为什么 arrays 在函数中用作局部变量时不会沿堆栈方向增长?
[英]Why do arrays not grow in stack direction when used in functions as local variables?
问题描述
This might be a stupid question but I was wondering what if the array was filled with values in a way of it grows in the direction of the stack (so in case of the array being the only one local variable such that the first element of the array is adressed one byte after the stackframe pointer/base pointer, the second element adressed two bytes after stackframe pointer/base pointer, ...), wouldn't it make stack overflow in C much safer since the return adress cannot be overwritten that easy (the array would have to fill nearly the entire RAM and thus the program would crash instead of execute some malicious code)?
这可能是一个愚蠢的问题,但我想知道如果数组填充的值以某种方式沿堆栈方向增长(因此,如果数组是唯一的一个局部变量,那么数组的第一个元素数组在堆栈帧指针/基指针后一个字节寻址,第二个元素在堆栈帧指针/基指针后两个字节寻址,...),它不会使 C 中的堆栈溢出更安全,因为返回地址不能被覆盖容易(数组必须填满几乎整个 RAM,因此程序会崩溃而不是执行一些恶意代码)?
2 个解决方案
解决方案1
5 2019-11-05 22:57:27
You can't do this with a stack that grows down without completely swapping the addressing model for all arrays.在没有完全交换所有 arrays 的寻址 model 的情况下,您不能使用向下增长的堆栈执行此操作。 That's a viable implementation choice, but not compatible with existing ABIs.这是一个可行的实施选择,但与现有的 ABI 不兼容。
What you have noticed is that, in some ways, having a stack that grows up (where up is the direction of positive array index) is in some ways safer than having a stack that grows down.您注意到的是,在某些方面,拥有一个向上增长的堆栈(向上是正数组索引的方向)在某些方面比拥有一个向下增长的堆栈更安全。 However, it's not all that much safer.然而,这并不是那么安全。 Consider what happens when you pass the address of an array with automatic storage to another function.考虑将具有自动存储功能的数组的地址传递给另一个 function 时会发生什么。 The callee will appear higher on the stack than the array, so any overflow of the array will overflow into the callee's stack frame, possibly including its return address.被调用者在堆栈上的位置将高于数组,因此数组的任何溢出都会溢出到被调用者的堆栈帧中,可能包括其返回地址。 For example:例如:
void foo()
{
char s[4];
strcpy(s, "hello world");
}
When strcpy returns, its return address may have been clobbered by storing past the end of the array whose address was passed to it.当strcpy返回时,它的返回地址可能已通过存储超过其地址传递给它的数组的末尾而被破坏。
解决方案2
2 2019-11-05 23:11:40
"The direction of the stack" is a function of the implementation, not the language - the language specification doesn't even assume the presence of a stack. “堆栈的方向”是实现的 function,而不是语言 - 语言规范甚至不假设存在堆栈。
Array indexing works by adding a non-negative offset to a base address and dereferencing the result - arrays must always grow "up" towards increasing addresses, irrespective of the stack growth direction.数组索引通过向基地址添加非负偏移量并取消引用结果来工作 - arrays 必须始终“向上”增长到地址增加,而不管堆栈增长方向如何。
The only thing that will truly make array operations safe (r) is for the C language specification to require bounds checking on all array accesses and to throw an exception on an out-of-bounds access.唯一真正使数组操作安全(r) 的是 C 语言规范要求对所有数组访问进行边界检查并在越界访问时抛出异常。 Of course, the C language specification would also have to add structured exception handling as well (the current signal-handling method would be woefully inadequate).当然,C 语言规范也必须添加结构化异常处理(当前的信号处理方法严重不足)。
Such an addition is... unlikely .这样的添加是……不太可能的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.