On Fri, Dec 27, 2002 at 02:14:33AM +0200, Selcuk Goren wrote:
> Hello list,
> There is a serious bug which causes my mud to crash and I cannot hunt it down. I
> am really desperate about this. The only message I get when I debug the core
> file is:
>
> Program terminated with signal 11, Segmentation fault.
> Cannot access memory at address 0x40013730
> #0 0x2073746e in ?? ()
> (gdb) bt
> #0 0x2073746e in ?? ()
> Cannot access memory at address 0x69616c70
You know, if you pretended that 32-bit address was a series of 4
characters, you'd have 'play'.
This is what you get when you stomp on your stack.
> Normally, I could see which part of the code has a problem in the past. This
> one is trackless.
> Do you know possible causes of such a crash?
Yes, the long explanation is below:
Suppose you have the following code:
#include <string.h>

void foo()
{
    char bar[3]; /* okay, I'm lazy and don't want to type a long string */
    strcpy(bar, "go play my game"); /* 16 bytes (with the NUL) into a 3-byte buffer */
    return;
}

int main(int argc, char **argv)
{
    foo();
    return 0;
}
What happens when you run it? You guessed it:
[thorin:~] 9:28:27am 108 % gcc t.c
[thorin:~] 9:28:30am 109 % ./a.out
Segmentation fault (core dumped)
And look at what gdb says:
#0 0x6720796d in ?? ()
(gdb) bt
#0 0x6720796d in ?? ()
Cannot access memory at address 0x2079616c
(gdb)
Look familiar?
This is because bar[] is an automatic variable, allocated on the stack.
The same stack that is used for return addresses. When foo() is
called, the address of the "return 0;" in main is pushed on the stack so
the processor knows where to go when done running foo().
foo() then moves the stack pointer a bit to make room for bar[] and
any other things it needs....
But... writing too many characters to bar[] will write to the stacked
entry for the return address, meaning that instead of returning to
wherever in memory the 'return 0;' is, we try to return to some bizarre
value that you get when you pretend a piece of a string is an address.
So, where is your bug?
Somewhere, you have an automatic string that you overflowed and smashed
the stack with. The word 'play' was in that string, which may or may
not be helpful.
For more details see http://www.insecure.org/stf/smashstack.txt
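Added example (not from the original post or its author): the trick of reading the faulting address as four characters, turned into a small C tool, beside a bounded copy that keeps foo() from writing past bar[]. It assumes a little-endian machine such as x86, where the low byte of the address is the first character of the string fragment; decode_addr_as_text(), looks_like_text(), safe_copy() and foo_fixed() are names chosen here, not anything from the thread. The sample values are the addresses quoted in the two gdb sessions above.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

/* Decode a 32-bit value from a crash report (the PC in "#0 0x2073746e in ?? ()")
 * into the four bytes it occupies in memory on a little-endian machine such as
 * x86, low byte first (assumption: little-endian target). If the result is
 * readable text, the saved return address was overwritten by a string, i.e. the
 * stack was smashed. Non-printable bytes are shown as '.'. */
char *decode_addr_as_text(uint32_t addr, char out[5])
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i));
        out[i] = (b >= 0x20 && b < 0x7f) ? (char)b : '.';
    }
    out[4] = '\0';
    return out;
}

/* 1 if all four bytes of addr are printable ASCII, 0 otherwise. A genuine code
 * address such as 0x40013730 fails this; one built from string bytes passes. */
int looks_like_text(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i));
        if (b < 0x20 || b >= 0x7f)
            return 0;
    }
    return 1;
}

/* Convenience check: does addr decode to exactly the expected 4-char string? */
int addr_decodes_to(uint32_t addr, const char *expected)
{
    char text[5];
    return strcmp(decode_addr_as_text(addr, text), expected) == 0;
}

/* Bounded replacement for the strcpy() in foo(): writes at most dst_size bytes
 * including the terminator. Returns 0 on success and -1 if src did not fit, so
 * the caller sees the oversized input as an error instead of silently
 * overwriting the return address. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0)
        return -1;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* foo() from the post with the copy bounded by sizeof bar: it can no longer
 * write past the array, however long the input is. */
int foo_fixed(const char *input)
{
    char bar[3];
    return safe_copy(bar, sizeof bar, input);
}

int main(void)
{
    /* Addresses quoted in the two gdb sessions above. */
    uint32_t samples[] = { 0x2073746eu, 0x69616c70u, 0x6720796du, 0x2079616cu, 0x40013730u };
    char text[5];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08" PRIx32 " -> \"%s\"%s\n", samples[i],
               decode_addr_as_text(samples[i], text),
               looks_like_text(samples[i]) ? "  <- string bytes: stack smashed?" : "");

    printf("foo_fixed(\"go play my game\") = %d\n", foo_fixed("go play my game"));
    printf("foo_fixed(\"go\") = %d\n", foo_fixed("go"));
    return 0;
}
```

Run on the reply's own crash, 0x6720796d decodes to "my g" and 0x2079616c to "lay ", which are adjacent pieces of "go play my game", while 0x40013730 contains a non-printable byte and is reported as a real address. On a big-endian box the bytes come out in the opposite order, so read them backwards there.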