Borked Pseudo Mailed
Programmatore said:

int a() {
    printf("secret");
}
Change that to
printf("secret\n");
and you should get a pleasant surprise. What's happening
is that the function a() gets entered, but because stdout
is line-buffered on your system by default, you need the
newline character in the printf() string to flush the
stdout buffer.
Breakpoint 2, ciao (b=-1074078504) at xploitable.c:13
13 }
(gdb) x/40wx &sou
0xbffadca4: 0x41414141 0x080483eb 0x080483eb 0xbffadcd8
0xbffadcb4: 0x08048479 0xb809ff50 0x08048300 0x0804846b ...
Program received signal SIGSEGV, Segmentation fault.
0xbffadcda in ?? ()
The ebp register takes on the first 0x080483eb when ciao()
returns, and the eip register takes on the second 0x080483eb.
That eip value causes function a() to be entered. The old
ebp value, 0x080483eb, gets pushed on the stack below
0xbffadcd8. Then printf() is called, but because of the
buffering mentioned above, you don't see the "secret" output
string. When function a() returns, 0x080483eb gets restored to
ebp, while eip takes on the value 0xbffadcd8. From the second
stack dump, this memory location contains 0xbffadd38, which
is 0x38, 0xdd, 0xfa, 0xbf in little-endian order. The bytes
0x38, 0xdd correspond to the instruction cmp %bl,%ch, which
gets executed. Then the byte at 0xbffadcda is 0xfa, which is
the cli instruction, a privileged instruction in protected
mode. Trying to execute this instruction in unprivileged
mode raises a general protection fault on the x86. The Linux
kernel handler for a GPF is do_general_protection(), which
is defined in arch/x86/kernel/traps_32.c. This handler sends
the SIGSEGV signal to the process.
If you need any further help with your C security
programming - or even your C kernel programming - just post to
comp.lang.c, and some of us will be happy to help you.
Best of luck.
Yours,
Han from China