关于StackSmashingDetected问题调查

■现象

密钥交换时报错： stack smashing detected ，产生CoreDump。

■再现步骤

1.密钥交换

■根本原因

使用解密函数写穿了局部变量的buffer，导致触发了stack protector机制。

代码分析：

int RootKeyCmdDown::procMsg(std::shared_ptr<ConnectionContext> conn)
{
	logInfo("%s procMsg.", TAG.data());
	vector<BYTE> dataVec;
	dataVec.resize(32);
	memset(&dataVec[0], 0, 32);
	BYTE new_root_key[16] = {0};
	get_new_rootkey(new_root_key);
    .......
}

aes_decrypt((unsigned char*)new_root_key_aes,32,pMsgContainer->GetRootKeyVector(),aes_decrypt_buf);

int aes_decrypt(unsigned char* in, int len , unsigned char* key, unsigned char* out)
{
    AES_KEY aes;
    if(AES_set_decrypt_key(key, 128, &aes) < 0) return 0;
	for(int i = 0;i<(len/16);i++) //循环调用两次，out处写了32个字节
	{
		AES_ecb_encrypt(in+i*16, out+i*16, &aes , AES_DECRYPT);
	}
    return 1;
}

■调查详细

由于密钥交换触发条件比较麻烦，本示例使用的是测试程序，并非项目代码

1.打开产生Core文件选项

root@mdm9607-perf:~/work/stack-protector# ulimit -c unlimited
root@mdm9607-perf:~/work/stack-protector# ulimit -c
unlimited

2.查看Core产生路径

root@mdm9607-perf:~/work/stack-protector# cat /proc/sys/kernel/core_pattern 
core

相对路径core，代表Core文件生成在执行命令的当前目录下。

3.gdb调试

3.1 打印堆栈回溯

root@mdm9607-perf:~/work/stack-protector# ./test_overflow_smash xxxxxxxxxxxxxxxx
xxxxx
*** stack smashing detected ***: ./test_overflow_smash terminated
Aborted (core dumped)
root@mdm9607-perf:~/work/stack-protector# gdb ./test_overflow_smash core
Reading symbols from ./test_overflow_smash...2502
done.

warning: core file may not match specified executable file.
[New LWP 5939]
Core was generated by `./test_overflow_smash xxxxxxxxxxxxxxxxxxxxx'.
Program terminated with signal SIGABRT, Aborted.
#0  0x4c93cb94 in raise () from /lib/libc.so.6
(gdb) bt
#0  0x4c93cb94 in raise () from /lib/libc.so.6
#1  0x4c940670 in abort () from /lib/libc.so.6
#2  0x4c974998 in ?? () from /lib/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

libc.so以后的堆栈回溯只能看到？号。百度一下，可能是libc.so的版本不对。也就是说集成环境的libc.so与我们编译的SDK中libc.so版本不一致。

3.2 拷贝SDK中的libc.so到环境中，编译时指定该目录

root@mdm9607-perf:~/work/stack-protector# ls
core                           test_overflow_segv
libc.so.6

3.3 gdb中设置lib库的加载路径

(gdb)   set solib-absolute-prefix "./"
(gdb)   set solib-search-path "./"
warning: .dynamic section for "/home/root/work/stack-protector/libc.so.6" is not at the expected address (wrong library or version mismatch?)
Reading symbols from /home/root/work/stack-protector/libc.so.6...done.
Loaded symbols for /home/root/work/stack-protector/libc.so.6
(gdb) bt
#0  0x4c93cb94 in raise () from /home/root/work/stack-protector/libc.so.6
#1  0x4c940670 in abort () from /home/root/work/stack-protector/libc.so.6
#2  0x4c974998 in __libc_message ()
   from /home/root/work/stack-protector/libc.so.6
#3  0x4c9f042c in __fortify_fail ()
   from /home/root/work/stack-protector/libc.so.6
#4  0x4c9f03e8 in __stack_chk_fail ()
   from /home/root/work/stack-protector/libc.so.6
#5  0x0000862c in check_password (password=0xbebcfed8 'x' <repeats 21 times>)
    at test_overflow.c:19
#6  0x00008674 in main (argc=2, argv=0xbebcfdc4) at test_overflow.c:23
(gdb)

3.4 关于编译参数stack-protector介绍见《经验分享：gcc编译参数stack-protector》