


What Registers You Need To Allocate Space For The Stack

So in my last piece on buffer overflows and stack smashing, I didn't actually hash out why the return pointer's important. I'm going to try to fix that today.

First, let's pull up that image of a typical stack again:

[Image: the stack in a typical program]

Above, we have the stack in a typical program (again!). Original image by R. S. Shaw (own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1956587)

So what is this "return address" and why do I care?

Calling Conventions

Remember from the first piece that the stack is set up this way by convention; there's no reason to set the stack up this way other than somebody, at some point in time, decided this is how they wanted to do it. That's it. When whoever it was came up with this particular design (or convention, as we call it today), they knew they needed to do a couple of things.

First, they needed to store a couple of things. Second, they needed to store the arguments passed to a given function. We pass arguments to functions—it's what we do—and we need to store the information somewhere. All those nifty argument lists we're accustomed to, with various data types, are really just shoved into allocated stack memory as ones and zeros. Those exact ones and zeros are based on the data type, but at the end of the day, it's all just a mess of binary.

We also need to store local variables. And we need some way to return to the caller when we're finished—that's where the return address comes in. Keep in mind, it doesn't really matter that much where we store that return address. If I can allocate a buffer on the stack, I can overwrite that return pointer.

(Or, at least, a return pointer. I don't need to get control of the pointer associated with my current function; a pointer associated with the calling function is okay too.)

So why is this address important?

Read the Instructions!

Computers have a specific register that holds the address of the next instruction. On x86, this is the EIP register. This is how the processor keeps track of where it is and what it's doing. And programs can write and read that register via various assembly instructions. So what happens when you call a function? Well, you need to set up the stack, and then you branch out to the function's address. This is what really happens behind the scenes, and the compiler will take care of all this leftover junk for you. Basically, you reserve space for the parameters to a function—in this example, DrawLine(.)—and then you save the address you'll start executing from when the function is completed. Then you allocate stack space for local variables. In normal operation, you save the return address, execute the function, and return to the return address.

In a buffer overflow situation, though, you inject code into the local variable space on the stack and overwrite the return address with whatever address you want. That's right, you're the boss! Use whatever address you want to. Then, when the function completes, it'll start executing from wherever you've told it to.

In a classic buffer overflow exploit, we'll insert an address that points at the next word (or the word just after that), as we've been able to write our own code there. So now, we've told the processor to begin executing our injected code.
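As an added illustration (not code from the original DZone piece), here is a small C program that looks inside its own call frame and reports where the argument copy, the local buffer, the frame base, and the saved return address ended up. It relies on the GCC/Clang extensions __builtin_frame_address and __builtin_return_address (assumed available), and it places the unchecked copy pattern next to a bounded copy that refuses any input that would run past the buffer's end. The struct and function names are this example's own, and the inputs are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where the pieces of one call frame ended up, as observed at run time.
 * Field names are this example's own, not the article's. */
struct frame_report {
    uintptr_t arg_addr;    /* address of the parameter's copy in the frame */
    uintptr_t local_addr;  /* address of the local buffer */
    uintptr_t frame_addr;  /* this frame's base (saved frame pointer slot) */
    uintptr_t ret_addr;    /* the saved return address itself */
};

/* Look inside our own frame. __builtin_frame_address and
 * __builtin_return_address are GCC/Clang extensions (assumption: one of
 * those compilers is used). noinline keeps the frame real. */
__attribute__((noinline))
struct frame_report inspect_frame(int arg)
{
    volatile char buf[16];          /* the "local variable space" of the article */
    volatile int spilled = arg;     /* force the argument into memory */
    struct frame_report r;

    buf[0] = (char)arg;
    r.arg_addr   = (uintptr_t)&spilled;
    r.local_addr = (uintptr_t)buf;
    r.frame_addr = (uintptr_t)__builtin_frame_address(0);
    r.ret_addr   = (uintptr_t)__builtin_return_address(0);
    return r;
}

/* Bytes between the start of the local buffer and the frame base. On x86
 * with a frame pointer, the saved return address lies just above that base,
 * so this is roughly how far a write past the buffer's end has to run before
 * it reaches the return address. */
long buffer_to_frame_distance(void)
{
    struct frame_report r = inspect_frame(7);
    return (long)(r.frame_addr - r.local_addr);
}

/* The unsafe pattern: no length check, so a src longer than dst runs into
 * whatever sits above the buffer (saved frame pointer, return address). */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened counterpart: refuse input that would not fit, including its
 * terminating NUL. Returns 0 on success, -1 if it would have overflowed. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Try the bounded copy into a 16-byte stack buffer, the same size as the
 * one in inspect_frame(). */
int bounded_copy_demo(const char *input)
{
    char local[16];
    return copy_bounded(local, sizeof local, input);
}

int main(void)
{
    struct frame_report r = inspect_frame(7);
    printf("argument copy   at %#lx\n", (unsigned long)r.arg_addr);
    printf("local buffer    at %#lx\n", (unsigned long)r.local_addr);
    printf("frame base      at %#lx\n", (unsigned long)r.frame_addr);
    printf("return address  = %#lx\n", (unsigned long)r.ret_addr);
    printf("buffer -> frame base: %ld bytes\n", buffer_to_frame_distance());

    /* Constructed inputs: one fits in 16 bytes, one does not. */
    printf("short input: %d\n", bounded_copy_demo("hello"));
    printf("long input:  %d\n",
           bounded_copy_demo("this input is far longer than sixteen bytes"));
    return 0;
}
```

Build it with gcc or clang and run it a few times: the absolute addresses move with ASLR, but the distance from the buffer to the frame base stays the same for a given build, and it shows how few bytes separate a local array from the saved return address. That gap is the whole reason the bounded copy checks the length before touching the stack.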

This is why that return address is important, and why it exists in the first place.


Source: https://dzone.com/articles/anatomy-of-an-exploit-stack-smashing-registers
