Skip to content

Instantly share code, notes, and snippets.

@shakna-israel

shakna-israel/Prose.md

Last active March 28, 2020 03:42
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save shakna-israel/81d32d39547fde95249b74522998bd17 to your computer and use it in GitHub Desktop.
Save shakna-israel/81d32d39547fde95249b74522998bd17 to your computer and use it in GitHub Desktop.
Download ZIP
SegFault
Raw
objdump
a.out: file format elf64-x86-64
Disassembly of section .init:
0000000000001000 <_init>:
1000: f3 0f 1e fa endbr64
1004: 48 83 ec 08 sub $0x8,%rsp
1008: 48 8b 05 d9 2f 00 00 mov 0x2fd9(%rip),%rax # 3fe8 <__gmon_start__>
100f: 48 85 c0 test %rax,%rax
1012: 74 02 je 1016 <_init+0x16>
1014: ff d0 callq *%rax
1016: 48 83 c4 08 add $0x8,%rsp
101a: c3 retq
Disassembly of section .text:
0000000000001020 <_start>:
1020: f3 0f 1e fa endbr64
1024: 31 ed xor %ebp,%ebp
1026: 49 89 d1 mov %rdx,%r9
1029: 5e pop %rsi
102a: 48 89 e2 mov %rsp,%rdx
102d: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
1031: 50 push %rax
1032: 54 push %rsp
1033: 4c 8d 05 a6 01 00 00 lea 0x1a6(%rip),%r8 # 11e0 <__libc_csu_fini>
103a: 48 8d 0d 2f 01 00 00 lea 0x12f(%rip),%rcx # 1170 <__libc_csu_init>
1041: 48 8d 3d d8 00 00 00 lea 0xd8(%rip),%rdi # 1120
1048: ff 15 92 2f 00 00 callq *0x2f92(%rip) # 3fe0 <__libc_start_main@GLIBC_2.2.5>
104e: f4 hlt
104f: 90 nop
0000000000001050 :
1050: 48 8d 3d d1 2f 00 00 lea 0x2fd1(%rip),%rdi # 4028 <__TMC_END__>
1057: 48 8d 05 ca 2f 00 00 lea 0x2fca(%rip),%rax # 4028 <__TMC_END__>
105e: 48 39 f8 cmp %rdi,%rax
1061: 74 15 je 1078
1063: 48 8b 05 6e 2f 00 00 mov 0x2f6e(%rip),%rax # 3fd8 <_ITM_deregisterTMCloneTable>
106a: 48 85 c0 test %rax,%rax
106d: 74 09 je 1078
106f: ff e0 jmpq *%rax
1071: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
1078: c3 retq
1079: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
0000000000001080 :
1080: 48 8d 3d a1 2f 00 00 lea 0x2fa1(%rip),%rdi # 4028 <__TMC_END__>
1087: 48 8d 35 9a 2f 00 00 lea 0x2f9a(%rip),%rsi # 4028 <__TMC_END__>
108e: 48 29 fe sub %rdi,%rsi
1091: 48 89 f0 mov %rsi,%rax
1094: 48 c1 ee 3f shr $0x3f,%rsi
1098: 48 c1 f8 03 sar $0x3,%rax
109c: 48 01 c6 add %rax,%rsi
109f: 48 d1 fe sar %rsi
10a2: 74 14 je 10b8
10a4: 48 8b 05 45 2f 00 00 mov 0x2f45(%rip),%rax # 3ff0 <_ITM_registerTMCloneTable>
10ab: 48 85 c0 test %rax,%rax
10ae: 74 08 je 10b8
10b0: ff e0 jmpq *%rax
10b2: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
10b8: c3 retq
10b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
00000000000010c0 <__do_global_dtors_aux>:
10c0: f3 0f 1e fa endbr64
10c4: 80 3d 5d 2f 00 00 00 cmpb $0x0,0x2f5d(%rip) # 4028 <__TMC_END__>
10cb: 75 33 jne 1100 <__do_global_dtors_aux+0x40>
10cd: 55 push %rbp
10ce: 48 83 3d 22 2f 00 00 cmpq $0x0,0x2f22(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>
10d5: 00
10d6: 48 89 e5 mov %rsp,%rbp
10d9: 74 0d je 10e8 <__do_global_dtors_aux+0x28>
10db: 48 8b 3d 3e 2f 00 00 mov 0x2f3e(%rip),%rdi # 4020 <__dso_handle>
10e2: ff 15 10 2f 00 00 callq *0x2f10(%rip) # 3ff8 <__cxa_finalize@GLIBC_2.2.5>
10e8: e8 63 ff ff ff callq 1050
10ed: c6 05 34 2f 00 00 01 movb $0x1,0x2f34(%rip) # 4028 <__TMC_END__>
10f4: 5d pop %rbp
10f5: c3 retq
10f6: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
10fd: 00 00 00
1100: c3 retq
1101: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
1108: 00 00 00 00
110c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000001110 :
1110: f3 0f 1e fa endbr64
1114: e9 67 ff ff ff jmpq 1080
