It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
A challenge for all the C experts out there:
On a linux machine, you have an already compiled C program, and you are given its source code:
...
char buffer[20];
int code;
gets(buffer);
if(code==1234) ...
...
...
if(0) func();
You don't posses root privileges and the program is read-only. Find a way to execute func. I am certain this is possible, so please don't post any "It isn't possible" answers.
Good luck!
The answer lies in the unchecked buffer overflow that is waiting to happen with gets(buffer); and an understanding of what the stack looks like.
You could try setting the return address to the func() call by overflowing buffer.
http://en.wikipedia.org/wiki/Stack_buffer_overflow#Exploiting_stack_buffer_overflows
It may or may not be possible. If there are no other references to func(), the compiler may well have decided not to generate code for it in the first place -- dead code can be optimized away entirely.
This question is pretty underspecified, anyway. What do you mean by "the program is read-only"? The source code, or the executable? Are we attacking it from inside the process at runtime, inside the process by changing the source code, outside the process by trying to invoke it in funny ways, ...?
If the compiler generated code for the function (i.e. it didn't get chopped by the dead code optimizer) and you have a debugger and debug symbols, just attach a debugger and tell it to find and invoke func().
If you want to exploit the code at runtime, you can cause a buffer overflow in gets(), and take control of the process from inside, but you still have to find func() so you can jump to it -- having the source code won't help you here, and nothing will help you here if the compiler didn't generate code for it.
Since we have the source code, I would make the following edit and recompile:
-if(0) func();
+func();
Serious answer, there are thousands of ways of doing it (hacked environments, buffer overflows, etc), but the common pitfall is that a good compiler should optimize if (0) {} away. If that is the case there would be no way of executing func(). If not, then I would just start up my trusty debugger and jumping to the right spot.
Obviously, execute the famous set 0=1 command before running your executable.
But seriously, this is way off-topic...
Related
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
How does GCC ensure that The Stack doesn't overflow?
Shouldn't it check the Size is less than the MAX it can retain and prompt user accordingly,esp when it is implicitly defined?WIll this not be a great programming paradigm?
It doesn't. If you recurse deep enough, you will overflow, and there's nothing the compiler can do about it.
edit: I should point out that at the time I answered this question, the question simply read:
"How does GCC ensure that The Stack doesn't overflow?"
Linux uses a "guard area". It puts one or more access-protect pages at the end of the stack for each thread.
If the program accesses the guard area, the OS handles the fault. If the thread is already using its max permitted stack then it terminates something (the thread or the whole process, I don't remember which). Otherwise it tries to map memory to the addresses occupied by the guard area for use as stack, and protects a new area beyond the end of the newly-enlarged stack.
Prompting the user isn't really suitable for an OS like Linux, in which many processes are not monitored by a user, and for that matter there may not be any logged-in user at the time the problem arises. So your process just fails. Since it's an all-purpose compiler, gcc doesn't attempt runtime user interaction either.
Other OSes and platforms may or may not have stack guard pages (Windows does). About all gcc really needs to do is to ensure that if the stack is going to be exceeded, it doesn't "miss" the guard page by jumping a long way forward.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
My question is particulary to function calls in C. So, either we can call functions normally or through function pointers. When your interface remainas the same but with different implementations, function pointers are used, but even if you have a single implementation having function pointers can improve the readabilty of the code.
So, what are the benefits of having static calls rather than dynamic function pointers. The call will obviously be implemented in 2 instructions as the address of the function needs to be fetched, but return will take equal cycles. I just want to understand, how can if at all processor and compiler optimize static calls over dynamic functions pointers?
Thanks,
Calling a function through a pointer will in most cases result in the compiler not being able to inline the call (if the compiler has determined that it would be beneficial to do so.) In some cases, the compiler is even able to determine the result of a function call at compile time, and thus optimize-away the whole code of the function. Function pointers also prevent this from happening.
That doesn't mean that the impact will be noticeable in any way that actually matters though. The only way to determine that, is to go and benchmark/profile your code.
However, I don't see how function pointers would be able to provide better code readability. You might want to give an example of that.
In general, direct call allows way more optimization to the compiler.
If there is really only one implementation and compiler can see it [*], it can optimize and do exactly as with direct call. But it of course depends on how smart the compiler is and what optimization options you use.
[*] i.e. if the pointer value is known in compile time; i.e. if it is 'static' variable, its address never passed outside the compilation unit, etc.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I am using POSIX threads, and at the end of my program, I am waiting to join each of the threads. After some time of running perfectly well, my code started returning a weird bug when I was waiting for the threads.
pthreads threads[C+P];
for(i = 0; i < (C+P); i++)
{
printf("%d\n", i);
pthread_join(threads[i]);
}
If I remove the printf statement, or replace it with any other printf statement, a delay, or any other operation on i, I still get a segfault.
