, Debugging segmentation faults
I need to panic kernel after some operations are done and verify what operation did
Can some one help me to know if there is any way? I searched a lot but no luck
I am looking for some generic call
thanks in Advance!
You can try a sysrq trigger:
echo c > /proc/sysrq-trigger
'c' - Will perform a system crash by a NULL pointer dereference.
A crashdump will be taken if configured.
Higher address range is mapped to the kernel. This if you write something there e.g. Say 0xFFFFFF7 kernel exits your process with a segmentation fault complaining that illegal memory location was accessed.
In user land your process is more like a sand box and any illegal access of memory outside your process is fined with kernel killing your process with a segmentation fault violation.
To panic a kernel you can try to set some wrong hardware registers typically with invocation of a syscntl sys call.
When I run a program I've written, I get the following two error messages (multiple instances of them infact). The program is quite big so can't show it here. Anyway, any idea what kind of programming error can cause these errors? Note that I'm using both mmap and mprotect in my program.
Internal kernel structures could not be allocated.
mprotect: Cannot allocate memory
Most likely you are calling mprotect() on memory that you don't own. Eg., you might be calling mprotect() on memory that wasn't returned by mmap() or that has been unmapped with munmap().
Sometimes in execution I get this error message in VS2010 when trying to free memory:
Windows has triggered a breakpoint in [APPNAME].exe.
This may be due to a corruption of the heap, which indicates a bug in [APPNAME].exe or any of the DLLs it has loaded.
This may also be due to the user pressing F12 while [APPNAME].exe has focus.
The output window may have more diagnostic information.
Wich means something is wrong with heap or pointer.
My issue is that this error crashes my app when it is built as a release.
Also this is just a module of bigger application and when this crashes everithing goes down.
I would like to be able to handle this error.
From msdn on "free":
If an error occurs in freeing the memory, errno is set with information from the operating system on the nature of the failure. For more information, see errno, _doserrno, _sys_errlist, and _sys_nerr.
There is a errno_t _get_errno( int * pValue ); function that returns error code.
If I press continue on the error msg shown above this function returns error code.
Using this code I can detect error, create call stack and exit my function softly.
Is there any compiler switch or something to prevent aplication from crashing when free fails and allow me to exit it my way??
If the heap is corrupted, all bets are off. Memory allocations may fail (unless they're on the stack), they might return pointers to wacky areas, and even existing stuff on the heap could be mangled beyond recognition. In such cases, you're actually better off crashing, as any action you take (even trying to gracefully exit) could just make things much worse.
Find the code that's mangling stuff on the heap, and fix or remove it.
Theoretically you try to prevent your app from crashing using SEH.
AFAIK "debug breakpoint" is a sort of a SEH exception, which can be handled.
__try {
// do something here
} __except(EXCEPTION_EXECUTE_HANDLER) {
}
The above __try/__except block will catch all the exceptions (both C++ and SEH).
HOWEVER
I believe you should not do this. Heap corruption, as well as any other invalid memory access - is an bug Once this happens - the damage is usually unrecoverable. You may prevent the crash (hopefully), but you can not guarantee your program does what it should do. From now on it may crash at any other place.
Instead of preventing the crash I suggest you FIND the outlaw that dares to overwrite the forbidden memory and corrupt the heap.
Fix your code instead of trying to ignore such a serious error. You shouldn't have such serious memory bugs in your production code. AFAIK there's no simple way to handle this and it's for a good reason.
Btw, I thought the dialog appears only in debug mode. In release mode the memory error should not be detected and the application should crash immediately (or run with a corrupted heap, yuk).
Many Windows programs use HeapSetInformation with HeapEnableTerminationOnCorruption to ensure that the program crashes immediately when heap corruption is detected. This is a security measure, since heap corruption might be exploitable. Crashing immediately on heap corruption is the only sane thing to do.
But if you're trying to debug, and it's a release build, this setting can make it difficult to debug the problem. It sounds like you have a module that run inside somebody else's app (though I'm not sure from your description). In that case, it might be that the other application is setting the heap termination flag. Unfortunately, it cannot be unset once set (per process).
You'll need to attach a debugger to generate a dump file when the crash occurs and try to debug from that.