ESP32 Forum

Posted: **Wed Nov 15, 2023 1:31 pm**

Hi, I'm learing to check how bufferoverflow happen what kind of mistake the developers do. and for that my supervisor told me to write the code and he helped me. As we know first we have to perform windowoverflow and then bufferoverflow. and for that i worte below code:

Code: [Select all] [Expand/Collapse]

#include <stdio.h>
#include <stdbool.h>
#include <unistd.h>
#include <string.h>
 
 
void function_A(){
 
    asm("");
 
}
 
void function_B(){
    function_A();
}
 
 
char myNumbers[] = {1, 2, 3, 4,5, 6, 7, 8,9, 10, 11, 12,13, 14, 15, 16,17, 18, 19, 20,21, 22, 23, 24,25, 26, 27, 28,29, 30, 31, 32,33, 34, 35, 36,
        1, 2, 3, 4,5, 6, 7, 8,9, 10, 11, 12,13, 14, 15, 16,17, 18, 19, 20,21, 22, 23, 24,25, 26, 27, 28,29, 30, 31, 32,33, 34, 35, 36,
        1, 2, 3, 4,5, 6, 7, 8,9, 10, 11, 12,13, 14, 15, 16,17, 18, 19, 20,21, 22, 23, 24,25, 26, 27, 28,29, 30, 31, 32,33, 34, 35, 36,
        };
 
void function_C(){
    function_B();
 
    char small_array[] = {'a','b','c','d'};
    strcpy(small_array, myNumbers);
 
}
 
void function_D(){
    function_C();
}
 
 
void app_main(void)
{
    function_D();
 
}

GeSHi © Codebox Plus Extension

error::

Assertion failed!

Program: C:\Espressif\tools\openocd-esp32\v0.11.0-esp32-20221026\openocd-esp32\bin\openocd.exe
File: ../src/flash/nor/esp_flash.c, Line 1129

Expression: sw_bp->insn_sz <= sizeof(sw_bp->insn)

Note::

Addresses are calculated correctly.

Posted: **Thu Nov 16, 2023 3:00 pm**

I'm not sure what your question is.

The example code will overwrite the stack and cause undefined behaviour.

Posted: **Thu Nov 16, 2023 3:08 pm**

so basically I want to learn how bufferoverflow attack works. and for that i worte the mention code. this code first create windowoverflow and then come to underflow and then to doubleexception so that i know that overflow happend and this is what i want. but my code while debugging and when debugger comes to function_c

Code: [Select all] [Expand/Collapse]

void function_C(){
    function_B();
 
    char small_array[] = {'a','b','c','d'};
    strcpy(small_array, myNumbers);
 
}

GeSHi © Codebox Plus Extension

it has to go to function_B so that windowoverflow happed first and then the rest. but it directly comes to thee strcpy so the other steps missed and then it give me the Assertion failed

Posted: **Fri Nov 17, 2023 1:15 am**

That's because the compiler sees a bunch of your functions do nothing or very little and inlines them or skips them alltogether. proof.

Posted: **Fri Nov 17, 2023 8:17 pm**

ESP_Sprite wrote: ↑
Fri Nov 17, 2023 1:15 am
That's because the compiler sees a bunch of your functions do nothing or very little and inlines them or skips them alltogether. proof.

Is there a compiler option the OP can set which turns off all the optimizations?

Posted: **Fri Nov 17, 2023 8:34 pm**

That's what I'm looking for. that somehow I can turns off all the optimizations. then maybe it can work.

Posted: **Sat Nov 18, 2023 1:22 pm**

asm volatile (""); makes a function look "not empty" to the compiler, and __attribute__((noinline)) reduces the chances of a function being inlined.

Posted: **Sat Nov 18, 2023 1:31 pm**

OsamaBillah wrote: ↑
Thu Nov 16, 2023 3:08 pm
this code first create windowoverflow and then ...

The ESP32's LX6 has 64 registers and gcc uses the CALL8 ABI, so each nested function call 'uses up' only 8 of the 64 registers.

ESP32 Forum

Assertion failed! esp32

Assertion failed! esp32

Re: Assertion failed! esp32

Re: Assertion failed! esp32

Re: Assertion failed! esp32

Re: Assertion failed! esp32

Re: Assertion failed! esp32

Re: Assertion failed! esp32

Re: Assertion failed! esp32