Wanted - example program to execute stack

Discussion in 'C Programming' started by Dr. David Kirkby, Mar 29, 2010.

  1. Can anyone give me a noddy example of a C program that tries to
    execute the stack? I want to create a test to see if an operating
    system is configured with stack protection or not.

    Apparently on SELinux one can use 'setstatus' to determine if stack
    protection is in operation or not, but I'd like a test which avoided
    having to find a test for each platform, if a program could be made to
    test it.

    The The Number Theory Library (NTL) is one application which tries to
    execute the stack and causes problems if stack protection is in use. I
    suspect this is a bug in NTL, though it might be done for speed
    reasons - lots of highly optimised maths code does unusual things.

    Dave
     
    Dr. David Kirkby, Mar 29, 2010
    #1
    1. Advertising

  2. Dr. David Kirkby

    jacob navia Guest

    Dr. David Kirkby a écrit :
    > Can anyone give me a noddy example of a C program that tries to
    > execute the stack? I want to create a test to see if an operating
    > system is configured with stack protection or not.
    >
    > Apparently on SELinux one can use 'setstatus' to determine if stack
    > protection is in operation or not, but I'd like a test which avoided
    > having to find a test for each platform, if a program could be made to
    > test it.
    >
    > The The Number Theory Library (NTL) is one application which tries to
    > execute the stack and causes problems if stack protection is in use. I
    > suspect this is a bug in NTL, though it might be done for speed
    > reasons - lots of highly optimised maths code does unusual things.
    >
    > Dave


    For x86 architectures:

    typedef void(*voidfn)(void);
    int main(void)
    {
    char a[2] = {0xc3,0};
    voidfn fnptr = (voidfn)a;
    fnptr();
    }

    If that works and doesn't crash there is NO stack execution protection.
     
    jacob navia, Mar 29, 2010
    #2
    1. Advertising

  3. On Mar 29, 10:22 am, jacob navia <> wrote:
    > Dr. David Kirkby a écrit :
    >
    > > Can anyone give me a noddy example of a C program that tries to
    > > execute the stack? I want to create a test to see if an operating
    > > system is configured with stack protection or not.

    >
    > > Apparently on SELinux one can use 'setstatus' to determine if stack
    > > protection is in operation or not, but I'd like a test which avoided
    > > having to find a test for each platform, if a program could be made to
    > > test it.

    >
    > > The The Number Theory Library (NTL) is one application which tries to
    > > execute the stack and causes problems if stack protection is in use. I
    > > suspect this is a bug in NTL, though it might be done for speed
    > > reasons - lots of highly optimised maths code does unusual things.

    >
    > > Dave

    >
    > For x86 architectures:
    >
    > typedef void(*voidfn)(void);
    > int main(void)
    > {
    >         char a[2] = {0xc3,0};
    >         voidfn fnptr = (voidfn)a;
    >         fnptr();
    >
    > }
    >
    > If that works and doesn't crash there is NO stack execution protection.


    Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
    core Intel Xeon) workstation and it behaves as you say. First the
    program did not crash, then when I set:

    set noexec_user_stack=1
    set noexec_user_stack_log=1

    in /etc/system (which enables stack protection), so it crashed.

    I must admit, I don't fully understand why it works, so any help on
    that matter would be appreciated.

    I also tried it on a linux box (I do not know what release it is, but
    it crashed on their too. What is odd, is that Sage maths program
    builds on that machine, despite failing to do so on other linux
    systems unless stack protection is enabled.

    I also need to know what is the significance of 0xc3,0. I thought it
    might be a 'noop' but that does not appear to be the case. Perhaps it
    is just some random (but valid) x86 instruction. I need to find one
    for SPARC too and ideally Intel Itanium too, though the later is far
    less important.

    I'm somewhat puzzled why this should crash on a Linux (x86) server,
    which executes code that another linux system complains about
    execution of the stack.

    Dave
     
    Dr. David Kirkby, Mar 29, 2010
    #3
  4. "Dr. David Kirkby" <> writes:

    > On Mar 29, 10:22 am, jacob navia <> wrote:
    >> Dr. David Kirkby a écrit :
    >>
    >> > Can anyone give me a noddy example of a C program that tries to
    >> > execute the stack? I want to create a test to see if an operating
    >> > system is configured with stack protection or not.

    >>
    >> > Apparently on SELinux one can use 'setstatus' to determine if stack
    >> > protection is in operation or not, but I'd like a test which avoided
    >> > having to find a test for each platform, if a program could be made to
    >> > test it.

