From: CICAP on
I know this program is buggy, but I was trying to understand why it
shows this behavior on linux kernel
2.6.32:

#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
int a[10];
printf("%d\n", a[1000]);
return 0;
}

execution 1: 1668312366
execution 2: 0
execution 3: segmentation fault
execution 4: 0
etc...

After disabling ASLR on my kernel, the behavior isn't random anymore.
What is exacting happening on the stack address?
From: Nicolas George on
CICAP wrote in message
<de7ba55b-fe3f-4197-9c7d-cb8f87e98e6e(a)u26g2000yqu.googlegroups.com>:
> After disabling ASLR on my kernel, the behavior isn't random anymore.
> What is exacting happening on the stack address?

If you thought of disabling ASLR, I do not understand what you need.

You could try, in your program, to display the address of a[1000] and dump
/proc/self/maps to see exactly in which segment it falls.
From: Xavier Roche on
CICAP wrote:
> After disabling ASLR on my kernel, the behavior isn't random anymore.
> What is exacting happening on the stack address?

You are accessing memory beyond the stack (beyond the top of the stack
actually, as the stack pointer decreases as you allocate memory on it -
it means that a[1000] is outside the reserved stack address space),
hence the behaviour is undefined. On a fixed layout, the behavior will
be fixed (such as crash if the space is unreserved, or random garbage if
the space is part of some global variables space). On a random space
layout, I suppose the behavior is.. random.
From: CICAP on
On 19 Lug, 13:36, Xavier Roche <xro...(a)free.fr.NOSPAM.invalid> wrote:
> CICAP wrote:
> > After disabling ASLR on my kernel, the behavior isn't random anymore.
> > What is exacting happening on the stack address?
>
> You are accessing memory beyond the stack (beyond the top of the stack
> actually, as the stack pointer decreases as you allocate memory on it -
> it means that a[1000] is outside the reserved stack address space),
> hence the behaviour is undefined. On a fixed layout, the behavior will
> be fixed (such as crash if the space is unreserved, or random garbage if
> the space is part of some global variables space). On a random space
> layout, I suppose the behavior is.. random.

I have another question: running following program I get segm fault on
different value of "x" after every execution:

void f(int x) {
printf("%d", x);
f(x + 1);
}

int main(...) {
f(0);
return 0;
}

Then if I disable ASLR the segm fault happens always on the same value
of 'x'. Does this mean that ASLR implementation change stack size
randomly? I mean, it's normal that stack address change...but stack
size too?
From: Ersek, Laszlo on
On Wed, 21 Jul 2010, CICAP wrote:

> I have another question: running following program I get segm fault on
> different value of "x" after every execution:
>
> void f(int x) {
> printf("%d", x);
> f(x + 1);
> }
>
> int main(...) {
> f(0);
> return 0;
> }
>
> Then if I disable ASLR the segm fault happens always on the same value
> of 'x'. Does this mean that ASLR implementation change stack size
> randomly? I mean, it's normal that stack address change...but stack size
> too?

(Since nobody seems to have answered yet, I'll try to.)

If that "ASLR" thingy mapped N pages for the stack at a different page
boundary each time, but it also placed the user-visible base address of
the stack at a random offset into the first page, that might cause you to
see what you see.

(x_max - x_min) * frame_size <= page_size

could be an indicator of this happening.

lacos