Bugtraq mailing list archives
Re: Smashing the stack
From: sommerfeld () apollo hp com (Bill Sommerfeld)
Date: Tue, 21 Jan 1997 10:50:59 -0500
> Some architectures grow the stack "upwards" in memory instead of "downwards"; this means that buffer overrun doesn't overwrite existing stack frames at all.
This doesn't follow at all. The buffer which is overrun could have
been allocated within a separate frame from the frame which actually
"commits" the overrun.
e.g.,
#include <stdio.h>

void foo(void)
{
    char buf[10];
    gets(buf);   /* unbounded read: the overrun itself happens inside gets() */
}
The actual overrun occurs in gets(), which writes to memory which is
"below" the stack location of gets's frame, so (in the case of a
hypothetical machine with an upward-growing stack) the flow of control
is derailed on return from gets(), not return from foo()...
- Bill
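An added example (not from Bill's post) that makes the argument above measurable: it probes which way the stack grows on the machine it runs on, reports from that which frame a gets()-style overrun of foo's buf would reach first, and shows the bounded read that removes the problem either way. The probe helpers and the "derailed first" function are assumptions of this example, not something the post defines, and the probe relies on GCC/Clang's noinline attribute.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), handy when testing */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical probe (not from the post): returns 1 if a local in this
 * callee sits at a lower address than the caller's local, i.e. the stack
 * grows downwards (x86, most ARM); 0 if it grows upwards (e.g. PA-RISC). */
__attribute__((noinline))
static int callee_local_is_below(uintptr_t caller_local) {
    volatile char probe = 0;   /* volatile: keep it in this frame */
    return (uintptr_t)&probe < caller_local;
}

int stack_grows_down(void) {
    volatile char anchor = 0;
    return callee_local_is_below((uintptr_t)&anchor);
}

/* Bill's point made concrete: an overrun of foo's buf writes toward higher
 * addresses.  If gets()'s frame sits above buf (upward-growing stack) the
 * excess lands in gets()'s frame and control is lost when gets() returns;
 * on a downward-growing stack gets()'s frame is below buf, so the excess
 * runs through foo's own frame and foo's return is the one derailed. */
const char *frame_derailed_first(void) {
    return stack_grows_down() ? "foo" : "gets";
}

/* The fix is the same whichever way the stack grows: bound the write to
 * the buffer.  Returns the number of bytes stored, or -1 on EOF/error. */
int read_line_bounded(char *buf, size_t size, FILE *in) {
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';   /* drop the newline fgets keeps */
    return (int)strlen(buf);
}

int main(void) {
    char buf[10];
    printf("stack grows %s; a gets() overrun of foo's buf derails %s()'s return\n",
           stack_grows_down() ? "down" : "up", frame_derailed_first());
    if (read_line_bounded(buf, sizeof buf, stdin) >= 0)
        printf("read at most %zu bytes: \"%s\"\n", sizeof buf - 1, buf);
    return 0;
}
```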