    >>
    >> > The The Number Theory Library (NTL) is one application which tries to
    >> > execute the stack and causes problems if stack protection is in use. I
    >> > suspect this is a bug in NTL, though it might be done for speed
    >> > reasons - lots of highly optimised maths code does unusual things.

    >>
    >> > Dave

    >>
    >> For x86 architectures:
    >>
    >> typedef void(*voidfn)(void);
    >> int main(void)
    >> {
    >>         char a[2] = {0xc3,0};
    >>         voidfn fnptr = (voidfn)a;
    >>         fnptr();
    >>
    >> }
    >>
    >> If that works and doesn't crash there is NO stack execution protection.

    <snip>
    > I also need to know what is the significance of 0xc3,0. I thought it
    > might be a 'noop' but that does not appear to be the case. Perhaps it
    > is just some random (but valid) x86 instruction.


    It's "return from procedure" which is, under the circumstances,
    exactly what you want.

    <snip>
    > I'm somewhat puzzled why this should crash on a Linux (x86) server,
    > which executes code that another linux system complains about
    > execution of the stack.


    You are likely to get a better answer on a Unix or Linux group.
    comp.unix.programmer is a reasonable guess since you have questions
    about more than one Unix variant.

    --
    Ben.
     
    Ben Bacarisse, Mar 29, 2010
    #4
  5. Dr. David Kirkby

    Noob Guest

    Dr. David Kirkby wrote:

    > I must admit, I don't fully understand why it works, so any help on
    > that matter would be appreciated.


    comp.lang.c is not the right newsgroup for your question.

    comp.lang.asm.x86 may answer your x86 and NX questions.

    ( http://en.wikipedia.org/wiki/NX_bit )

    > I also tried it on a linux box (I do not know what release it is, but
    > it crashed on there too. What is odd, is that Sage maths program
    > builds on that machine, despite failing to do so on other linux
    > systems unless stack protection is enabled.
    >
    > I also need to know what is the significance of 0xc3,0. I thought it
    > might be a 'noop' but that does not appear to be the case. Perhaps it
    > is just some random (but valid) x86 instruction.


    C3 is the IA-32 return instruction.
    http://www.sandpile.org/ia32/

    > I need to find one
    > for SPARC too and ideally Intel Itanium too, though the later is far
    > less important.
    >
    > I'm somewhat puzzled why this should crash on a Linux (x86) server,
    > which executes code that another linux system complains about
    > execution of the stack.


    comp.os.linux.development.apps and comp.os.linux.development.system
    may answer your Linux-specific questions.

    Regards.
     
    Noob, Mar 29, 2010
    #5
  6. Dr. David Kirkby

    bartc Guest

    Dr. David Kirkby wrote:
    > On Mar 29, 10:22 am, jacob navia <> wrote:
    >> Dr. David Kirkby a écrit :
    >>
    >>> Can anyone give me a noddy example of a C program that tries to
    >>> execute the stack? I want to create a test to see if an operating
    >>> system is configured with stack protection or not.


    >> typedef void(*voidfn)(void);
    >> int main(void)
    >> {
    >> char a[2] = {0xc3,0};
    >> voidfn fnptr = (voidfn)a;
    >> fnptr();
    >>
    >> }
    >>
    >> If that works and doesn't crash there is NO stack execution
    >> protection.

    >
    > Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
    > core Intel Xeon) workstation and it behaves as you say. First the
    > program did not crash, then when I set:
    >
    > set noexec_user_stack=1
    > set noexec_user_stack_log=1
    >
    > in /etc/system (which enables stack protection), so it crashed.


    > I also need to know what is the significance of 0xc3,0. I thought it


    0xC3 is a ret instruction. In other words, an empty function containing only
    return. But this only works on x86 machines.

    Not sure about the 0 though.

