Investigation of a StackSmashingDetected problem

■ Symptom

During key exchange the process reports `stack smashing detected` and produces a core dump.

■ Reproduction steps

1. Perform a key exchange.

■ Root cause

The decrypt function wrote past the end of a local-variable buffer, which tripped the stack-protector mechanism (the canary check at function return).

Code analysis:

int RootKeyCmdDown::procMsg(std::shared_ptr<ConnectionContext> conn)
{
    logInfo("%s procMsg.", TAG.data());
    vector<BYTE> dataVec;
    dataVec.resize(32);
    memset(&dataVec[0], 0, 32);
    BYTE new_root_key[16] = {0};   // 16-byte local buffer on the stack
    get_new_rootkey(new_root_key);
    .......
}

// 32 bytes of ciphertext are passed in, so the decrypt loop writes two 16-byte blocks into the output buffer
aes_decrypt((unsigned char*)new_root_key_aes, 32, pMsgContainer->GetRootKeyVector(), aes_decrypt_buf);
#include <openssl/aes.h>

int aes_decrypt(unsigned char* in, int len, unsigned char* key, unsigned char* out)
{
    AES_KEY aes;
    if (AES_set_decrypt_key(key, 128, &aes) < 0) return 0;
    for (int i = 0; i < (len / 16); i++)   // with len == 32 the loop runs twice and writes 32 bytes at out; nothing checks the size of out
    {
        AES_ecb_encrypt(in + i * 16, out + i * 16, &aes, AES_DECRYPT);
    }
    return 1;
}
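As an added example (not code from the page or from the project), here is a bounds-checked counterpart of the aes_decrypt() above in C: the caller states the capacity of the output buffer, and a 32-byte ciphertext aimed at a 16-byte stack buffer is rejected instead of overwriting the canary. The block transform is a hypothetical XOR stand-in for OpenSSL's AES_ecb_encrypt(), and SAMPLE_KEY / SAMPLE_CIPHER are constructed test data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define AES_BLOCK 16

/* Stand-in for OpenSSL's AES_ecb_encrypt(): transforms one 16-byte block by
 * XORing it with the key. Only the buffer arithmetic matters here. */
static void block_decrypt(const uint8_t *in, uint8_t *out, const uint8_t *key)
{
    for (int i = 0; i < AES_BLOCK; i++)
        out[i] = in[i] ^ key[i];
}

/* Bounds-checked counterpart of the page's aes_decrypt(): the caller passes
 * the capacity of `out`, and the block loop never runs past it.
 * Returns the number of bytes written, or -1 when a length is invalid. */
int aes_decrypt_checked(const uint8_t *in, size_t in_len, const uint8_t *key,
                        uint8_t *out, size_t out_cap)
{
    if (in_len == 0 || in_len % AES_BLOCK != 0)   /* ECB needs whole blocks */
        return -1;
    if (in_len > out_cap)                         /* would overrun `out` */
        return -1;
    for (size_t off = 0; off < in_len; off += AES_BLOCK)
        block_decrypt(in + off, out + off, key);
    return (int)in_len;
}

/* Models the caller in procMsg: a 16-byte root-key buffer on the stack. A
 * 32-byte ciphertext now yields an error instead of "stack smashing detected". */
int decrypt_into_root_key(const uint8_t *cipher, size_t cipher_len,
                          const uint8_t *key, uint8_t root_key_out[AES_BLOCK])
{
    uint8_t new_root_key[AES_BLOCK] = {0};
    int n = aes_decrypt_checked(cipher, cipher_len, key,
                                new_root_key, sizeof new_root_key);
    if (n < 0)
        return -1;
    memcpy(root_key_out, new_root_key, sizeof new_root_key);
    return n;
}

/* Constructed sample data (hypothetical): key of 0x5a bytes; the first
 * ciphertext block decrypts to 1..16, the second to all zeros. */
const uint8_t SAMPLE_KEY[AES_BLOCK] = {
    0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a };
const uint8_t SAMPLE_CIPHER[2 * AES_BLOCK] = {
    0x5b,0x58,0x59,0x5e,0x5f,0x5c,0x5d,0x52,0x53,0x50,0x51,0x56,0x57,0x54,0x55,0x4a,
    0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a,0x5a };
```

With the real OpenSSL call swapped back in, the only change to the original function is the extra `out_cap` parameter and the two length checks before the loop.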

■ Investigation details

Because the conditions for triggering the key exchange are cumbersome, this walkthrough uses a test program rather than the project code.

1. Enable core file generation

root@mdm9607-perf:~/work/stack-protector# ulimit -c unlimited
root@mdm9607-perf:~/work/stack-protector# ulimit -c
unlimited

2. Check where the core file is written

root@mdm9607-perf:~/work/stack-protector# cat /proc/sys/kernel/core_pattern 
core

The relative path `core` means the core file is written to the current working directory of the process that crashed.

3. Debugging with gdb

3.1 Print the stack backtrace

root@mdm9607-perf:~/work/stack-protector# ./test_overflow_smash xxxxxxxxxxxxxxxx
xxxxx
*** stack smashing detected ***: ./test_overflow_smash terminated
Aborted (core dumped)
root@mdm9607-perf:~/work/stack-protector# gdb ./test_overflow_smash core
Reading symbols from ./test_overflow_smash...2502
done.

warning: core file may not match specified executable file.
[New LWP 5939]
Core was generated by `./test_overflow_smash xxxxxxxxxxxxxxxxxxxxx'.
Program terminated with signal SIGABRT, Aborted.
#0 0x4c93cb94 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x4c93cb94 in raise () from /lib/libc.so.6
#1 0x4c940670 in abort () from /lib/libc.so.6
#2 0x4c974998 in ?? () from /lib/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

Past libc.so the backtrace shows only ?? frames. A search on Baidu suggests the libc.so version is wrong: the libc.so in the integration environment does not match the libc.so in the SDK we compiled against.

3.2 Copy libc.so from the SDK into the environment and specify that directory at compile time

root@mdm9607-perf:~/work/stack-protector# ls
core test_overflow_segv
libc.so.6

3.3 Set the shared-library load path in gdb

(gdb)   set solib-absolute-prefix "./"
(gdb) set solib-search-path "./"
warning: .dynamic section for "/home/root/work/stack-protector/libc.so.6" is not at the expected address (wrong library or version mismatch?)
Reading symbols from /home/root/work/stack-protector/libc.so.6...done.
Loaded symbols for /home/root/work/stack-protector/libc.so.6
(gdb) bt
#0 0x4c93cb94 in raise () from /home/root/work/stack-protector/libc.so.6
#1 0x4c940670 in abort () from /home/root/work/stack-protector/libc.so.6
#2 0x4c974998 in __libc_message ()
from /home/root/work/stack-protector/libc.so.6
#3 0x4c9f042c in __fortify_fail ()
from /home/root/work/stack-protector/libc.so.6
#4 0x4c9f03e8 in __stack_chk_fail ()
from /home/root/work/stack-protector/libc.so.6
#5 0x0000862c in check_password (password=0xbebcfed8 'x' <repeats 21 times>)
at test_overflow.c:19
#6 0x00008674 in main (argc=2, argv=0xbebcfdc4) at test_overflow.c:23
(gdb)

3.4 For an introduction to the compiler option stack-protector, see "Experience sharing: the gcc compile option stack-protector".
