Wanted - example program to execute stack

 
 
Dr. David Kirkby
03-29-2010
Can anyone give me a noddy example of a C program that tries to
execute the stack? I want to create a test to see if an operating
system is configured with stack protection or not.

Apparently on SELinux one can use 'setstatus' to determine if stack
protection is in operation or not, but I'd like a test which avoided
having to find a test for each platform, if a program could be made to
test it.

The Number Theory Library (NTL) is one application which tries to
execute the stack and causes problems if stack protection is in use. I
suspect this is a bug in NTL, though it might be done for speed
reasons - lots of highly optimised maths code does unusual things.

Dave
 

jacob navia
03-29-2010
Dr. David Kirkby wrote:
> Can anyone give me a noddy example of a C program that tries to
> execute the stack? I want to create a test to see if an operating
> system is configured with stack protection or not.
>
> Apparently on SELinux one can use 'setstatus' to determine if stack
> protection is in operation or not, but I'd like a test which avoided
> having to find a test for each platform, if a program could be made to
> test it.
>
> The Number Theory Library (NTL) is one application which tries to
> execute the stack and causes problems if stack protection is in use. I
> suspect this is a bug in NTL, though it might be done for speed
> reasons - lots of highly optimised maths code does unusual things.
>
> Dave


For x86 architectures:

typedef void (*voidfn)(void);

int main(void)
{
    /* 0xc3 is the x86 'ret' instruction; the buffer lives in main's stack frame */
    unsigned char a[2] = {0xc3, 0};
    voidfn fnptr = (voidfn)a;   /* point a function pointer at the stack buffer */
    fnptr();                    /* returns at once if the stack is executable, faults if not */
    return 0;
}

If that works and doesn't crash there is NO stack execution protection.
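The same probe written so that it reports the result instead of crashing is shown below. This is an added example, not code from jacob's post, NTL or Sage. It wraps the call in a SIGSEGV/SIGBUS handler and sigsetjmp so an NX fault is caught and turned into a return value, uses the x86 'ret' byte from the post (and, as an added assumption for AArch64, that architecture's 'ret' encoding 0xd65f03c0 stored little-endian), and runs the same bytes a second time from an anonymous page that is written while read-write and then flipped to read-execute with mprotect. That second call is a positive control for the probe and also the W^X pattern a library that really needs to run generated instructions should use instead of requiring an executable stack. It assumes a POSIX system with mmap/mprotect; the function names are the example's own.

```c
/* Added example: probe stack executability without crashing the process.
 * Assumes POSIX signals and mmap/mprotect (Linux/BSD). The opcode bytes are
 * architecture-specific choices of this example, not taken from the thread. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_CODE[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char RET_CODE[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret, little-endian */
#else
#error "add the 'return' instruction encoding for this architecture"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);   /* back into try_execute(), signal mask restored */
}

/* Jump to the 'ret' at p. Returns 1 if it executed and came straight back,
 * 0 if the CPU refused and the fault was caught by on_fault(). */
static int try_execute(const void *p)
{
    struct sigaction sa, old_segv, old_bus;
    void (*fn)(void);
    int ok;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some systems report NX faults as SIGBUS */

    if (sigsetjmp(fault_env, 1) == 0) {
        memcpy(&fn, &p, sizeof fn);     /* object pointer -> function pointer */
        fn();                           /* the 'ret' returns here immediately */
        ok = 1;
    } else {
        ok = 0;                         /* arrived via siglongjmp from on_fault */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* 1 = instructions in a stack buffer run, 0 = NX stack (the hardened state). */
int stack_is_executable(void)
{
    unsigned char code[16];
    memcpy(code, RET_CODE, sizeof RET_CODE);
    __builtin___clear_cache((char *)code, (char *)code + sizeof code);
    return try_execute(code);
}

/* Positive control and the W^X alternative: fill an anonymous page while it
 * is RW, flip it to RX, then call into it. 1 = ran, 0 = faulted,
 * -1 = mmap/mprotect refused (e.g. a hardened kernel policy). */
int exec_page_is_executable(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int ok;

    if (page == MAP_FAILED)
        return -1;
    memcpy(page, RET_CODE, sizeof RET_CODE);
    if (mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pg);
        return -1;
    }
    __builtin___clear_cache((char *)page, (char *)page + pg);
    ok = try_execute(page);
    munmap(page, pg);
    return ok;
}

int main(void)
{
    printf("stack executable:   %d\n", stack_is_executable());
    printf("RX page executable: %d\n", exec_page_is_executable());
    return 0;
}
```

Run it twice, once linked normally and once with `-Wl,-z,execstack` (GNU ld), to see the first line flip from 0 to 1 while the second stays 1; a 0 on the second line means the probe itself is broken for that platform rather than that the stack is protected.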
 

Dr. David Kirkby
03-29-2010
On Mar 29, 10:22 am, jacob navia <(E-Mail Removed)> wrote:
> Dr. David Kirkby wrote:
>
> > Can anyone give me a noddy example of a C program that tries to
> > execute the stack? I want to create a test to see if an operating
> > system is configured with stack protection or not.

>
> > Apparently on SELinux one can use 'setstatus' to determine if stack
> > protection is in operation or not, but I'd like a test which avoided
> > having to find a test for each platform, if a program could be made to
> > test it.

>
> > The Number Theory Library (NTL) is one application which tries to
> > execute the stack and causes problems if stack protection is in use. I
> > suspect this is a bug in NTL, though it might be done for speed
> > reasons - lots of highly optimised maths code does unusual things.

>
> > Dave

>
> For x86 architectures:
>
> typedef void(*voidfn)(void);
> int main(void)
> {
>         char a[2] = {0xc3,0};
>         voidfn fnptr = (voidfn)a;
>         fnptr();
>
> }
>
> If that works and doesn't crash there is NO stack execution protection.


Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
core Intel Xeon) workstation and it behaves as you say. First the
program did not crash; then when I set:

set noexec_user_stack=1
set noexec_user_stack_log=1

in /etc/system (which enables stack protection), it crashed.

I must admit, I don't fully understand why it works, so any help on
that matter would be appreciated.

I also tried it on a linux box (I do not know what release it is), but
it crashed on there too. What is odd is that the Sage maths program
builds on that machine, despite failing to do so on other linux
systems unless stack protection is enabled.

I also need to know what is the significance of 0xc3,0. I thought it
might be a 'noop' but that does not appear to be the case. Perhaps it
is just some random (but valid) x86 instruction. I need to find one
for SPARC too and ideally Intel Itanium too, though the latter is far
less important.

I'm somewhat puzzled why this should crash on a Linux (x86) server,
which executes code that another linux system complains about
execution of the stack.

Dave
 

Ben Bacarisse
03-29-2010
"Dr. David Kirkby" <(E-Mail Removed)> writes:

> On Mar 29, 10:22 am, jacob navia <(E-Mail Removed)> wrote:
>> Dr. David Kirkby wrote:
>>
>> > Can anyone give me a noddy example of a C program that tries to
>> > execute the stack? I want to create a test to see if an operating
>> > system is configured with stack protection or not.

>>
>> > Apparently on SELinux one can use 'setstatus' to determine if stack
>> > protection is in operation or not, but I'd like a test which avoided
>> > having to find a test for each platform, if a program could be made to
>> > test it.

>>
>> > The Number Theory Library (NTL) is one application which tries to
>> > execute the stack and causes problems if stack protection is in use. I
>> > suspect this is a bug in NTL, though it might be done for speed
>> > reasons - lots of highly optimised maths code does unusual things.

>>
>> > Dave

>>
>> For x86 architectures:
>>
>> typedef void(*voidfn)(void);
>> int main(void)
>> {
>>         char a[2] = {0xc3,0};
>>         voidfn fnptr = (voidfn)a;
>>         fnptr();
>>
>> }
>>
>> If that works and doesn't crash there is NO stack execution protection.

<snip>
> I also need to know what is the significance of 0xc3,0. I thought it
> might be a 'noop' but that does not appear to be the case. Perhaps it
> is just some random (but valid) x86 instruction.


It's "return from procedure" which is, under the circumstances,
exactly what you want.

<snip>
> I'm somewhat puzzled why this should crash on a Linux (x86) server,
> which executes code that another linux system complains about
> execution of the stack.


You are likely to get a better answer on a Unix or Linux group.
comp.unix.programmer is a reasonable guess since you have questions
about more than one Unix variant.

--
Ben.
 

Noob
03-29-2010
Dr. David Kirkby wrote:

> I must admit, I don't fully understand why it works, so any help on
> that matter would be appreciated.


comp.lang.c is not the right newsgroup for your question.

comp.lang.asm.x86 may answer your x86 and NX questions.

( http://en.wikipedia.org/wiki/NX_bit )

> I also tried it on a linux box (I do not know what release it is, but
> it crashed on there too. What is odd, is that Sage maths program
> builds on that machine, despite failing to do so on other linux
> systems unless stack protection is enabled.
>
> I also need to know what is the significance of 0xc3,0. I thought it
> might be a 'noop' but that does not appear to be the case. Perhaps it
> is just some random (but valid) x86 instruction.


C3 is the IA-32 return instruction.
http://www.sandpile.org/ia32/

> I need to find one
> for SPARC too and ideally Intel Itanium too, though the latter is far
> less important.
>
> I'm somewhat puzzled why this should crash on a Linux (x86) server,
> which executes code that another linux system complains about
> execution of the stack.


comp.os.linux.development.apps and comp.os.linux.development.system
may answer your Linux-specific questions.

Regards.
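On Linux the result of the stack probe is decided per binary, not per machine. At exec time the kernel looks at the PT_GNU_STACK program header and maps the stack with execute permission only if that header carries PF_X; GNU ld sets PF_X when `-z execstack` is given or when any input object lacks a `.note.GNU-stack` section, which is common for hand-written assembly such as the optimised routines in maths libraries, and a binary with no PT_GNU_STACK header at all gets the kernel's per-architecture default. That is why the same test can crash on one Linux box and run on another, and `readelf -lW ./a.out | grep GNU_STACK` shows the flag directly. The following is an added example, not code from the thread, that reads that flag from /proc/self/exe with a small ELF header walk and cross-checks it against the permissions of the [stack] line in /proc/self/maps. It assumes a little-endian host and that the program headers lie within the first 64 KiB of the file (true for linker output); `sample_elf_flag` builds a constructed minimal ELF image in memory purely to exercise the parser, and all function names are the example's own.

```c
/* Added example: read the executable-stack decision from the ELF program
 * headers (PT_GNU_STACK) and from /proc/self/maps. Linux, little-endian host. */
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK_TYPE 0x6474e551u   /* p_type of the GNU stack header */
#define PF_X_FLAG         0x1u

/* Little-endian read of n bytes. */
static unsigned long rd(const unsigned char *p, int n)
{
    unsigned long v = 0;
    while (n-- > 0)
        v = (v << 8) | p[n];
    return v;
}

/* 1 if PT_GNU_STACK carries PF_X, 0 if present without PF_X,
 * -1 if the buffer is not ELF or has no PT_GNU_STACK header. */
int gnu_stack_exec_flag(const unsigned char *buf, size_t len)
{
    int is64;
    unsigned long phoff, phentsize, phnum, i;

    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    is64 = (buf[4] == 2);                  /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if (is64 && len < 64)
        return -1;
    phoff     = is64 ? rd(buf + 32, 8) : rd(buf + 28, 4);
    phentsize = rd(buf + (is64 ? 54 : 42), 2);
    phnum     = rd(buf + (is64 ? 56 : 44), 2);
    for (i = 0; i < phnum; i++) {
        const unsigned char *ph = buf + phoff + i * phentsize;
        if (phoff + (i + 1) * phentsize > len)
            return -1;                     /* headers lie beyond what was read */
        if (rd(ph, 4) == PT_GNU_STACK_TYPE)  /* p_flags: offset 4 (ELF64), 24 (ELF32) */
            return (rd(ph + (is64 ? 4 : 24), 4) & PF_X_FLAG) ? 1 : 0;
    }
    return -1;
}

/* Same answer for the running executable. */
int self_gnu_stack_exec_flag(void)
{
    static unsigned char buf[65536];       /* program headers sit near the start */
    FILE *f = fopen("/proc/self/exe", "rb");
    size_t n;
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return gnu_stack_exec_flag(buf, n);
}

/* One /proc/<pid>/maps line: "lo-hi perms offset dev inode path".
 * 1/0 = the [stack] mapping is/is not executable, -1 = some other line. */
int maps_line_stack_exec(const char *line)
{
    unsigned long lo, hi;
    char perms[8];
    if (sscanf(line, "%lx-%lx %7s", &lo, &hi, perms) != 3)
        return -1;
    if (strstr(line, "[stack]") == NULL)
        return -1;
    return perms[2] == 'x';
}

/* Effective permission of this process's main stack, as the kernel mapped it. */
int self_stack_mapping_exec(void)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int r = -1;
    if (!f)
        return -1;
    while (r < 0 && fgets(line, sizeof line, f))
        r = maps_line_stack_exec(line);
    fclose(f);
    return r;
}

/* Constructed self-check: a minimal ELF64 image (header + one PT_GNU_STACK
 * phdr) with or without PF_X, fed back through the parser. */
int sample_elf_flag(int executable)
{
    unsigned char img[64 + 56];
    memset(img, 0, sizeof img);
    memcpy(img, "\x7f" "ELF", 4);
    img[4] = 2;                            /* ELFCLASS64 */
    img[5] = 1;                            /* ELFDATA2LSB */
    img[32] = 64;                          /* e_phoff */
    img[54] = 56;                          /* e_phentsize */
    img[56] = 1;                           /* e_phnum */
    img[64] = 0x51; img[65] = 0xe5; img[66] = 0x74; img[67] = 0x64; /* PT_GNU_STACK */
    img[68] = executable ? 0x7 : 0x6;      /* p_flags: RWX or RW */
    return gnu_stack_exec_flag(img, sizeof img);
}

int main(void)
{
    printf("PT_GNU_STACK executable: %d\n", self_gnu_stack_exec_flag());
    printf("[stack] mapping executable: %d\n", self_stack_mapping_exec());
    return 0;
}
```

On a normally linked binary both lines print 0; relink with `-Wl,-z,execstack` and both print 1. When a build breaks only under stack protection, `readelf -lW` on each linked object is the fastest way to find which one dropped the `.note.GNU-stack` marker and forced the whole program's stack executable.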
 

bartc
03-29-2010
Dr. David Kirkby wrote:
> On Mar 29, 10:22 am, jacob navia <(E-Mail Removed)> wrote:
>> Dr. David Kirkby wrote:
>>
>>> Can anyone give me a noddy example of a C program that tries to
>>> execute the stack? I want to create a test to see if an operating
>>> system is configured with stack protection or not.


>> typedef void(*voidfn)(void);
>> int main(void)
>> {
>> char a[2] = {0xc3,0};
>> voidfn fnptr = (voidfn)a;
>> fnptr();
>>
>> }
>>
>> If that works and doesn't crash there is NO stack execution
>> protection.

>
> Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
> core Intel Xeon) workstation and it behaves as you say. First the
> program did not crash, then when I set:
>
> set noexec_user_stack=1
> set noexec_user_stack_log=1
>
> in /etc/system (which enables stack protection), so it crashed.


> I also need to know what is the significance of 0xc3,0. I thought it


0xC3 is a ret instruction. In other words, an empty function containing only
return. But this only works on x86 machines.

Not sure about the 0 though.

--
Bartc

 

jacob navia
03-29-2010
Dr. David Kirkby wrote:
> On Mar 29, 10:22 am, jacob navia <(E-Mail Removed)> wrote:
>> Dr. David Kirkby wrote:
>>
>>> Can anyone give me a noddy example of a C program that tries to
>>> execute the stack? I want to create a test to see if an operating
>>> system is configured with stack protection or not.
>>> Apparently on SELinux one can use 'setstatus' to determine if stack
>>> protection is in operation or not, but I'd like a test which avoided
>>> having to find a test for each platform, if a program could be made to
>>> test it.
>>> The Number Theory Library (NTL) is one application which tries to
>>> execute the stack and causes problems if stack protection is in use. I
>>> suspect this is a bug in NTL, though it might be done for speed
>>> reasons - lots of highly optimised maths code does unusual things.
>>> Dave

>> For x86 architectures:
>>
>> typedef void(*voidfn)(void);
>> int main(void)
>> {
>> char a[2] = {0xc3,0};
>> voidfn fnptr = (voidfn)a;
>> fnptr();
>>
>> }
>>
>> If that works and doesn't crash there is NO stack execution protection.

>
> Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
> core Intel Xeon) workstation and it behaves as you say. First the
> program did not crash, then when I set:
>
> set noexec_user_stack=1
> set noexec_user_stack_log=1
>
> in /etc/system (which enables stack protection), so it crashed.
>
> I must admit, I don't fully understand why it works, so any help on
> that matter would be appreciated.
>


I build a one-instruction function that executes a "return".
Since the instruction is in the stack, if you can execute instructions
in the stack it doesn't crash, but if stack execution prevention is on
it will crash.

The return instruction just tells the processor to return to the calling
procedure (main).

jacob
 

Dr. David Kirkby
03-29-2010
On Mar 29, 5:13 pm, jacob navia <(E-Mail Removed)> wrote:
> Dr. David Kirkby wrote:
>
>
>
> > On Mar 29, 10:22 am, jacob navia <(E-Mail Removed)> wrote:
> >> Dr. David Kirkby wrote:

>
> >>> Can anyone give me a noddy example of a C program that tries to
> >>> execute the stack? I want to create a test to see if an operating
> >>> system is configured with stack protection or not.
> >>> Apparently on SELinux one can use 'setstatus' to determine if stack
> >>> protection is in operation or not, but I'd like a test which avoided
> >>> having to find a test for each platform, if a program could be made to
> >>> test it.
> >>> The Number Theory Library (NTL) is one application which tries to
> >>> execute the stack and causes problems if stack protection is in use. I
> >>> suspect this is a bug in NTL, though it might be done for speed
> >>> reasons - lots of highly optimised maths code does unusual things.
> >>> Dave
> >> For x86 architectures:

>
> >> typedef void(*voidfn)(void);
> >> int main(void)
> >> {
> >>         char a[2] = {0xc3,0};
> >>         voidfn fnptr = (voidfn)a;
> >>         fnptr();

>
> >> }

>
> >> If that works and doesn't crash there is NO stack execution protection.

>
> > Thank you very much. I tested this on my OpenSolaris 06/2009 (quad
> > core Intel Xeon) workstation and it behaves as you say. First the
> > program did not crash, then when I set:

>
> > set noexec_user_stack=1
> > set noexec_user_stack_log=1

>
> > in /etc/system (which enables stack protection), so it crashed.

>
> > I must admit, I don't fully understand why it works, so any help on
> > that matter would be appreciated.

>
> I build a one instruction function that executes a "return"
> Since the instruction is in the stack, if you can execute instructions
> in the stack it doesn't crash, but if stack execution prevention is on
> it will crash.
>
> The return instruction just tells the processor to return to the calling procedure
> (main)
>
> jacob


Thank you very much. That is helpful.

I can't seem to find the opcode for return on SPARC. I know there is a
'ret' instruction, but I'm stuck there. Is there any way I could
compile a C program to see what the opcode of the return statement is
on SPARC? I tried using gcc -S, but the assembly code only had a 'ret'
in it so not much help. I can't seem to find it on the Sun (now
Oracle) web site. Perhaps sparc.org might have something.

dave
 

Ian Collins
03-29-2010
On 03/30/10 10:26 AM, Dr. David Kirkby wrote:
>
> I can't seem to find the opcode for return on SPARC. I know there is a
> 'ret' instruction, but I'm stuck there. Is there any way I could
> compile a C program to see what the opcode of the return statement is
> on SPARC? I tried using gcc -S, but the assembly code only had a 'ret'
> in it so not much help. I can't seem to find it on the Sun (now
> Oracle) web site. Perhaps sparc.org might have something.


You should ask on comp.unix.solaris. I'd expect the same rules apply on
all Solaris platforms.

--
Ian Collins
 

bartc
03-30-2010
Dr. David Kirkby wrote:

> I can't seem to find the opcode for return on SPARC. I know there is a
> 'ret' instruction, but I'm stuck there. Is there any way I could
> compile a C program to see what the opcode of the return statement is
> on SPARC? I tried using gcc -S, but the assembly code only had a 'ret'
> in it so not much help. I can't seem to find it on the Sun (now
> Oracle) web site. Perhaps sparc.org might have something.


The following code prints the contents of an empty function (or the first
ten bytes of one).

On x86, some compilers show 0xC3 right at the start, others put some junk in
there first, and the same might be true of your machine.

Or you can just copy the bytes shown (10 bytes or 100 bytes for good
measure) into a char array, and execute it as in jacob's example. (Although
if it fails, it may possibly be due to other reasons: position-dependent
code for example.)

#include <stdio.h>

void emptyfn(void) {}

int main(void)
{
    /* walk the first ten bytes of emptyfn's machine code as seen in memory */
    unsigned char *fnptr = (unsigned char *)emptyfn;
    int i;

    for (i = 0; i < 10; ++i)
        printf("0x%02X\n", *fnptr++);
    return 0;
}

--
Bartc

 