    --
    Bartc
     
    bartc, Mar 29, 2010
    #6
  7. Dr. David Kirkby

    jacob navia Guest

    Dr. David Kirkby a écrit :
    > On Mar 29, 10:22 am, jacob navia <> wrote:
    >> Dr. David Kirkby a écrit :
    >>
    >>> Can anyone give me a noddy example of a C program that tries to
    >>> execute the stack? I want to create a test to see if an operating
    >>> system is configured with stack protection or not.
    >>> Apparently on SELinux one can use 'setstatus' to determine if stack
    >>> protection is in operation or not, but I'd like a test which avoided
    >>> having to find a test for each platform, if a program could be made to
    >>> test it.
    >>> The The Number Theory Library (NTL) is one application which tries to
    >>> execute the stack and causes problems if stack protection is in use. I
    >>> suspect this is a bug in NTL, though it might be done for speed
    >>> reasons - lots of highly optimised maths code does unusual things.
    >>> Dave

    >> For x86 architectures:
    >>
    >> typedef void(*voidfn)(void);
    >> int main(void)
    >> {
    >> char a[2] = {0xc3,0};
    >> voidfn fnptr = (voidfn)a;
    >> fnptr();
    >>
    >> }
    >>
    >> If that works and doesn't crash there is NO stack execution protection.

    >
    > Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
    > core Intel Xeon) workstation and it behaves as you say. First the
    > program did not crash, then when I set:
    >
    > set noexec_user_stack=1
    > set noexec_user_stack_log=1
    >
    > in /etc/system (which enables stack protection), so it crashed.
    >
    > I must admit, I don't fully understand why it works, so any help on
    > that matter would be appreciated.
    >


    I build a one instruction function that executes a "return"
    Since the instruction is in the stack, if you can execute instructions
    in the stack it doesn't crash, but if stack execution prevention is on
    it will crash.

    The return instruction just tells the processor to return to the calling procedure
    (main)

    jacob
     
    jacob navia, Mar 29, 2010
    #7
  8. On Mar 29, 5:13 pm, jacob navia <> wrote:
    > Dr. David Kirkby a crit :
    >
    >
    >
    > > On Mar 29, 10:22 am, jacob navia <> wrote:
    > >> Dr. David Kirkby a crit :

    >
    > >>> Can anyone give me a noddy example of a C program that tries to
    > >>> execute the stack? I want to create a test to see if an operating
    > >>> system is configured with stack protection or not.
    > >>> Apparently on SELinux one can use 'setstatus' to determine if stack
    > >>> protection is in operation or not, but I'd like a test which avoided
    > >>> having to find a test for each platform, if a program could be made to
    > >>> test it.
    > >>> The The Number Theory Library (NTL) is one application which tries to
    > >>> execute the stack and causes problems if stack protection is in use. I
    > >>> suspect this is a bug in NTL, though it might be done for speed
    > >>> reasons - lots of highly optimised maths code does unusual things.
    > >>> Dave
    > >> For x86 architectures:

    >
    > >> typedef void(*voidfn)(void);
    > >> int main(void)
    > >> {
    > >>         char a[2] = {0xc3,0};
    > >>         voidfn fnptr = (voidfn)a;
    > >>         fnptr();

    >
    > >> }

    >
    > >> If that works and doesn't crash there is NO stack execution protection..

    >
    > > Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
    > > core Intel Xeon) workstation and it behaves as you say. First the
    > > program did not crash, then when I set:

    >
    > > set noexec_user_stack=1
    > > set noexec_user_stack_log=1

    >
    > > in /etc/system (which enables stack protection), so it crashed.

    >
    > > I must admit, I don't fully understand why it works, so any help on
    > > that matter would be appreciated.

    >
    > I build a one instruction function that executes a "return"
    > Since the instruction is in the stack, if you can execute instructions
    > in the stack it doesn't crash, but if stack execution prevention is on
    > it will crash.
    >
    > The return instruction just tells the processor to return to the calling procedure
    > (main)
    >
    > jacob


    Thank you very much. That is helpful.

    I can't see to find the opcode for return on SPARC. I know there is a
    'ret' instruction, but I'm stuck there. Is there any way I could
    compile a C program to see what the opcode of the return statement is
    on SPARC? I tried using gcc -S, but the assebly code only had a 'ret'
    in it so not much help. I can't seem to find it on the Sun (now
    Oracle) web site. Perhaps sparc.org might have something.

    dave
     
    Dr. David Kirkby, Mar 29, 2010
    #8
  9. Dr. David Kirkby

    Ian Collins Guest

    On 03/30/10 10:26 AM, Dr. David Kirkby wrote:
    >
    > I can't see to find the opcode for return on SPARC. I know there is a
    > 'ret' instruction, but I'm stuck there. Is there any way I could
    > compile a C program to see what the opcode of the return statement is
    > on SPARC? I tried using gcc -S, but the assebly code only had a 'ret'
    > in it so not much help. I can't seem to find it on the Sun (now
    > Oracle) web site. Perhaps sparc.org might have something.


