Linux Debugging 7 - Stack and Heap

1. 进程空间布局

对于32位机器来说，kernel占用了0xC0000000以及更高的地址，代码装载到0x08048000，数据段和BSS在代码段上面，栈从0xBFFFFFFF开始往下，堆的位置不确定，共享对象在最下面。



可以查看进程的maps来看，下面是64位机器的例子，

/home/a/j/nomad2:cat /proc/16683/maps
00400000-004be000 r-xp 00000000 08:01 17694722                           /bin/bash
006bd000-006c7000 rw-p 000bd000 08:01 17694722                           /bin/bash
006c7000-00979000 rw-p 006c7000 00:00 0                                  [heap]
7f61e9968000-7f61eb968000 r--s 00000000 08:01 8323249                    /var/cache/nscd/passwd
7f61eb968000-7f61ebac0000 r-xp 00000000 08:01 17825953                   /lib/libc-2.7.so
7f61ebac0000-7f61ebcc0000 ---p 00158000 08:01 17825953                   /lib/libc-2.7.so
7f61ebcc0000-7f61ebcc3000 r--p 00158000 08:01 17825953                   /lib/libc-2.7.so
7f61ebcc3000-7f61ebcc5000 rw-p 0015b000 08:01 17825953                   /lib/libc-2.7.so
7f61ebcc5000-7f61ebcca000 rw-p 7f61ebcc5000 00:00 0
7f61ebcca000-7f61ebccc000 r-xp 00000000 08:01 17825970                   /lib/libdl-2.7.so
7f61ebccc000-7f61ebecc000 ---p 00002000 08:01 17825970                   /lib/libdl-2.7.so
7f61ebecc000-7f61ebece000 rw-p 00002000 08:01 17825970                   /lib/libdl-2.7.so
7f61ebece000-7f61ebf05000 r-xp 00000000 08:01 17825802                   /lib/libncurses.so.5.6
7f61ebf05000-7f61ec104000 ---p 00037000 08:01 17825802                   /lib/libncurses.so.5.6
7f61ec104000-7f61ec109000 rw-p 00036000 08:01 17825802                   /lib/libncurses.so.5.6
7f61ec109000-7f61ec126000 r-xp 00000000 08:01 17825944                   /lib/ld-2.7.so
7f61ec316000-7f61ec318000 rw-p 7f61ec316000 00:00 0
7f61ec323000-7f61ec326000 rw-p 7f61ec323000 00:00 0
7f61ec326000-7f61ec328000 rw-p 0001d000 08:01 17825944                   /lib/ld-2.7.so
7ffff4312000-7ffff4327000 rw-p 7ffffffea000 00:00 0                      [stack]
7ffff43fe000-7ffff4400000 r-xp 7ffff43fe000 00:00 0                      [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

