What do the CFI directives mean? (and some more questions)

旧时难觅i 2021-01-04 01:35

Ok, this is gonna be a long question. I'm trying to understand how "buffer overflow" works. I am reading Smashing the stack for fun and profit by aleph1 and have just got

3 answers
  • 2021-01-04 01:50

    As per your request in Reverse Engineering, I am putting the contents of my comments as answers here (I don't know if this is going to remain, as I see severe competition to down-vote and up-vote your question there).

    Lindy Dancer answered what CFI and CFA mean (call frame information) and (call frame address).

    .L<num> denotes labels. As per various tidbits on Google, x64 GCC names all labels in the following format: they start with .L and end with a numeral, so .L1, .L2, .L... infinity are labels.

    According to Google and some earlier SO answers, BF<num> indicates Function-Begin and EF<num> indicates FUNCTION-END,

    so .LBF0, .LBF1, .LBF... infinity and .LFE0, ..., .LFE... infinity

    denote function begins and function ends in each function, which the compiler probably requires to take care of some internal needs, so you should forget them at this moment unless there is a very grave need to dig into compiler internals.

    The other label .L2 exists to address the branching instruction je in your function:

    je  .L2
    

    Also, every compiler aligns and pads the access to arguments and locals to a certain boundary.

    I can't be sure, but the x64 default alignment is 16 bytes I think for GCC, so if you request an odd reservation like

    char foo[5] or
    BYTE blah [10]

    the indices 5 and 10 are not aligned even for x86;

    for 5 the x86 compiler will assign 8 bytes and for 10, 16 bytes.

    Likewise x64 GCC might assign 16 bytes for each of your requests.

    You actually shouldn't be worrying about why the compiler does what it does.

    When you are trying to understand the logic of assembly, just concentrate on addresses:

    if the compiler decided that it will put x at rbp +/- X, it will also access it at the same location throughout the scope or life of that variable.

  • 2021-01-04 01:55

    CFI stands for call frame information. It's the way the compiler describes what happens in a function. It can be used by the debugger to present a call stack, by the linker to synthesise exception tables, for stack depth analysis, and other things like that.

    Effectively, it describes where resources such as processor registers are stored and where the return address is.

    CFA stands for call frame address, which means the address of the stack pointer location of the caller function. This is needed to pick up information about the next frame on the stack.

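An added worked example (not from any of the answers above, and not the questioner's truncated listing): a small Python replay of GCC's .cfi_* directives over a constructed x86-64 prologue/epilogue, showing how a debugger turns them into the CFA rule, the return-address slot and the saved-rbp slot at every instruction. The listing is constructed here in the shape of GCC output, and the mapping of DWARF register numbers 6 and 7 to rbp and rsp is GCC's x86-64 convention.

```python
# Constructed GCC-style x86-64 listing (the questioner's was truncated).
LISTING = """\
main:
.LFB0:
    .cfi_startproc
    pushq %rbp
    .cfi_def_cfa_offset 16
    .cfi_offset 6, -16
    movq %rsp, %rbp
    .cfi_def_cfa_register 6
    subq $48, %rsp
    leave
    .cfi_def_cfa 7, 8
    ret
    .cfi_endproc
.LFE0:
"""
DWARF_REGS = {6: "rbp", 7: "rsp"}   # DWARF register numbers GCC uses on x86-64

def slot(reg, cfa_off, delta):
    """Memory slot CFA+delta, written against the current CFA base register."""
    return f"[{reg}{cfa_off + delta:+d}]"

def walk_cfi(listing):
    """Replay the .cfi_* directives as an unwinder would; one tuple per instruction:
    (insn, CFA rule, return-address slot, saved-register slots). A directive takes
    effect after the instruction it follows, so each insn gets the state at its address."""
    reg, off, saved = "rsp", 8, {}            # entry state: CFA = rsp+8
    states = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):    # skip blanks and .L labels
            continue
        if line.startswith(".cfi_"):
            op, *args = line.split()
            args = [int(a.rstrip(",")) for a in args]
            if op == ".cfi_startproc":
                reg, off, saved = "rsp", 8, {}
            elif op == ".cfi_def_cfa_offset":
                off = args[0]
            elif op == ".cfi_def_cfa_register":
                reg = DWARF_REGS[args[0]]
            elif op == ".cfi_def_cfa":
                reg, off = DWARF_REGS[args[0]], args[1]
            elif op == ".cfi_offset":         # register saved at CFA+args[1]
                saved[DWARF_REGS[args[0]]] = args[1]
            continue
        # x86-64: the return address pushed by call always sits at CFA-8.
        states.append((line, f"{reg}+{off}", slot(reg, off, -8),
                       {r: slot(reg, off, d) for r, d in saved.items()}))
    return states
```

Once `movq %rsp, %rbp` has executed, the rule becomes CFA = rbp+16, which puts the saved rbp at [rbp+0] and the return address at [rbp+8], the frame picture the question is trying to reconstruct.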
  • 2021-01-04 02:13

    The 48 is to skip over both the arguments and the locals. The 5 byte array is aligned on an 8 byte boundary, and the 10 byte on a 16 byte boundary. The arguments take 8 bytes each, so 3*8 for arguments plus 8 + 16 for locals gives 24+24 or 48. You can see it in gdb just by asking for the address of each of those things.
