Wanted - example program to execute stack

[Dr. David Kirkby]

Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.

Apparently on SELinux one can use 'setstatus' to determine if stack
protection is in operation or not, but I'd like a test which avoided
having to find a test for each platform, if a program could be made to
test it.

The The Number Theory Library (NTL) is one application which tries to
execute the stack and causes problems if stack protection is in use. I
suspect this is a bug in NTL, though it might be done for speed
reasons - lots of highly optimised maths code does unusual things.

Dave

 

[jacob navia]

Dr. David Kirkby a écrit :

Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.

Apparently on SELinux one can use 'setstatus' to determine if stack
protection is in operation or not, but I'd like a test which avoided
having to find a test for each platform, if a program could be made to
test it.

The The Number Theory Library (NTL) is one application which tries to
execute the stack and causes problems if stack protection is in use. I
suspect this is a bug in NTL, though it might be done for speed
reasons - lots of highly optimised maths code does unusual things.

Dave

For x86 architectures:

typedef void(*voidfn)(void);
int main(void)
{
char a[2] = {0xc3,0};
voidfn fnptr = (voidfn)a;
fnptr();
}

If that works and doesn't crash there is NO stack execution protection.

 

[Dr. David Kirkby]

Dr. David Kirkby a écrit :

Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.

Apparently on SELinux one can use 'setstatus' to determine if stack
protection is in operation or not, but I'd like a test which avoided
having to find a test for each platform, if a program could be made to
test it.

The The Number Theory Library (NTL) is one application which tries to
execute the stack and causes problems if stack protection is in use. I
suspect this is a bug in NTL, though it might be done for speed
reasons - lots of highly optimised maths code does unusual things.

Dave

For x86 architectures:

typedef void(*voidfn)(void);
int main(void)
{
        char a[2] = {0xc3,0};
        voidfn fnptr = (voidfn)a;
        fnptr();

}

If that works and doesn't crash there is NO stack execution protection.

Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
core Intel Xeon) workstation and it behaves as you say. First the
program did not crash, then when I set:

set noexec_user_stack=1
set noexec_user_stack_log=1

in /etc/system (which enables stack protection), so it crashed.

I must admit, I don't fully understand why it works, so any help on
that matter would be appreciated.

I also tried it on a linux box (I do not know what release it is, but
it crashed on their too. What is odd, is that Sage maths program
builds on that machine, despite failing to do so on other linux
systems unless stack protection is enabled.

I also need to know what is the significance of 0xc3,0. I thought it
might be a 'noop' but that does not appear to be the case. Perhaps it
is just some random (but valid) x86 instruction. I need to find one
for SPARC too and ideally Intel Itanium too, though the later is far
less important.

I'm somewhat puzzled why this should crash on a Linux (x86) server,
which executes code that another linux system complains about
execution of the stack.

Dave

 

[Ben Bacarisse]

Dr. David Kirkby a écrit :

Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.

Apparently on SELinux one can use 'setstatus' to determine if stack
protection is in operation or not, but I'd like a test which avoided
having to find a test for each platform, if a program could be made to
test it.

The The Number Theory Library (NTL) is one application which tries to
execute the stack and causes problems if stack protection is in use. I
suspect this is a bug in NTL, though it might be done for speed
reasons - lots of highly optimised maths code does unusual things.

Dave

For x86 architectures:

typedef void(*voidfn)(void);
int main(void)
{
        char a[2] = {0xc3,0};
        voidfn fnptr = (voidfn)a;
        fnptr();

}

If that works and doesn't crash there is NO stack execution protection.

I also need to know what is the significance of 0xc3,0. I thought it
might be a 'noop' but that does not appear to be the case. Perhaps it
is just some random (but valid) x86 instruction.

It's "return from procedure" which is, under the circumstances,
exactly what you want.

I'm somewhat puzzled why this should crash on a Linux (x86) server,
which executes code that another linux system complains about
execution of the stack.

You are likely to get a better answer on a Unix or Linux group.
comp.unix.programmer is a reasonable guess since you have questions
about more than one Unix variant.

 

[Noob]

I must admit, I don't fully understand why it works, so any help on
that matter would be appreciated.

comp.lang.c is not the right newsgroup for your question.

comp.lang.asm.x86 may answer your x86 and NX questions.

( http://en.wikipedia.org/wiki/NX_bit )

I also tried it on a linux box (I do not know what release it is, but
it crashed on there too. What is odd, is that Sage maths program
builds on that machine, despite failing to do so on other linux
systems unless stack protection is enabled.

I also need to know what is the significance of 0xc3,0. I thought it
might be a 'noop' but that does not appear to be the case. Perhaps it
is just some random (but valid) x86 instruction.

C3 is the IA-32 return instruction.
http://www.sandpile.org/ia32/

I need to find one
for SPARC too and ideally Intel Itanium too, though the later is far
less important.

I'm somewhat puzzled why this should crash on a Linux (x86) server,
which executes code that another linux system complains about
execution of the stack.

comp.os.linux.development.apps and comp.os.linux.development.system
may answer your Linux-specific questions.

Regards.

 

[bartc]

Dr. David Kirkby a écrit :

Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.

typedef void(*voidfn)(void);
int main(void)
{
char a[2] = {0xc3,0};
voidfn fnptr = (voidfn)a;
fnptr();

}

If that works and doesn't crash there is NO stack execution
protection.

Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
core Intel Xeon) workstation and it behaves as you say. First the
program did not crash, then when I set:

set noexec_user_stack=1
set noexec_user_stack_log=1

in /etc/system (which enables stack protection), so it crashed.

I also need to know what is the significance of 0xc3,0. I thought it

0xC3 is a ret instruction. In other words, an empty function containing only
return. But this only works on x86 machines.

Not sure about the 0 though.

