Date: Thu, 13 Feb 1997 17:07:25 -0700 (MST)
From: Charles Mott
To: Robin Melville
cc: freebsd-chat@freebsd.org
Subject: Re: Trying to understand stack overflow

> >If it does, then it would be interesting to have a version of gcc which
> >adds some "noise" as to where exactly in the stack an automatic variable
> >is located.
>
> Yes, I wondered about this too. I don't believe the actual location of
> an auto makes any difference, because the desired effect is to overwrite
> the return address.

How does control flow fall through to the overflow part of the stack? If an
absolute return address is given, I don't see how this can be done. There is
something about the stack mechanism I need to understand.

> >Would it also be possible to have separate data and control flow
> >stacks?
>
> Yes that would also make more sense.

Any advice here on how to do this would be appreciated. If there is a
conceptual reason it won't work -- no spare registers, or possibly
interference with custom assembler code -- I would appreciate knowing. I just
need to find a lousy x386 reference (either online or printed).

Charles Mott
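An added illustration of the two points raised above (not part of the original mail or of any FreeBSD code): where the saved return address sits relative to an automatic buffer, and what a "separate control stack" check looks like in software. It assumes GCC/Clang builtins (`__builtin_frame_address`, `__builtin_return_address`) and a frame-pointer layout as on x86-64 or AArch64; the shadow-stack array and the function names are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. Frame layout. With a frame pointer, the return address is saved one word
 * above it and automatic variables are placed below it. The result is how many
 * bytes above `buf` the return-address slot lies (positive on x86-64/AArch64).
 * A copy bounded by sizeof buf can never reach that slot; -fstack-protector
 * adds a canary between the two as a second line of defence. */
__attribute__((noinline)) long return_slot_offset_from_local(void) {
    volatile char buf[32];
    buf[0] = 0;
    uintptr_t ret_slot = (uintptr_t)__builtin_frame_address(0) + sizeof(void *);
    return (long)(ret_slot - (uintptr_t)buf);
}

/* 2. Software shadow stack (constructed): on entry a function pushes its own
 * return address onto a separate array that no buffer write can reach; on exit
 * the value the CPU is about to `ret` to is compared against that copy. */
#define SHADOW_DEPTH 64
static uintptr_t shadow_stack[SHADOW_DEPTH];
static size_t shadow_top;

static void shadow_push(uintptr_t ret) {
    if (shadow_top < SHADOW_DEPTH) shadow_stack[shadow_top++] = ret;
}
/* Returns 1 when the return address still matches the shadow copy, else 0. */
static int shadow_pop_check(uintptr_t ret) {
    if (shadow_top == 0) return 0;
    return shadow_stack[--shadow_top] == ret;
}
#define SHADOW_ENTER() shadow_push((uintptr_t)__builtin_return_address(0))
#define SHADOW_LEAVE() shadow_pop_check((uintptr_t)__builtin_return_address(0))

/* Instrumented function with a bounded copy; dst must hold 16 bytes. The
 * local buffer is never overrun, so the check passes and 1 is returned. */
__attribute__((noinline)) int guarded_copy(char *dst, const char *src) {
    SHADOW_ENTER();
    char local[16];
    size_t n = strlen(src);
    if (n > sizeof local - 1) n = sizeof local - 1;   /* truncate, never overflow */
    memcpy(local, src, n); local[n] = '\0';
    memcpy(dst, local, n + 1);
    return SHADOW_LEAVE();
}

/* The same check fed an address that differs from the frame's real one, standing
 * in for a corrupted slot without invoking undefined behaviour: returns 0. */
__attribute__((noinline)) int guarded_with_mismatch(void) {
    SHADOW_ENTER();
    uintptr_t tampered = (uintptr_t)__builtin_return_address(0) ^ 0x10;
    return shadow_pop_check(tampered);
}
```

Compile with `cc -O2 -fno-omit-frame-pointer`; a hardware-assisted version of the same idea is what Intel CET and ARM PAC provide.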