How would I start debugging this?
Inserting printf() call affects memory layout (and thus it can, by pure accident, mask some memory corruption), as well as execution timing (you use threads, so timing is also relevant).
But instead of any sort of guesswork, you should do some regular debugging:
run you executable under gdb, this way you should be able to see what exact operation is causing a crash, where is it called from, etc.
run it under valgrind - this tool detects a lot of common errors, like accessing free'd memory block, using uninitialized variables, exceeding array/buffer boundaries, etc. It's not uncommon to immediately get exact position of the error with valgrind, I highly recommend it!
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 10 years ago.
I'm using the PellesC C compiler. Sometimes my code randomly stops working. A particular statement can trigger it. For example, I multiplied a variable by sin(c) (c is a double) and my code seemed to just finish execution with no result. Sometimes it freezes, sometimes it appears to just return, but I can always fix it by removing the offending statement or disabling compiler optimizations, specifically "maximize speed" or "maximize speed more". The freezing will also go away nearly 100% of the time if I add a printf statement somewhere near the point at which it crashes. I've never found anything to suggest that I am accessing memory improperly, I'm fairly sure its a compiler issue. I was wondering if anybody could shed some light on this. Is it possible that I am, in fact, doing something wrong? Or is this a known issue with the Pelles C compiler?
Edit:
Changing
canvas->pixels[(y*canvas->pitch)+(x*canvas->Bpp)+2]=(unsigned char)(255.0*dtempA*(1-sin(c)));
canvas->pixels[(y*canvas->pitch)+(x*canvas->Bpp)+1]=(unsigned char)(255.0*dtempA*(1+cos(c)));
canvas->pixels[(y*canvas->pitch)+(x*canvas->Bpp)]=(unsigned char)(255.0*dtempA*(1+sin(c)));
to (difference at the end of the last line)
canvas->pixels[(y*canvas->pitch)+(x*canvas->Bpp)+2]=(unsigned char)(255.0*dtempA*(1-sin(c)));
canvas->pixels[(y*canvas->pitch)+(x*canvas->Bpp)+1]=(unsigned char)(255.0*dtempA*(1+cos(c)));
canvas->pixels[(y*canvas->pitch)+(x*canvas->Bpp)]=(unsigned char)(255.0*dtempA*(1+1));
makes it work.
It could be either but a good bet is that it's you :) Variables that are not explicitly initialized will often get different values in a optimized vs an un-optimized build because the stack layout can change subtly depending on how aggressively the compiler removes temporaries, as well as other factors.
You're probably accidentally using undefined behavior somewhere, and changing random instructions in the program is breaking the very fragile alignment of the code on the stack that happens to make the program work.
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
Closed 11 years ago.
What are the security breaches possible ? or any attacks?
Which argument of the printf function?
printf("%s\n", untrusted_string); is mostly OK, although if output is going to a terminal, and if the terminal responds to control codes, then it potentially could mess up the terminal settings beyond all recognition.
Obviously it also gets interesting when the output of your program is going to be used as executable code. It may not always be obvious to you that it is. For example, suppose you write a program that scans your web server logs and produces an HTML report listing all the URLs visited. Suppose further that I visit http://example/<script>...</script>. I get an error message, but the URL is still logged. If you've printed the input without modification, then you might be in for an educational evening when you review your report files. The user input needs to be sanitized somewhere along the line.
Echoing data that the user has supplied, back the same user, is somewhat safer. However, again in a web context, XSRF attacks are a common technique -- you might think that your users wrote the input themselves, when really they didn't, and so actually you're echoing some attacker's data back to the user. The same could apply even in command-line programs -- if the user supplies a file as a command-line argument, but the file (like my server log above) was written by an attacker, then printing parts of that file back to the user potentially has consequences the user never intended.
None of which is necessarily a reason not to do it. As ever in security, you can't say whether a particular action "is" or "isn't" secure, because it depends on the context in which that action occurs.
printf(untrusted_string); is definitely no good, since the string supplied might be "%s", with undefined behavior. You might think to yourself, "oh, well, it only reads where it shouldn't, what harm can that possibly do?" In which case you will eventually join the long list of people who've been surprised at the ingenuity which attackers show in combining multiple bugs to create a workable attack. Reading where you shouldn't clearly can lead to DoS, but also in combination with other issues could leak sensitive information.
A buffer overflow attack. See http://en.wikipedia.org/wiki/Buffer_overflow