 

[jacob navia]

Dr. David Kirkby a écrit :

Dr. David Kirkby a écrit :

Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.
Apparently on SELinux one can use 'setstatus' to determine if stack
protection is in operation or not, but I'd like a test which avoided
having to find a test for each platform, if a program could be made to
test it.
The The Number Theory Library (NTL) is one application which tries to
execute the stack and causes problems if stack protection is in use. I
suspect this is a bug in NTL, though it might be done for speed
reasons - lots of highly optimised maths code does unusual things.
Dave

For x86 architectures:

typedef void(*voidfn)(void);
int main(void)
{
char a[2] = {0xc3,0};
voidfn fnptr = (voidfn)a;
fnptr();

}

If that works and doesn't crash there is NO stack execution protection.

Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
core Intel Xeon) workstation and it behaves as you say. First the
program did not crash, then when I set:

set noexec_user_stack=1
set noexec_user_stack_log=1

in /etc/system (which enables stack protection), so it crashed.

I must admit, I don't fully understand why it works, so any help on
that matter would be appreciated.

I build a one instruction function that executes a "return"
Since the instruction is in the stack, if you can execute instructions
in the stack it doesn't crash, but if stack execution prevention is on
it will crash.

The return instruction just tells the processor to return to the calling procedure
(main)

jacob

 

[Dr. David Kirkby]

Dr. David Kirkby a crit :

Dr. David Kirkby a crit :
Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.
Apparently on SELinux one can use 'setstatus' to determine if stack
protection is in operation or not, but I'd like a test which avoided
having to find a test for each platform, if a program could be made to
test it.
The The Number Theory Library (NTL) is one application which tries to
execute the stack and causes problems if stack protection is in use. I
suspect this is a bug in NTL, though it might be done for speed
reasons - lots of highly optimised maths code does unusual things.
Dave
For x86 architectures:
typedef void(*voidfn)(void);
int main(void)
{
        char a[2] = {0xc3,0};
        voidfn fnptr = (voidfn)a;
        fnptr();
}
If that works and doesn't crash there is NO stack execution protection..

Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
core Intel Xeon) workstation and it behaves as you say. First the
program did not crash, then when I set:

set noexec_user_stack=1
set noexec_user_stack_log=1

in /etc/system (which enables stack protection), so it crashed.

I must admit, I don't fully understand why it works, so any help on
that matter would be appreciated.

I build a one instruction function that executes a "return"
Since the instruction is in the stack, if you can execute instructions
in the stack it doesn't crash, but if stack execution prevention is on
it will crash.

The return instruction just tells the processor to return to the calling procedure
(main)

jacob

Thank you very much. That is helpful.

I can't see to find the opcode for return on SPARC. I know there is a
'ret' instruction, but I'm stuck there. Is there any way I could
compile a C program to see what the opcode of the return statement is
on SPARC? I tried using gcc -S, but the assebly code only had a 'ret'
in it so not much help. I can't seem to find it on the Sun (now
Oracle) web site. Perhaps sparc.org might have something.

dave

 

[Ian Collins]

I can't see to find the opcode for return on SPARC. I know there is a
'ret' instruction, but I'm stuck there. Is there any way I could
compile a C program to see what the opcode of the return statement is
on SPARC? I tried using gcc -S, but the assebly code only had a 'ret'
in it so not much help. I can't seem to find it on the Sun (now
Oracle) web site. Perhaps sparc.org might have something.

You souls ask on comp.unix.solaris. I'd expect the same rules apply on
all Solaris platforms.

 

[bartc]

I can't see to find the opcode for return on SPARC. I know there is a
'ret' instruction, but I'm stuck there. Is there any way I could
compile a C program to see what the opcode of the return statement is
on SPARC? I tried using gcc -S, but the assebly code only had a 'ret'
in it so not much help. I can't seem to find it on the Sun (now
Oracle) web site. Perhaps sparc.org might have something.

The following code prints the contents of an empty function (or the first
ten bytes of one).

On x86, some compilers show 0xC3 right at the start, others put some junk in
there first, and the same might be true of your machine.

Or you can just copy the bytes shown (10 bytes or 100 bytes for good
measure) into a char array, and execute it as in jacob's example. (Although
if it fails, it may possibly be due to other reasons: position-dependent
code for example.)

#include <stdio.h>

void emptyfn(void) {}

int main(void)
{
unsigned char *fnptr=(unsigned char*)emptyfn;
int i;

for (i=0; i<10; ++i)
printf("0x%X\n",*fnptr++);
}

 

[Noob]

The following code prints the contents of an empty function (or the
first ten bytes of one).

AFAIU, converting function pointers to object pointers has UB.

On some platforms (e.g. IA-64) a function pointer does not point
directly to the function's code.

http://www.gelato.unsw.edu.au/archives/linux-ia64/0201/2679.html

<quote>
On IA64 and PPC64 the function pointer does not reference the function
itself, instead it points to a function descriptor. The function
descriptor contains a pointer to the function code plus additional data
such as a pointer to the global data to be used when the function is
called. This is mandated by the architecture software ABI.
</quote>

On IA-64, your code would not print the function code, it would
print the contents of the function descriptor, and then some garbage.

 

[Ben Bacarisse]

AFAIU, converting function pointers to object pointers has UB.

You made me look! I suspected it would be implementation defined but
it is not. The case is not discussed so it is UB by omission.

Oddly, converting between an integer and /any/ pointer type is
implementation defined rather than UB, so this:

extern void f(void);
void *vp = (void *)f;

is UB (and therefore could do pretty much anything) whereas this
(which looks way more suspicious):

extern void f(void);
void *vp = (void *)(int)f;

might work. You may have to use a type other than int, of course --
the standard refers to conversions to and from "an integer" rather
than just plain int.

<snip>