Re: Parameter Overflow Attack?

From: Walter Roberson (roberson@ibd.nrc.ca)
Date: 11/29/02

    From: roberson@ibd.nrc.ca (Walter Roberson)
    Date: 29 Nov 2002 03:38:03 GMT


    In article <as5plf$rg3$1@canopus.cc.umanitoba.ca>,
    Walter Roberson <roberson@ibd.nrc.ca> wrote:
    :I would also point out to you that if you look at <varargs.h>
    :or <stdarg.h> then the code for va_arg(), which {deliberately}
    :has the side-effect of leaving you ready for the next parameter,
    :does the adjustment by *adding* the parameter size to the previous
    :pointer. This only works if the calling convention is that the
    :arguments are arranged into increasing memory -- which would
    :imply pushing in normal order if "pushing onto the stack" increases
    :the stack pointer, and pushing in reverse order if "pushing onto the
    :stack" decreases the stack pointer. See the code at
    :http://nemesis.sourceforge.net/browse/h/ix86/stdarg.h.html

    http://www.leto.net/mail/linuxasm/2000/msg00818.html
    has a description of the gcc calling convention for Intel machines.
    It does use left-to-right ordering, the stack growing downwards;
    it -also- uses frame pointers.

    http://www.home.ix.netcom.com/~stonybrk/env/index575.htm
    indicates the calling conventions for a number of different architectures.
    Of the ones it shows, only Windows 16-bit IA-32 ABI is
    left-to-right; the 32-bit ABI is right-to-left.

    It appears on closer examination that IRIX grows its stack downwards.
    I had difficulty finding an explicit statement of this; it can
    be deduced from the code example at
    http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=0650&db=bks&srch=n64&fname=/SGI_Developer/Mpro_n32_ABI/sgi_html/ch04.html.uk

    This would in fact be consistent with the "standard C calling convention"
    that I had objected to: at the time I objected, I was considering stacks
    to grow upwards. The MIPS architecture does not have explicit stack
    operations such as push and pop, so the stack direction could have gone
    either way; either way, the arguments end up in increasing-memory order.

    --
       *We* are now the times.                  -- Wim Wenders (WoD)
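As an added example (not part of the post above), the two points Walter makes can be checked empirically on a GCC/Clang toolchain: a callee's local lands below the caller's when the stack grows downward, and va_arg() hands back the variadic arguments strictly left to right, which is why a variadic reader must be bounded by an explicit count. The `noinline` attribute and the helper names are this example's own assumptions.

```c
#include <stdarg.h>
#include <stdint.h>

/* Probe the stack growth direction: with a downward-growing stack the
 * callee's local sits at a lower address than the caller's. noinline
 * (GCC/Clang attribute, assumed available) keeps the two frames distinct. */
__attribute__((noinline))
static int callee_below_caller(uintptr_t caller_local)
{
    volatile char callee_local = 0;
    return (uintptr_t)&callee_local < caller_local;
}

int stack_grows_down(void)
{
    volatile char caller_local = 0;
    return callee_below_caller((uintptr_t)&caller_local);
}

/* Bounded variadic reader: each va_arg() advances to the next parameter,
 * so the arguments come back in left-to-right order. The explicit count
 * is what stops va_arg() from stepping past what the caller supplied. */
int sum_ints(int count, ...)
{
    va_list ap;
    int total = 0;
    va_start(ap, count);
    for (int i = 0; i < count; i++)
        total += va_arg(ap, int);
    va_end(ap);
    return total;
}

/* Return the n-th (0-based) variadic int, or -1 when n is out of range,
 * so the reader never walks beyond the supplied arguments. */
int nth_int(int count, int n, ...)
{
    va_list ap;
    int value = -1;
    if (n < 0 || n >= count)
        return -1;
    va_start(ap, n);
    for (int i = 0; i <= n; i++)
        value = va_arg(ap, int);
    va_end(ap);
    return value;
}
```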
    