2

I am trying to demonstrate a buffer overflow via an array index (when there isn't any bounds checking). What I am trying to do is change my bool authenticated = false to true by passing in a bad value.
I am using GCC 4.8.5

arrayVulnerability(int size)
{
   int array[4];
   bool authenticated = false;

   for (int i = 0; i < size; i++)
   {
      array[i] = size;
   }
}

My understanding is that my memory is set up as follows: enter image description here

I was hoping that by passing an int larger than 4 I would be able to overwrite that position to true but it's not working. I'm curious if I have my memory misunderstood or if I am missing something?

Edit: I printed out the locations as suggested and got the following:

bool authenticated = 0x7ffc4741612f
array[0] = 0x7ffc47416130
array[1] = 0x7ffc47416134
array[2] = 0x7ffc47416138
array[3] = 0x7ffc4741613c
array[4] = 0x7ffc47416140

So it looks like bool authenticated is before my array and my memory layout was wrong. I'm still confused about why it is before my array however.

Improve this question
12
  • 1
    retry with order of array and authenticated reverted. Commented Nov 9, 2018 at 21:09
  • 3
    What you're trying to do is considered Undefined Behavior, which means you cannot guarantee the behavior you want on every platform and compiler. If, however, you specify exactly which compiler you're using, and the target environment you're compiling for, we might be able to answer this question more directly. Commented Nov 9, 2018 at 21:19
  • 1
    If this is the real code posted, the whole function is most likely to be optimized away altogether. If this is not, please post one - including target system, compiler and compiler switches. When dealing with undefined behavior, every little bit matters. Commented Nov 9, 2018 at 21:20
  • 3
    Did you try checking the actual addresses of these variables while debugging the program? Commented Nov 9, 2018 at 21:24
  • 1
    Look at that. Commented Nov 9, 2018 at 21:30

1 Answer 1

Reset to default
2

The most likely implementation of automatic storage, the stack, grows downwards as objects are allocated. This means that array is allocated a certain address, and then authenticated is allocated a lower address. You can do some quick experiments to verify if this is the case. Either look at the state of an object defined before array, or print the addresses of the objects.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

I printed out the locations like you suggested, and you were right. It looks like the item I'm looking for is before the array. I'm not sure why that is however.
@Kirby: Sometimes it isn't. That's the kind of wackiness you can expect when you rely on behavior outside of what C++ guarantees. Hell, in some cases, you might overwrite some temporary variable the compiler decided to stick in between the two.
@Kirby: Not necessarily every time...but if you are intentionally overrunning your buffer, you would do well to know how your compiler is arranging things. Which implies you should check the relevant addresses once at least. The resulting code might not work anywhere else, but it might still help you. :)
Even better -- the arrangement of the stack can change based on compiler options and optimizations.
@Kirby you may also want to visit the gcc specific page GNU libc - 3.2.1 Memory Allocation in C Programs and note "In GNU C, the size of the automatic storage can be an expression that varies. In other C implementations, it must be a constant."
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.