1119: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
0000000000001120 :
1120: 55 push %rbp
1121: 48 89 e5 mov %rsp,%rbp
1124: 48 83 ec 20 sub $0x20,%rsp
1128: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
112f: 89 7d f8 mov %edi,-0x8(%rbp)
1132: 48 89 75 f0 mov %rsi,-0x10(%rbp)
1136: c7 45 ec 00 00 00 00 movl $0x0,-0x14(%rbp)
113d: 8b 45 ec mov -0x14(%rbp),%eax
1140: 3b 45 f8 cmp -0x8(%rbp),%eax
1143: 0f 8d 1a 00 00 00 jge 1163
1149: 31 c0 xor %eax,%eax
114b: 89 c6 mov %eax,%esi
114d: 8b 7d f8 mov -0x8(%rbp),%edi
1150: e8 cb ff ff ff callq 1120
1155: 8b 45 ec mov -0x14(%rbp),%eax
1158: 83 c0 01 add $0x1,%eax
115b: 89 45 ec mov %eax,-0x14(%rbp)
115e: e9 da ff ff ff jmpq 113d
1163: 8b 45 fc mov -0x4(%rbp),%eax
1166: 48 83 c4 20 add $0x20,%rsp
116a: 5d pop %rbp
116b: c3 retq
116c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000001170 <__libc_csu_init>:
1170: f3 0f 1e fa endbr64
1174: 41 57 push %r15
1176: 4c 8d 3d 9b 2c 00 00 lea 0x2c9b(%rip),%r15 # 3e18 <__frame_dummy_init_array_entry>
117d: 41 56 push %r14
117f: 49 89 d6 mov %rdx,%r14
1182: 41 55 push %r13
1184: 49 89 f5 mov %rsi,%r13
1187: 41 54 push %r12
1189: 41 89 fc mov %edi,%r12d
118c: 55 push %rbp
118d: 48 8d 2d 8c 2c 00 00 lea 0x2c8c(%rip),%rbp # 3e20 <__init_array_end>
1194: 53 push %rbx
1195: 4c 29 fd sub %r15,%rbp
1198: 48 83 ec 08 sub $0x8,%rsp
119c: e8 5f fe ff ff callq 1000 <_init>
11a1: 48 c1 fd 03 sar $0x3,%rbp
11a5: 74 1f je 11c6 <__libc_csu_init+0x56>
11a7: 31 db xor %ebx,%ebx
11a9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
11b0: 4c 89 f2 mov %r14,%rdx
11b3: 4c 89 ee mov %r13,%rsi
11b6: 44 89 e7 mov %r12d,%edi
11b9: 41 ff 14 df callq *(%r15,%rbx,8)
11bd: 48 83 c3 01 add $0x1,%rbx
11c1: 48 39 dd cmp %rbx,%rbp
11c4: 75 ea jne 11b0 <__libc_csu_init+0x40>
11c6: 48 83 c4 08 add $0x8,%rsp
11ca: 5b pop %rbx
11cb: 5d pop %rbp
11cc: 41 5c pop %r12
11ce: 41 5d pop %r13
11d0: 41 5e pop %r14
11d2: 41 5f pop %r15
11d4: c3 retq
11d5: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
11dc: 00 00 00 00
00000000000011e0 <__libc_csu_fini>:
11e0: f3 0f 1e fa endbr64
11e4: c3 retq
Disassembly of section .fini:
00000000000011e8 <_fini>:
11e8: f3 0f 1e fa endbr64
11ec: 48 83 ec 08 sub $0x8,%rsp
11f0: 48 83 c4 08 add $0x8,%rsp
11f4: c3 retq
Raw
Prose.md

Expectation

We're basically just calling an infinite loop here, passing an int, that we never change, forward.

There shouldn't be any memory being allocated, and so this should just continue on forever.

Reality

Segmentation Fault.

Observations:

GCC's output managed to stay alive longer than Clang's.

The segfault seems to happen if argc manages to become 1 instead of 0. Which is probably shouldn't be able to.

Compiler output comes from this Godbolt.

GCC 9.3 Output

    main:
            push    rbp
            mov     rbp, rsp
            sub     rsp, 32
            mov     DWORD PTR [rbp-20], edi
            mov     QWORD PTR [rbp-32], rsi
            mov     DWORD PTR [rbp-4], 0
            jmp     .L2
    .L3:
            mov     eax, DWORD PTR [rbp-20]
            mov     esi, 0
            mov     edi, eax
            call    main
            add     DWORD PTR [rbp-4], 1
    .L2:
            mov     eax, DWORD PTR [rbp-4]
            cmp     eax, DWORD PTR [rbp-20]
            jl      .L3
            mov     eax, 0
            leave
            ret
Raw
test.c
#include <stddef.h>
int main(int argc, char* argv[]) {
for(int i = 0; i < argc; i++) {
main(argc, NULL);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment