Exercise an inter-stack-object buffer overflow
This exercise demonstrates an inter-object buffer overflow on baseline and CHERI-enabled architectures, and asks you to characterize and fix the bug detected by CHERI bounds enforcement. It also asks you to use GDB for debugging purposes.
By contrast to the globals-based example, this example uses two stack objects to demonstrate the overflow. We will be able to see the CHERI C compiler generate code to apply spatial bounds on the capability used for the buffer pointer we pass around.
-
Compile
buffer-overflow-stack.cfor the baseline architecture to the binarybuffer-overflow-stack-baselineand for the CHERI-aware architecture tobuffer-overflow-stack-cheri. -
Run both programs and observe their outputs.
-
Using GDB on the core dump (or run the CHERI program under
gdb): Why has the CHERI program failed? -
Compare and contrast the disassembly of the baseline and CHERI programs. In particular, focus on the
write_buffunction andmain's call to it and the information flow leading up to it.
Source
buffer-overflow-stack.c
/*
* SPDX-License-Identifier: BSD-2-Clause
* Copyright (c) 2022 Microsoft Corporation
*/
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#pragma weak write_buf
void
write_buf(char *buf, size_t ix)
{
buf[ix] = 'b';
}
int
main(void)
{
char upper[0x10];
char lower[0x10];
printf("upper = %p, lower = %p, diff = %zx\n",
upper, lower, (size_t)(upper - lower));
/* Assert that these get placed how we expect */
assert((ptraddr_t)upper == (ptraddr_t)&lower[sizeof(lower)]);
upper[0] = 'a';
printf("upper[0] = %c\n", upper[0]);
write_buf(lower, sizeof(lower));
printf("upper[0] = %c\n", upper[0]);
return 0;
}
Courseware
This exercise has presentation materials available.