(gdb) disass check_authentication
Dump of assembler code for function check_authentication:
0x08048414 <check_authentication+0>:  push  ebp
0x08048415 <check_authentication+1>:  mov   ebp,esp
0x08048417 <check_authentication+3>:  sub   esp,0x38
0x0804841a <check_authentication+6>:  mov   DWORD PTR [ebp-12],0x0
0x08048421 <check_authentication+13>: mov   eax,DWORD PTR [ebp+8]
0x08048424 <check_authentication+16>: mov   DWORD PTR [esp+4],eax
0x08048428 <check_authentication+20>: lea   eax,[ebp-40]
0x0804842b <check_authentication+23>: mov   DWORD PTR [esp],eax
0x0804842e <check_authentication+26>: call  0x804830c <strcpy@plt>
0x08048433 <check_authentication+31>: lea   eax,[ebp-40]
0x08048436 <check_authentication+34>: mov   DWORD PTR [esp+4],0x80485d4
0x0804843e <check_authentication+42>: mov   DWORD PTR [esp],eax
0x08048441 <check_authentication+45>: call  0x804832c <strcmp@plt>
0x08048446 <check_authentication+50>: test  eax,eax
0x08048448 <check_authentication+52>: jne   0x8048451 <check_authentication+61>
0x0804844a <check_authentication+54>: mov   DWORD PTR [ebp-12],0x1
0x08048451 <check_authentication+61>: lea   eax,[ebp-40]
0x08048454 <check_authentication+64>: mov   DWORD PTR [esp+4],0x80485dc
0x0804845c <check_authentication+72>: mov   DWORD PTR [esp],eax
0x0804845f <check_authentication+75>: call  0x804832c <strcmp@plt>
0x08048464 <check_authentication+80>: test  eax,eax
0x08048466 <check_authentication+82>: jne   0x804846f <check_authentication+91>
0x08048468 <check_authentication+84>: mov   DWORD PTR [ebp-12],0x1
0x0804846f <check_authentication+91>: mov   eax,DWORD PTR [ebp-12]
0x08048472 <check_authentication+94>: leave
0x08048473 <check_authentication+95>: ret
End of assembler dump.

Referring to the code below, I can see that password_buffer takes up 16 bytes and auth_flag takes up 4 bytes, but I notice from gdb that it does "sub esp, 0x38", so my question is: what are the remaining bytes (18 bytes) for?

#include <string.h>

int check_authentication(char *password) {
    int auth_flag = 0;
    char password_buffer[16];

    /* No length check: a password longer than 15 characters overflows
       password_buffer (this is the book's deliberately vulnerable code). */
    strcpy(password_buffer, password);

    if(strcmp(password_buffer, "brillig") == 0)
        auth_flag = 1;
    if(strcmp(password_buffer, "outgrabe") == 0)
        auth_flag = 1;

    return auth_flag;
}
  • It's internal compiler stuff. Post the assembly output, then we can probably tell you more. Also tell us what your platform is. – Jabberwocky May 05 '21 at 13:40
  • Maybe the compiler is aligning it for better access performance. Or many other possible reasons – Eugene Sh. May 05 '21 at 13:42
  • BTW why do you copy the password to `password_buffer` before the comparison? It's completely useless. Just remove `password_buffer` and the `strcpy` and write `if (strcmp(password, "brillig")...` – Jabberwocky May 05 '21 at 13:42
  • @Jabberwocky Could be a useful thing against TOCTOU in case `password` is pointing to a different type of memory (controlled by an attacker or susceptible to race conditions) than the local stack. – Eugene Sh. May 05 '21 at 13:45
  • @Jabberwocky, the code is from a book named hacking-the-art-of-exploitation; I'm just reading the book and trying to understand the concept – gllow May 05 '21 at 13:45
  • Try compiling this code with optimization. – SergeyA May 05 '21 at 13:51
  • Could be stack protection getting in the way, try disabling it and also as other people said, try enabling optimisation. – May 05 '21 at 13:52
  • This could be a partial explanation: https://stackoverflow.com/questions/49391001/why-does-the-x86-64-amd64-system-v-abi-mandate-a-16-byte-stack-alignment -- but it's not immediately obvious to me why that produced 0x38 – May 05 '21 at 14:14
  • the code above will never be generated as no one uses -O0 in any production code. Analyzing it is rather pointless. https://godbolt.org/z/8qKhMrq9s – 0___________ May 05 '21 at 15:07
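Added worked example (not part of the question or of any comment above): a C model of the stack frame that the disassembly describes, for 32-bit x86 as compiled with gcc -O0. Every offset is read straight from the dump: password_buffer at ebp-40 (16 bytes), auth_flag at ebp-12 (4 bytes), and an 8-byte outgoing-argument area at [esp] and [esp+4] that the strcpy/strcmp calls fill. The 16-byte alignment of esp at call sites is an assumption about gcc's i386 default, and the helper names are mine; the page states neither. Because the strcpy has no bounds check, the same offsets also give the distances an over-long password must cover before it reaches auth_flag, the saved ebp and the return address.

```c
#include <stdio.h>
#include <string.h>

/*
 * Frame model for check_authentication, taken from the gdb dump above
 * (32-bit x86, gcc -O0).  Offsets are relative to ebp after the prologue
 * "push ebp; mov ebp,esp; sub esp,0x38".
 */
#define FRAME_SIZE     0x38   /* sub esp,0x38 */
#define BUF_OFF        (-40)  /* lea eax,[ebp-40]          -> password_buffer */
#define BUF_SIZE       16
#define FLAG_OFF       (-12)  /* mov DWORD PTR [ebp-12],0x0 -> auth_flag */
#define FLAG_SIZE      4
#define SAVED_EBP_OFF  0      /* pushed by "push ebp" */
#define RET_OFF        4      /* pushed by the caller's "call" */
#define OUTGOING_ARGS  8      /* [esp] and [esp+4] hold the strcpy/strcmp args */

/* Bytes of the 0x38 frame that are neither the two locals nor the
   outgoing-argument area: the "remaining bytes" the question asks about. */
int frame_slack_bytes(void) {
    return FRAME_SIZE - BUF_SIZE - FLAG_SIZE - OUTGOING_ARGS;
}

/* Bytes strcpy() must write into password_buffer before it touches the
   first byte of the slot at the given ebp-relative offset. */
int bytes_to_reach(int slot_off) {
    return slot_off - BUF_OFF;
}

/* Is esp 16-byte aligned when strcpy/strcmp are called?  Assumes (not
   stated on the page) that the caller's esp was 16-aligned before its
   "call", which is gcc's default for i386. */
int call_site_is_16_aligned(void) {
    int esp_at_entry = -4;               /* "call" pushed the return address */
    int ebp = esp_at_entry - 4;          /* "push ebp" */
    int esp_in_body = ebp - FRAME_SIZE;  /* "sub esp,0x38" */
    return esp_in_body % 16 == 0;
}

/* What a password of n characters overwrites.  strcpy also copies the
   terminating NUL, so n+1 bytes land in the frame. */
const char *overflow_effect(int n) {
    int written = n + 1;
    if (written > bytes_to_reach(RET_OFF))       return "return address";
    if (written > bytes_to_reach(SAVED_EBP_OFF)) return "saved ebp";
    if (written > bytes_to_reach(FLAG_OFF))      return "auth_flag";
    if (written > BUF_SIZE)                      return "padding only";
    return "fits";
}

int main(void) {
    printf("frame size             : %d bytes (sub esp,0x%x)\n", FRAME_SIZE, FRAME_SIZE);
    printf("locals + outgoing args : %d bytes\n", BUF_SIZE + FLAG_SIZE + OUTGOING_ARGS);
    printf("slack / alignment      : %d bytes\n", frame_slack_bytes());
    printf("esp 16-aligned at calls: %s\n", call_site_is_16_aligned() ? "yes" : "no");
    printf("bytes to auth_flag     : %d\n", bytes_to_reach(FLAG_OFF));
    printf("bytes to saved ebp     : %d\n", bytes_to_reach(SAVED_EBP_OFF));
    printf("bytes to return address: %d\n", bytes_to_reach(RET_OFF));
    /* constructed sample lengths, not inputs from the page */
    for (int n = 15; n <= 45; n += 15)
        printf("password of %2d chars -> %s\n", n, overflow_effect(n));
    return 0;
}
```

Compiled and run as is, it prints the frame map. The accounting it shows: 0x38 is 56 bytes, of which 16 + 4 + 8 = 28 are the two locals plus the argument slots the calls use, leaving 28 bytes of padding; and 56 bytes of frame plus the 4-byte saved ebp and 4-byte return address come to 64, so esp stays 16-byte aligned at each call. The distances matter for the book's demonstration: 28 bytes of input reach auth_flag, 40 reach the saved ebp, 44 reach the return address.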
