[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Need help with stack smash



On 08/27/2009 01:59 PM, Orion Poplawski wrote:
> Thanks, but my trouble though is what to watch. My thought was to watch
> the location of the guard variable that the stack protector code checks,
> but I have no idea how to find that out.


By looking at the disassembly of the function, I'm able to see the stack check code at the end:

0x08058f39 <an_check_lab_desc+553>:     mov    -0x1c(%ebp),%eax
0x08058f3c <an_check_lab_desc+556>:     xor    %gs:0x14,%eax
0x08058f43 <an_check_lab_desc+563>:     jne    0x8058f50 <an_check_lab_desc+576>

so it's watching %ebp - 0x1c (it appears).

(gdb) print $ebp - 0x1c
$1 = (PTR TO -> ( void )) 0xbfffcb5c
(gdb) watch *(0xbfffcb5c)
Hardware watchpoint 2: *(0xbfffcb5c)
(gdb) c
Continuing.
Hardware watchpoint 2: *(0xbfffcb5c)

Old value = -987698962
New value = -987699200
DFANIgetann (filename=0x8125d10 "tdfanF.hdf", tag=<value optimized out>,
ref=<value optimized out>, ann=0xbfffcb3e "Object label #1: sds ",
    maxlen=31, type=0) at dfan.c:1103
1103      Lastref = annref;   /* remember ref last accessed */
Current language:  auto; currently c
(gdb) list
1098          HCLOSE_GOTO_ERROR(file_id,DFE_READERROR,FAIL);
1099        }
1100      if (type == DFAN_LABEL)
1101        ann[annlen] = '\0';     /* terminate string properly */
1102
1103      Lastref = annref;   /* remember ref last accessed */
(gdb) print &ann[annlen]
$7 = (uint8 *) 0xbfffcb5c ""

So that's where I get clobbered. Need to figure out why, but at least I solved the watch location question.

--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion cora nwra com
Boulder, CO 80301              http://www.cora.nwra.com
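The numbers in the post line up exactly: ann starts at 0xbfffcb3e and the guard word sits at 0xbfffcb5c, 30 bytes later, and the watchpoint's old and new values (0xC520E8EE and 0xC520E800 as unsigned 32-bit words) differ only in the lowest byte, which is what a single `'\0'` landing on the first byte of a little-endian guard looks like. The program below is an added illustration of that mechanism, not code from the post or from the HDF library: it models a 30-byte buffer followed directly by the guard word, performs the same `ann[annlen] = '\0'` write the watchpoint caught, and shows the checked form that refuses to write past the real buffer. The buffer size, the guard value and the frame layout are assumptions taken from the addresses and values gdb printed; the compiler's own canary check is not involved, so the program runs to completion instead of aborting.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame seen in the post: ann[] immediately
 * followed by the 4-byte stack guard, stored little-endian as on i386.
 * 30 bytes comes from 0xbfffcb5c - 0xbfffcb3e; OLD_GUARD is gdb's
 * "Old value" -987698962 reinterpreted as an unsigned word.
 * Both are assumptions for illustration. */
#define ANN_BUF_SIZE 30u
#define FRAME_SIZE   (ANN_BUF_SIZE + 4u)
#define OLD_GUARD    0xC520E8EEu

struct frame {
    uint8_t bytes[FRAME_SIZE];   /* [0,30) = ann, [30,34) = guard */
};

static void frame_init(struct frame *f)
{
    memset(f->bytes, 'A', ANN_BUF_SIZE);
    for (unsigned i = 0; i < 4; i++)           /* little-endian guard */
        f->bytes[ANN_BUF_SIZE + i] = (uint8_t)(OLD_GUARD >> (8 * i));
}

static uint32_t frame_guard(const struct frame *f)
{
    uint32_t g = 0;
    for (unsigned i = 0; i < 4; i++)
        g |= (uint32_t)f->bytes[ANN_BUF_SIZE + i] << (8 * i);
    return g;
}

/* The write the watchpoint caught: the terminator goes wherever annlen
 * points, with no check against the size of the buffer actually there. */
static void terminate_unchecked(uint8_t *ann, size_t annlen)
{
    ann[annlen] = '\0';
}

/* Checked form: the NUL must land inside the real buffer. */
static int terminate_checked(uint8_t *ann, size_t bufsize, size_t annlen)
{
    if (annlen >= bufsize)
        return -1;                   /* no room for the terminator */
    ann[annlen] = '\0';
    return 0;
}

/* Runs one scenario and reports the guard word afterwards.
 * Returns 1 if the guard survived, 0 if it was clobbered,
 * -1 if annlen falls outside the modelled frame. */
static int run_scenario(size_t annlen, int checked, uint32_t *guard_after)
{
    struct frame f;
    if (annlen >= FRAME_SIZE)
        return -1;                   /* model holds only 4 bytes past ann */
    frame_init(&f);
    if (checked)
        (void)terminate_checked(f.bytes, ANN_BUF_SIZE, annlen);
    else
        terminate_unchecked(f.bytes, annlen);
    *guard_after = frame_guard(&f);
    return *guard_after == OLD_GUARD;
}

int main(void)
{
    uint32_t g;
    int ok = run_scenario(30, 0, &g);
    printf("unchecked, annlen=30: guard 0x%08x (%d) intact=%d\n",
           g, (int32_t)g, ok);
    ok = run_scenario(30, 1, &g);
    printf("checked,   annlen=30: guard 0x%08x (%d) intact=%d\n",
           g, (int32_t)g, ok);
    return 0;
}
```

With annlen = 30 the unchecked write turns the guard into 0xC520E800, which as a signed int is gdb's "New value" -987699200; in the real binary that mismatch is what the `xor %gs:0x14,%eax` / `jne` sequence at the end of an_check_lab_desc detects on return. Watching a 4-byte int at the guard address, as the post does, is enough to catch a one-byte write because the hardware watchpoint covers the whole word.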

