libc

If I run this in Docker's ubuntu:latest : root@4304dfbfa661:/# ls lib/x86_64-linux-gnu/libc* -l -rwxr-xr-x 1 root root 1868984 Jan 15 02:51 lib/x86_64-linux-gnu/libc-2.23.so lrwxrwxrwx 1 root root 12 Jan 15 02:51 lib/x86_64-linux-gnu/libc.so.6 -> libc-2.23.so It seems that libc is numbered as both 6 and 2-23. Why are there two version numbers? NB libc is (idiosyncratically) executable and running it gives root@4304dfbfa661:/# ./lib/x86_64-linux-gnu/libc.so.6 GNU C Library (Ubuntu GLIBC 2.23-0ubuntu10) stable release version 2.23, by Roland McGrath et al. So it's the libc.so.6 that's surprising

For educational purpose I try to access the FILE struct in Rust: unsafe { let passwd = libc::fopen("/etc/passwd".to_ptr(), &('r' as libc::c_char)); let fp = &mut *(passwd as *mut MY_FILE); println!("flags={}, file={}", fp._flags, fp._file); } the MY_FILE struct I obtained by running bindgen on stdio.h (I'm on OS X): bindgen /usr/include/stdio.h Somehow _flags is always 8 for files open in write mode (4 in read mode), so this flags seems off (I tested with a C code to verify that it indeed is not 4 or 8). The file pointer however seems to be right. What could cause this? Am I extracting the

I dissects the syscall call in the last libc: git clone git://sourceware.org/git/glibc.git And I have this code in sysdeps/unix/sysv/linux/i386/sysdep.h: # define INTERNAL_SYSCALL_MAIN_INLINE(name, err, nr, args...) \ LOADREGS_##nr(args) \ asm volatile ( \ "call *%%gs:%P2" \ : "=a" (resultvar) \ : "a" (__NR_##name), "i" (offsetof (tcbhead_t, sysinfo)) \ ASMARGS_##nr(args) : "memory", "cc") If I understand well this code, the LOADREGS_##nr(args) macro loads the argument in the registers ebx, ecx, edx, esi, edx and ebp. sysdeps/unix/sysv/linux/i386/sysdep.h # define LOADREGS_0() # define ASMARGS

I wanted to debug printf function, so when I step inside the printf function (gdb debugger) it showed me this: __printf (format=0x80484d0 " my name is Adam") at printf.c:28 28 printf.c: No such file or directory. What is the meaning of this? And when I again started step then there are a lot more statements like this. Please help me to understand this. I think it's pretty clear. There is a place where the gdb expects the source code to be, so download glibc 's source code and put it there. I think the error message contains the full path. If it's a linux distro it's fairly simple in fact

Will the gets() function from C language (e.g. from glibc) stop, if it reads a zero byte ( '\0' ) from the file ? Quick test: echo -ne 'AB\0CDE' Thanks. PS this question arises from comments in this question: return to libc - problem PPS the gets function is dangerous, but it is a question about this function itself, not about should anybody use it or not. The behavior of gets() is that it stops when a newline character is encountered or if EOF is encountered. It does not care if it reads \0 bytes. C99 Standard, 7.19.7.7 Synopsis #include <stdio.h> char *gets(char *s); Description The gets

I'm writing a return to libc attack for my systems security class. First, the vulnerable code: //vuln.c #include <stdio.h> #include <stdlib.h> int loadconfig(void){ char buf[1024]; sprintf(buf, "%s/.config", getenv("HOME")); return 0; } int main(int argc, char **argv){ loadconfig(); return 0; } I want to use a return to libc attack. Compiling and debugging the program: $ gcc -g -fno-stack-protector -o vuln vuln.c $ gdb vuln (gdb) break loadconfig (gdb) run Reached breakpoint blah blah blah. (gdb) p $ebp $1 = (void *) 0xbfffefb0 (gdb) p system $2 = {<text variable, no debug info>} 0x0016db20

I'm studying the code of the function strtok from bsd's libc, when I ran it in my machine, the program received signal SIGSEGV in s[-1] = 0 . Here's the link to the code. Is s[-1] = 0 right? This is my code: #include <stdio.h> #include <stdlib.h> #include "strtok.c" int main(int argc, char* argv[]) { char* str = "xxxx xxxyy fdffd"; const char* s = " "; char* token = strtok(str, s); while (token != NULL) { printf("%s\n", token); token = strtok(NULL, s); } return 0; } s[-1] Is expanded to: *( s - 1 ) Therefore, if the result points to valid memory, the code is defined. This is okay because s is