补充一个32位的例子，

查看当前bash进程的空间分布，

/home/a/j/nomad2:cat /proc/31626/maps
08048000-08124000 r-xp 00000000 08:01 1569873    /bin/bash
08124000-08125000 r--p 000db000 08:01 1569873    /bin/bash
08125000-0812a000 rw-p 000dc000 08:01 1569873    /bin/bash
0812a000-0812f000 rw-p 00000000 00:00 0
091ac000-09322000 rw-p 00000000 00:00 0          [heap]
b7393000-b739a000 r--s 00000000 08:01 656728     /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b739a000-b73cf000 r--s 00000000 08:06 523349     /var/cache/nscd/passwd
b73cf000-b7559000 r--p 00000000 08:01 659827     /usr/lib/locale/locale-archive
b7559000-b755a000 rw-p 00000000 00:00 0
b755a000-b76f9000 r-xp 00000000 08:01 1438995    /lib/i386-linux-gnu/libc-2.15.so
b76f9000-b76fb000 r--p 0019f000 08:01 1438995    /lib/i386-linux-gnu/libc-2.15.so
b76fb000-b76fc000 rw-p 001a1000 08:01 1438995    /lib/i386-linux-gnu/libc-2.15.so
b76fc000-b7700000 rw-p 00000000 00:00 0
b7700000-b7703000 r-xp 00000000 08:01 1439002    /lib/i386-linux-gnu/libdl-2.15.so
b7703000-b7704000 r--p 00002000 08:01 1439002    /lib/i386-linux-gnu/libdl-2.15.so
b7704000-b7705000 rw-p 00003000 08:01 1439002    /lib/i386-linux-gnu/libdl-2.15.so
b7705000-b7721000 r-xp 00000000 08:01 1439045    /lib/i386-linux-gnu/libtinfo.so.5.9
b7721000-b7723000 r--p 0001b000 08:01 1439045    /lib/i386-linux-gnu/libtinfo.so.5.9
b7723000-b7724000 rw-p 0001d000 08:01 1439045    /lib/i386-linux-gnu/libtinfo.so.5.9
b7728000-b772a000 rw-p 00000000 00:00 0
b772a000-b772b000 r-xp 00000000 00:00 0          [vdso]
b772b000-b774b000 r-xp 00000000 08:01 1438992    /lib/i386-linux-gnu/ld-2.15.so
b774b000-b774c000 r--p 0001f000 08:01 1438992    /lib/i386-linux-gnu/ld-2.15.so
b774c000-b774d000 rw-p 00020000 08:01 1438992    /lib/i386-linux-gnu/ld-2.15.so
bfdf7000-bfe18000 rw-p 00000000 00:00 0          [stack]

legend:

r-xp always indicates a text (executable, read-only) segment

rw-p is a data (writable, but not executable) segment

2. 栈

SP指向栈顶(低地址)，入栈操作会减小SP的值。

PUSH <==> movl %eax, %esp; addl %esp, 4

POP <==> subl $4, %esp; movl %eax, %esp

关于stack frame pointer (BP),前一个栈帧的BP保存在当前栈里；调用参数使用BP+...获取；局部变量使用BP-...获取

关于栈顶指针stack pointer (SP), BP is left unused; 调用参数和局部变量均使用SP-...获取

| |

| 调用参数 |

-------------

| |

| 返回地址 |

-------------

| | <== EBP

| OLD BP |

-------------

| |

| 局部变量 |

-------------

| 保存的寄 |

| 存器值 |

-------------

32位函数调用时，参数从右到左，依次入栈。

64位函数调用时，参数从左到右，存到寄存器，最多6个。

At the very beginning of the frame, the function usually stores the previous value of EBP, using a "PUSH EBP" instruction. Once it is saved, the current value of ESP may be used as the new frame pointer. The function can then set up its own space on the
stack, usually be a "SUB ESP, ..." instruction, that decrements the stack pointer by however many bytes the function needs for its automatic variables.

Surprisingly often it makes sense to omit the frame pointer and reference the frame values as offsets from the SP, rather than the BP. This is known as "Frame Pointer Omission"(FPO) or sometimes as "Frame Pointer Optimization". the main benefit from this
approach is that it releases BP from its assigned role as Frame Pointer, and makes it usable as another general purpose register. With only four general registers in the x86 architecture, this can be a significant improvement.

3. stack

问题：overflow，explosion

smash the stack => refer http://insecure.org/stf/smashstack.html
在一个函数里面，如果smash了栈，如果没有return，不会core；一旦return，会core。

4. heap

问题：overflow，double free，use after free(可能会被分配到别的地方了)，free unused

只有在free的时候才发现，因为heap已经坏了。

A Memory Allocator http://g.oswego.edu/dl/html/malloc.html
检测工具：

1) memwatch 参考 http://blog.csdn.net/lengxingfei/archive/2006/08/09/1040800.aspx
2) YAMD

3) GlibC __malloc_hook

5. 总结

1) 关于进程，有4个map文件对于调试很重要，分别是status, maps, fd(fdinfo), smaps.对于线程，还可以查看*task文件。

2) /proc/sys/kernel/randomize_va_space 文件内容如果为0，每次运行栈和堆的位置均不变；如果为1，堆的位置不变；如果为2，堆和栈的位置均变。不要用0，否则，一个被crack，所有的被crack。

3) 关于alloca, 不要返回分配的地址，不推荐使用。http://oss.org.cn/kernel-book/ccfaq/node121.html