Andrew login ID:
Full Name:
Recitation Section:

CS 15-213/18-243, Fall 2009
Exam 2
Thursday, October 29th, 2009

Instructions:
• Make sure that your exam is not missing any sheets, then write your full name, Andrew login ID, and recitation section (A–J) on the front.
• Do not write any part of your answers outside of the space given below each question. Write clearly and at a reasonable size. If we have trouble reading your handwriting you will receive no credit on that problem.
• The exam has a maximum score of XXX points.
• The problems are of varying difficulty. The point value of each problem is indicated. Pile up the easy points quickly and then come back to the harder problems.
• This exam is OPEN BOOK. You may use any books or notes you like. No calculators or other electronic devices are allowed.
• Good luck!

1 (21):
2 (4):
3 (15):
4 (16):
5 (12):
6 (16):
TOTAL (84):

Problem 1. (21 points):

1. What is the most likely immediate result of executing the following code:

    int foo[10];
    int *p = (int *) malloc(4*sizeof(int));
    p = p - 1;
    *p = foo[0];

(a) Initialize the first array element to 4
(b) Segmentation fault
(c) Reset the pointer p to point to the array named foo
(d) Corruption of malloc header information

2. What is the maximum number of page faults per second that can be serviced in a system that has a disk with an average access time of 10ms?
(a) 10
(b) 100
(c) 50
(d) Depends on the percentage of memory accesses that are page faults

3. Why does Count Dracula not have to worry about his program's memory addresses overlapping those of other processes run on the same system?
(a) Each process has its own page table
(b) The linker carefully lays out address spaces to avoid overlap
(c) The loader carefully lays out address spaces to avoid overlap
(d) He does need to worry

4. Dr. Frankenstein has a disk that rotates at 7,200 RPM (8ms per full revolution), has an average seek time of 5ms, and has 1000 sectors per track.
How long (approximately) does the average 1-sector access take?
(a) Not enough information to determine the answer
(b) 13ms
(c) 9ms
(d) 10.5ms

5. How many times does exec() return?
(a) 0
(b) 1
(c) 2
(d) 0 or 1, depending on whether or not an error occurs

6. Which of the following is not a default action for any signal type?
(a) The process terminates.
(b) The process reaps the zombies in the waitlist.
(c) The process stops until restarted by a SIGCONT signal.
(d) The process ignores the signal.
(e) The process terminates and dumps core.

7. Imagine a process (called "process A") that calls fork() three times. If all three child processes terminate before process A is picked by the kernel to be run again, how many times could process A receive SIGCHLD?
(a) 0
(b) 1
(c) 3
(d) 1 or 3
(e) Not enough information to determine

Problem 2. (4 points):

1. Consider the following program compiled for x86-64:

    #include <stdio.h>
    #include <malloc.h>

    int main()
    {
        int a = 0;
        int *b = malloc(sizeof(int));
        if ((&a) > b) {
            printf("Trick!\n");
        } else {
            printf("Treat!\n");
        }
        return 0;
    }

What does this program print out and why? (You can assume that the malloc() call does not fail)

Problem 3. (15 points):

You are provided with several files, each of which contains a simple text string without any whitespace or special characters. The list of files with their respective contents is given below:

    one.txt     abc
    two.txt     nidoking
    three.txt   conflageration

You are also presented with the main() function of three small programs (header includes omitted), each of which uses simple and familiar functions that perform file i/o operations. For each program, determine what will be printed on stdout based on the code and the contents of the file. Assume that calls to open() succeed, and that each program is run from the directory containing the above files.
(The program execution order does not matter; the programs are independent.)

Program 1:

    void main() {
        char c0 = 'x', c1 = 'y', c2 = 'z';
        int r, r2 = open("one.txt", O_RDONLY);
        read(r2, &c0, 1);
        r = dup(r2);
        read(r2, &c1, 1);
        close(r2);
        read(r, &c2, 1);
        printf("%c%c%c", c0, c1, c2);
    }

output to stdout from Program 1:

Program 2:

    void main() {
        char c0 = 'x', c1 = 'y', c2 = 'z';
        char scrap[4];
        int pid, r, r2 = open("two.txt", O_RDONLY);
        r = dup(r2);
        if (!(pid = fork())) {
            read(r, &c0, 1);
            close(r2);
            r2 = open("two.txt", O_RDONLY);
            read(r2, &scrap, 4);
        } else {
            waitpid(pid, NULL, 0);
            read(r, &c1, 1);
            read(r2, &c2, 1);
        }
        printf("%c%c%c", c0, c1, c2);
    }

output to stdout from Program 2:

Program 3:

    void main() {
        char c[3] = {'x', 'y', 'z'};
        int r, r2, r3;
        r = open("three.txt", O_RDONLY);
        r2 = open("three.txt", O_RDWR);
        dup2(1, r3);
        dup2(r2, 1);
        read(r, &c[0], 1);
        printf("elephant");
        fflush(stdout);
        read(r, &c[1], 1);
        read(r2, &c[2], 1);
        write(r3, &c[0], 3);
        printf("%c%c%c", c[0], c[1], c[2]);
    }

output to stdout from Program 3:

Problem 4. (16 points):

Your evil TA Punter Hitelka has redesigned the fish machines to make buflab impossible! Normally, on x86 systems, a program's stack grows down, to lower memory addresses, making a called function have a lower stack address than the calling function.
The new fish machines have stack frames that grow up; this means that a called function has a higher stack address than the calling function.

For example, under stack-down convention, having main() call foo() would create:

    0x0f0 +---------------+
          | main's stack  |
          |     frame     |
    0x0e0 +---------------+
          | foo's stack   |
          |     frame     |    | Stack Growing Down |
    0x0d0 +---------------+    V                    V

Under the new stack-up convention, having main() call foo() would create:

    0x110 +---------------+
          | foo's stack   |    ^                  ^
          |     frame     |    | Stack Growing Up |
    0x100 +---------------+
          | main's stack  |
          |     frame     |
    0x0f0 +---------------+

This means that a push instruction would increment %esp, and a pop instruction would decrement %esp.

Buflab now contains the following function, which Punter claims to be un-exploitable:

    int exploitMe()
    {
        char password[100];
        /* prompt the user for the password */
        printf("what is the password?\n");
        /* read it in */
        gets(password);
        printf("You shall not pass!\n");
        return false;
    }

1. First, let's go back to the old model of the stack growing down. Please draw a stack diagram from the perspective of the gets() function. Assume that main() calls exploitMe.

    +-------------------------------------+
    |          Ret Addr to Main           |
    +-------------------------------------+
    |                                     |    | Stack Growing Down! |
    |                                     |    V
    |                                     |
    |                                     |

2. Describe a buffer overflow exploit you could use to make exploitMe return true if the stack grew down. You do not need to write