如何解决gcc 太聪明了,无法生成 __strcpy_chk
我的代码看起来像
struct MyData {
int len;
char data[1];
};
MyData *d1 = malloc(1024);
strcpy(d1->data,a_string);
我将其用作可变长度缓冲区,并确保缓冲区不会手动和小心溢出。但是程序崩溃了。
objdump -d
2f3dc: 48 8b 44 24 10 mov 0x10(%rsp),%rax
2f3e1: 48 89 ee mov %rbp,%rsi
2f3e4: ba 01 00 00 00 mov $0x1,%edx
2f3e9: 48 8d 78 20 lea 0x20(%rax),%rdi
2f3ed: e8 ce b3 fd ff callq a7c0 <__strcpy_chk@plt>
我怎样才能说服 gcc 这个特定的缓冲区不会溢出并关闭对它的检查,但对其他人仍然打开。
巴西 / 2021 年 4 月 2 日
这里是gcc-4.8编译的简化代码 ======>>>>
#include <string.h>
typedef struct _EncodedBuffer1 {
int encoding;
char data[1024];
} EncodedBuffer1;
typedef struct _EncodedBuffer2 {
int encoding;
char data[512];
} EncodedBuffer2;
typedef struct _MyData1 {
int size;
int data_type;
union {
bool bool_balue;
int int_value;
double double_value;
char string1[1];
};
/* something else */
union {
struct {
EncodedBuffer1 x_buf1;
EncodedBuffer2 x_buf2;
};
struct {
EncodedBuffer2 y_buf1;
EncodedBuffer1 y_buf2;
};
};
} MyData1;
int main(int argc,char *argv[])
{
MyData1 d1;
memset(&d1,sizeof(d1));
d1.size = sizeof(d1);
strcpy(d1.string1,argv[1]);
return 0;
}
gcc -O2 -v
Using built-in specs.
COLLECT_GCC=gcc-4.8
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.8/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 4.8.5-4ubuntu2' --with-bugurl=file:///usr/share/doc/gcc-4.8/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.8 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.8 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-libmudflap --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.8-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.8-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.8.5 (Ubuntu 4.8.5-4ubuntu2)
COLLECT_GCC_OPTIONS='-O2' '-v' '-mtune=generic' '-march=x86-64'
/usr/lib/gcc/x86_64-linux-gnu/4.8/cc1plus -quiet -v -imultiarch x86_64-linux-gnu -D_GNU_SOURCE 2.cpp -quiet -dumpbase 2.cpp -mtune=generic -march=x86-64 -auxbase 2 -O2 -version -fstack-protector -Wformat -Wformat-security -o /tmp/cc7vXPnz.s
GNU C++ (Ubuntu 4.8.5-4ubuntu2) version 4.8.5 (x86_64-linux-gnu)
compiled by GNU C version 4.8.5,GMP version 6.1.0,MPFR version 3.1.3-p5,MPC version 1.0.3
warning: MPFR header version 3.1.3-p5 differs from library version 3.1.4.
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
ignoring duplicate directory "/usr/include/x86_64-linux-gnu/c++/4.8"
ignoring nonexistent directory "/usr/local/include/x86_64-linux-gnu"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../x86_64-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
/usr/include/c++/4.8
/usr/include/x86_64-linux-gnu/c++/4.8
/usr/include/c++/4.8/backward
/usr/lib/gcc/x86_64-linux-gnu/4.8/include
/usr/local/include
/usr/lib/gcc/x86_64-linux-gnu/4.8/include-fixed
/usr/include/x86_64-linux-gnu
/usr/include
End of search list.
GNU C++ (Ubuntu 4.8.5-4ubuntu2) version 4.8.5 (x86_64-linux-gnu)
compiled by GNU C version 4.8.5,MPC version 1.0.3
warning: MPFR header version 3.1.3-p5 differs from library version 3.1.4.
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: f5d21a1dc5d9b70befc71d2006b2e7c5
COLLECT_GCC_OPTIONS='-O2' '-v' '-mtune=generic' '-march=x86-64'
as -v --64 -o /tmp/ccpgLPzV.o /tmp/cc7vXPnz.s
GNU assembler version 2.26.1 (x86_64-linux-gnu) using BFD version (GNU Binutils for Ubuntu) 2.26.1
COMPILER_PATH=/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/:/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/
LIBRARY_PATH=/usr/lib/gcc/x86_64-linux-gnu/4.8/:/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/:/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib/:/lib/x86_64-linux-gnu/:/lib/../lib/:/usr/lib/x86_64-linux-gnu/:/usr/lib/../lib/:/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-O2' '-v' '-mtune=generic' '-march=x86-64'
/usr/lib/gcc/x86_64-linux-gnu/4.8/collect2 --sysroot=/ --build-id --eh-frame-hdr -m elf_x86_64 --hash-style=gnu --as-needed -dynamic-linker /lib64/ld-linux-x86-64.so.2 -z relro /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crt1.o /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crti.o /usr/lib/gcc/x86_64-linux-gnu/4.8/crtbegin.o -L/usr/lib/gcc/x86_64-linux-gnu/4.8 -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../../lib -L/lib/x86_64-linux-gnu -L/lib/../lib -L/usr/lib/x86_64-linux-gnu -L/usr/lib/../lib -L/usr/lib/gcc/x86_64-linux-gnu/4.8/../../.. /tmp/ccpgLPzV.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/lib/gcc/x86_64-linux-gnu/4.8/crtend.o /usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/crtn.o
解决方法
Gcc 不太聪明 - 它完全按照你告诉他的去做,你的代码使用缓冲区溢出作为一个特性。
当您编写示例时
struct MyData {
int len;
char data[1];
};
MyData *d1 = malloc(1024);
strcpy(d1->data,a_string);
gcc 看到一个 strcpy 被调用,它的目标是大小为 1 的缓冲区 - 因为这是您在字段声明 char data[1]; 中告诉编译器的内容。 gcc 正像它应该的那样聪明。
声明 MyData 的正确方法是使用 zero sized array
struct MyData {
int len;
char data[0];
};
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