    You souls ask on comp.unix.solaris. I'd expect the same rules apply on
    all Solaris platforms.

    --
    Ian Collins
     
    Ian Collins, Mar 29, 2010
    #9
  10. Dr. David Kirkby

    bartc Guest

    Dr. David Kirkby wrote:

    > I can't see to find the opcode for return on SPARC. I know there is a
    > 'ret' instruction, but I'm stuck there. Is there any way I could
    > compile a C program to see what the opcode of the return statement is
    > on SPARC? I tried using gcc -S, but the assebly code only had a 'ret'
    > in it so not much help. I can't seem to find it on the Sun (now
    > Oracle) web site. Perhaps sparc.org might have something.


    The following code prints the contents of an empty function (or the first
    ten bytes of one).

    On x86, some compilers show 0xC3 right at the start, others put some junk in
    there first, and the same might be true of your machine.

    Or you can just copy the bytes shown (10 bytes or 100 bytes for good
    measure) into a char array, and execute it as in jacob's example. (Although
    if it fails, it may possibly be due to other reasons: position-dependent
    code for example.)

    #include <stdio.h>

    void emptyfn(void) {}

    int main(void)
    {
    unsigned char *fnptr=(unsigned char*)emptyfn;
    int i;

    for (i=0; i<10; ++i)
    printf("0x%X\n",*fnptr++);
    }

    --
    Bartc
     
    bartc, Mar 30, 2010
    #10
  11. Dr. David Kirkby

    Noob Guest

    bartc wrote:

    > The following code prints the contents of an empty function (or the
    > first ten bytes of one).


    AFAIU, converting function pointers to object pointers has UB.

    On some platforms (e.g. IA-64) a function pointer does not point
    directly to the function's code.

    http://www.gelato.unsw.edu.au/archives/linux-ia64/0201/2679.html

    <quote>
    On IA64 and PPC64 the function pointer does not reference the function
    itself, instead it points to a function descriptor. The function
    descriptor contains a pointer to the function code plus additional data
    such as a pointer to the global data to be used when the function is
    called. This is mandated by the architecture software ABI.
    </quote>

    On IA-64, your code would not print the function code, it would
    print the contents of the function descriptor, and then some garbage.

    > Or you can just copy the bytes shown (10 bytes or 100 bytes for good
    > measure) into a char array, and execute it as in jacob's example.
    > (Although if it fails, it may possibly be due to other reasons:
    > position-dependent code for example.)
    >
    > #include <stdio.h>
    >
    > void emptyfn(void) {}
    >
    > int main(void)
    > {
    > unsigned char *fnptr=(unsigned char*)emptyfn;
    > int i;
    >
    > for (i=0; i<10; ++i)
    > printf("0x%X\n",*fnptr++);
    > }
     
    Noob, Mar 30, 2010
    #11
  12. Noob <root@127.0.0.1> writes:

    > bartc wrote:
    >
    >> The following code prints the contents of an empty function (or the
    >> first ten bytes of one).

    >
    > AFAIU, converting function pointers to object pointers has UB.


    You made me look! I suspected it would be implementation defined but
    it is not. The case is not discussed so it is UB by omission.

    Oddly, converting between an integer and /any/ pointer type is
    implementation defined rather than UB, so this:

    extern void f(void);
    void *vp = (void *)f;

    is UB (and therefore could do pretty much anything) whereas this
    (which looks way more suspicious):

    extern void f(void);
    void *vp = (void *)(int)f;

    might work. You may have to use a type other than int, of course --
    the standard refers to conversions to and from "an integer" rather
    than just plain int.

    <snip>
    --
    Ben.
     
    Ben Bacarisse, Mar 30, 2010
    #12
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Harvey
    Replies:
    0
    Views:
    777
    Harvey
    Jul 16, 2004
  2. Harvey
    Replies:
    1
    Views:
    892
    Daniel
    Jul 16, 2004
  3. Surinder Singh
    Replies:
    1
    Views:
    1,242
    Richard Bos
    Dec 20, 2007
  4. Casey Hawthorne
    Replies:
    3
    Views:
    1,137
    Flash Gordon
    Nov 1, 2009
  5. Debajit Adhikary
    Replies:
    36
    Views:
    2,378
    Andre Kaufmann
    Feb 10, 2011
Loading...

Share This Page