Machine-Level Programming III: Procedures
February 6, 2001

Topics
• IA32 stack discipline
• Register saving conventions
• Creating pointers to local variables
• Stack buffer overflow exploits
  – finger
  – AIM (AOL Instant Messenger)

class07.ppt
15-213 “The course that gives CMU its Zip!”
CS 213 S’01

IA32 Stack
• Region of memory managed with stack discipline
• Register %esp indicates lowest allocated position in stack
  – i.e., address of top element
Pushing
• pushl Src
  • Fetch operand at Src
  • Decrement %esp by 4
  • Write operand at address given by %esp
Popping
• popl Dest
  • Read operand at address given by %esp
  • Increment %esp by 4
  • Write to Dest
[Figure: stack diagram. The stack pointer %esp marks the stack “top”; the stack grows down, toward lower addresses, and the stack “bottom” lies at increasing addresses.]

Stack Operation Examples
[Figure: three stack snapshots. Initially the stack holds 123 at 0x110, 213 at 0x10c and 555 at 0x108, with %esp = 0x108, %eax = 213, %edx = 123. After pushl %eax: 213 is written at 0x104 and %esp = 0x104. After popl %edx: %edx = 213 and %esp = 0x108.]

Procedure Control Flow
Use stack to support procedure call and return
Procedure call: call label
• Push return address on stack; Jump to label
Return address value
• Address of instruction beyond call
• Example from disassembly
    804854e: e8 3d 06 00 00    call 8048b90 <main>
    8048553: 50                pushl %eax
  – Return address = 0x8048553
Procedure return: ret
• Pop address from stack; Jump to address

Procedure Call / Return Example
    804854e: e8 3d 06 00 00    call 8048b90 <main>
    8048553: 50                pushl %eax
[Figure: three snapshots. Before the call: 123 at 0x110, %esp = 0x108, %eip = 0x804854e. After call 8048b90: 0x8048553 is pushed at 0x104, %esp = 0x104, %eip = 0x8048b90. After ret: %esp = 0x108, %eip = 0x8048553.]
%eip is program counter

Stack-Based Languages
Languages that Support Recursion
• e.g., C, Pascal, Java
• Code must be “Reentrant”
  – Multiple simultaneous instantiations of single procedure
• Need some place to store state of each instantiation
  – Arguments
  – Local variables
  – Return pointer
Stack Discipline
• State for given procedure needed for limited time
  – From when called to when return
• Callee returns before caller does
Stack Allocated in Frames
• state for single procedure instantiation

Call Chain Example
Code Structure
    yoo(…)
    {
      •••
      who();
      •••
    }
    who(…)
    {
      •••
      amI();
      •••
    }
    amI(…)
    {
      •••
      amI();
      •••
    }
Call Chain
    yoo → who → amI → amI → amI
• Procedure amI recursive

IA32 Stack Structure
Stack Growth
• Toward lower addresses
Stack Pointer
• Address of next available location in stack
• Use register %esp
Frame Pointer
• Start of current stack frame
• Use register %ebp
[Figure: frames for yoo, who, amI, amI, amI laid out toward lower addresses; the frame pointer %ebp marks the start of the current frame and the stack pointer %esp the stack “top”.]

IA32/Linux Stack Frame
Callee Stack Frame (“Top” to Bottom)
• Parameters for called functions
• Local variables
  – If can’t keep in registers
• Saved register context
• Old frame pointer
Caller Stack Frame
• Return address
  – Pushed by call instruction
• Arguments for this call
[Figure: frame layout from higher to lower addresses. Caller Frame: Arguments, Return Addr. Callee frame: Old %ebp (Frame Pointer %ebp), Saved Registers, Local Variables, Argument Build (Stack Pointer %esp).]

Revisiting swap
    void swap(int *xp, int *yp)
    {
      int t0 = *xp;
      int t1 = *yp;
      *xp = t1;
      *yp = t0;
    }

    int zip1 = 15213;
    int zip2 = 91125;

    void call_swap()
    {
      swap(&zip1, &zip2);
    }

    call_swap:
      •••
      pushl $zip2
      pushl $zip1
      call swap
      •••
Resulting Stack
    •••
    &zip2
    &zip1
    Rtn adr   ← %esp

Revisiting swap
    void swap(int *xp, int *yp)
    {
      int t0 = *xp;
      int t1 = *yp;
      *xp = t1;
      *yp = t0;
    }

    swap:
      pushl %ebp              # Setup
      movl %esp,%ebp
      pushl %ebx

      movl 12(%ebp),%ecx      # Body
      movl 8(%ebp),%edx
      movl (%ecx),%eax
      movl (%edx),%ebx
      movl %eax,(%edx)
      movl %ebx,(%ecx)

      movl -4(%ebp),%ebx      # Finish
      movl %ebp,%esp
      popl %ebp
      ret

swap Setup
    swap:
      pushl %ebp
      movl %esp,%ebp
      pushl %ebx
Entering Stack
    •••
    &zip2
    &zip1
    Rtn adr   ← %esp
Resulting Stack (offset from %ebp)
    •••
    12   yp
     8   xp
     4   Rtn adr
     0   Old %ebp   ← %ebp
    -4   Old %ebx   ← %esp

swap Finish
      movl -4(%ebp),%ebx
      movl %ebp,%esp
      popl %ebp
      ret
swap’s Stack (offset from %ebp)
    •••
    12   yp
     8   xp
     4   Rtn adr
     0   Old %ebp   ← %ebp
    -4   Old %ebx   ← %esp
Exiting Stack
    •••
    &zip2
    &zip1     ← %esp
    (%ebp restored to caller’s frame)
Observation
• Saved & restored register %ebx
• Didn’t do so for %eax, %ecx, or %edx
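The call/ret slide and the swap Setup/Finish slides above describe the same stack discipline; the following C model, added here and not part of the lecture, replays exactly those instruction sequences on a small simulated IA32 stack so the frame offsets (12(%ebp) = yp, 8(%ebp) = xp, 4(%ebp) = return address, -4(%ebp) = old %ebx) can be checked by reading memory. The initial %esp/%ebp values, the old %ebx value 0xb and the addresses passed for &zip1/&zip2 are constructed; the call encoding length (5 bytes) and addresses 0x804854e, 0x8048553 and 0x8048b90 come from the slide's disassembly.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of an IA32 stack occupying 0x100..0x1ff, with the
 * registers the slides use. Only pushl/popl/call/ret are modelled. */
#define STACK_LO 0x100u
#define STACK_HI 0x200u
typedef struct { uint8_t mem[STACK_HI - STACK_LO]; uint32_t esp, ebp, eip; } Cpu;

static void store32(Cpu *c, uint32_t a, uint32_t v) {
    assert(a >= STACK_LO && a + 4 <= STACK_HI);       /* stack bounds check */
    memcpy(c->mem + (a - STACK_LO), &v, 4);           /* little-endian host assumed */
}
static uint32_t load32(const Cpu *c, uint32_t a) {
    uint32_t v;
    assert(a >= STACK_LO && a + 4 <= STACK_HI);
    memcpy(&v, c->mem + (a - STACK_LO), 4);
    return v;
}
/* pushl Src: decrement %esp by 4, then write the operand at (%esp). */
static void pushl(Cpu *c, uint32_t v) { c->esp -= 4; store32(c, c->esp, v); }
/* popl Dest: read the operand at (%esp), then increment %esp by 4. */
static uint32_t popl(Cpu *c) { uint32_t v = load32(c, c->esp); c->esp += 4; return v; }
/* call label: push the address of the instruction after the call, then jump. */
static void call(Cpu *c, uint32_t insn_len, uint32_t label) { pushl(c, c->eip + insn_len); c->eip = label; }
/* ret: pop the return address into %eip. */
static void ret(Cpu *c) { c->eip = popl(c); }

/* call_swap's argument pushes, the call, and swap's Setup; returns the new %ebp. */
static uint32_t swap_setup(Cpu *c, uint32_t zip1_addr, uint32_t zip2_addr) {
    memset(c, 0, sizeof *c);
    c->esp = 0x1f0; c->ebp = 0x1f8; c->eip = 0x804854e;  /* constructed start state */
    pushl(c, zip2_addr);            /* pushl $zip2 */
    pushl(c, zip1_addr);            /* pushl $zip1 */
    call(c, 5, 0x8048b90);          /* call swap: 5-byte encoding, as in the disassembly */
    pushl(c, c->ebp);               /* swap:  pushl %ebp */
    c->ebp = c->esp;                /*        movl %esp,%ebp */
    pushl(c, 0xb);                  /*        pushl %ebx  (0xb: constructed old %ebx) */
    return c->ebp;
}
/* swap's Finish: restore %ebx, discard the frame, pop old %ebp, return.
 * Returns the restored %ebx; afterwards %eip holds the return address. */
static uint32_t swap_finish(Cpu *c) {
    uint32_t ebx = load32(c, c->ebp - 4);  /* movl -4(%ebp),%ebx */
    c->esp = c->ebp;                       /* movl %ebp,%esp */
    c->ebp = popl(c);                      /* popl %ebp */
    ret(c);                                /* ret */
    return ebx;
}
```

After swap_finish the arguments &zip1 and &zip2 are still on the stack at (%esp) and 4(%esp), matching the "Exiting Stack" picture: the caller, not swap, pops them.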
Register Saving Conventions
When procedure yoo calls who:
• yoo is the caller, who is the callee
Can Register be Used for Temporary Storage?
    yoo:                        who:
      •••                         •••
      movl $15213, %edx           movl 8(%ebp), %edx
      call who                    addl $91125, %edx
      addl %edx, %eax             •••
      •••                         ret
      ret
• Contents of register %edx overwritten by who
Conventions
• “Caller Save”
  – Caller saves temporary in its frame before calling
• “Callee Save”
  – Callee saves temporary in its frame before using

IA32/Linux Register Usage
• Surmised by looking at code examples
Integer Registers
• Two have special uses
  %ebp, %esp
• Three managed as callee-save
  %ebx, %esi, %edi
  – Old values saved on stack prior to using
• Three managed as caller-save
  %eax, %edx, %ecx
  – Do what you please, but expect any callee to do so, as well
• Register %eax also stores returned value
[Figure: register table. Caller-Save Temporaries: %eax, %edx, %ecx. Callee-Save Temporaries: %ebx, %esi, %edi. Special: %esp, %ebp.]

Recursive Factorial
    int rfact(int x)
    {
      int rval;
      if (x <= 1)
        return 1;
      rval = rfact(x-1);
      return rval * x;
    }

        .globl rfact
        .type rfact,@function
    rfact:
        pushl %ebp
        movl %esp,%ebp
        pushl %ebx
        movl 8(%ebp),%ebx
        cmpl $1,%ebx
        jle .L78
        leal -1(%ebx),%eax
        pushl %eax
        call rfact
        imull %ebx,%eax
        jmp .L79
        .align 4
    .L78:
        movl $1,%eax
    .L79:
        movl -4(%ebp),%ebx
        movl %ebp,%esp
        popl %ebp
        ret
Complete Assembly
• Assembler directives
  – Lines beginning with “.”
  – Not of concern to us
• Labels
  – .Lxx
• Actual instructions

Rfact Stack Setup
    rfact:
      pushl %ebp
      movl %esp,%ebp
      pushl %ebx
Entering Stack (Caller)
    x
    Rtn adr   ← %esp
Resulting stack (offset from %ebp)
     8   x          (Caller)
     4   Rtn adr    (Caller)
     0   Old %ebp   ← %ebp  (Callee)
    -4   Old %ebx   ← %esp  (Callee)

Rfact Body
Registers
• %ebx  Stored value of x
• %eax
  – Temporary value of x-1
  – Returned value from rfact(x-1)
  – Returned value from this call
    movl 8(%ebp),%ebx      # ebx = x
    cmpl $1,%ebx           # Compare x : 1
    jle .L78               # If <= goto Term
    leal -1(%ebx),%eax     # eax = x-1
    pushl %eax             # Push x-1
    call rfact             # rfact(x-1)
    imull %ebx,%eax        # rval * x
    jmp .L79               # Goto done
    .L78:                  # Term:
    movl $1,%eax           # return val = 1
    .L79:                  # Done:
    int rfact(int x)
    {
      int rval;
      if (x <= 1)
        return 1;
      rval = rfact(x-1);
      return rval * x;
    }

Rfact Recursion
    pushl %eax
[Figure: stack with x, Rtn adr, Old %ebp ← %ebp, Old (figure cut off in source)]