solar@simple vuln $ /usr/i686-pc-linux-gnu/gcc-bin/3.4/gcc -V3.4.2 -v -fpie -fbounds-checking vuln.c -o vuln -pie -pipe
Reading specs from /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/specs
Configured with: /space/portage-tmp//portage/gcc-3.4.2-r2/work/gcc-3.4.2/configure --enable-version-specific-runtime-libs --prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.4 --includedir=/usr/lib/gcc/i686-pc-linux-gnu/3.4.2/include --datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4 --mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4/man --infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.4/info --with-gxx-include-dir=/usr/lib/gcc/i686-pc-linux-gnu/3.4.2/include/g++-v3 --host=i686-pc-linux-gnu --disable-nls --enable-__cxa_atexit --enable-clocale=gnu --enable-shared --with-system-zlib --disable-checking --disable-werror --disable-libunwind-exceptions --with-gnu-ld --enable-threads=posix --disable-multilib --disable-libgcj --enable-languages=c,c++
Thread model: posix
gcc version 3.4.2 (Gentoo Linux 3.4.2-r2, HTB-1.00)
 /usr/libexec/gcc/i686-pc-linux-gnu/3.4.2/cc1 -quiet -v -D__BOUNDS_CHECKING_ON vuln.c -mno-sse2 -quiet -dumpbase vuln.c -mtune=pentiumpro -auxbase vuln -version -fpie -fbounds-checking -o - | /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/../../../../i686-pc-linux-gnu/bin/as -V -Qy -o /tmp/ccXZ90ln.o -
ignoring nonexistent directory "/usr/lib/gcc/i686-pc-linux-gnu/3.4.2/../../../../i686-pc-linux-gnu/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/local/include
 /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/include
 /usr/include
End of search list.
GNU C version 3.4.2 (Gentoo Linux 3.4.2-r2, HTB-1.00) (i686-pc-linux-gnu)
	compiled by GNU C version 3.4.2 (Gentoo Hardened Linux 3.4.2-r2, ssp-3.4.1-1, pie-8.7.6.5).
GGC heuristics: --param ggc-min-expand=90 --param ggc-min-heapsize=112945
GNU assembler version 2.15.92.0.2 (i686-pc-linux-gnu) using BFD version 2.15.92.0.2 20040927
 /usr/libexec/gcc/i686-pc-linux-gnu/3.4.2/collect2 --eh-frame-hdr -m elf_i386 -dynamic-linker /lib/ld-linux.so.2 -pie -o vuln /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/../../../Scrt1.o /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/../../../crti.o /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/crtbeginS.o -L/usr/lib/gcc/i686-pc-linux-gnu/3.4.2 -L/usr/lib/gcc/i686-pc-linux-gnu/3.4.2 -L/usr/lib/gcc/i686-pc-linux-gnu/3.4.2/../../../../i686-pc-linux-gnu/lib -L/usr/lib/gcc/i686-pc-linux-gnu/3.4.2/../../.. /tmp/ccXZ90ln.o /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/libboundscheck.a -lgcc -lgcc_eh -lc -lgcc -lgcc_eh /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/crtendS.o /usr/lib/gcc/i686-pc-linux-gnu/3.4.2/../../../crtn.o
solar@simple vuln $ ./vuln AAAAAAAAA
Bounds Checking GCC v gcc-3.4.2-3.2 Copyright (C) 1995 Richard W.M. Jones
Bounds Checking comes with ABSOLUTELY NO WARRANTY. For details see file `COPYING' that should have come with the source to this program.
Bounds Checking is free software, and you are welcome to redistribute it under certain conditions. See the file `COPYING' for details.
For more information, set GCC_BOUNDS_OPTS to `-help'
0x17f461a8 main(argc=0x5b729780, argv=0x5b729784, envp=0x5b729788, auxv=0x5b72978c)
Copying [9] of data into [10] of space
Bounds library call frequency statistics:
  Calls to push, pop, param function: 1, 1, 4
  Calls to add, delete stack: 6, 6
  Calls to add, delete heap: 0, 0
  Calls to check pointer +/- integer: 3
  Calls to check array references: 0
  Calls to check pointer differences: 0
  Calls to check object references: 3
  Calls to check component references: 0
  Calls to check truth, falsity of pointers: 0, 0
  Calls to check <, >, <=, >= of pointers: 0
  Calls to check ==, != of pointers: 0
  Calls to check p++, ++p, p--, --p: 0, 0, 0, 0
  Calls to add, find, delete oob pointers: 0, 0, 0
  References to unchecked static, stack: 0, 0
solar@simple vuln $ ./vuln AAAAAAAAAA
Bounds Checking GCC v gcc-3.4.2-3.2 Copyright (C) 1995 Richard W.M. Jones
Bounds Checking comes with ABSOLUTELY NO WARRANTY. For details see file `COPYING' that should have come with the source to this program.
Bounds Checking is free software, and you are welcome to redistribute it under certain conditions. See the file `COPYING' for details.
For more information, set GCC_BOUNDS_OPTS to `-help'
0x94d61a8 main(argc=0x5e405ae0, argv=0x5e405ae4, envp=0x5e405ae8, auxv=0x5e405aec)
Copying [10] of data into [10] of space
vuln.c:29:Bounds error: strcpy with this destination string and size 11 would overrun the end of the object's allocated memory.
vuln.c:29: Pointer value: 0x5e405aa0
vuln.c:29: Object `buf':
vuln.c:29: Address in memory: 0x5e405aa0 .. 0x5e405aa9
vuln.c:29: Size: 10 bytes
vuln.c:29: Element size: 1 bytes
vuln.c:29: Number of elements: 10
vuln.c:29: Created at: vuln.c, line 12
vuln.c:29: Storage class: stack
Aborted
solar@simple vuln $ GCC_BOUNDS_OPTS="-help" ./vuln AAAAAAAAAA
You may supply a list of the following arguments to a bounds-checked program by listing them in the environment variable 'GCC_BOUNDS_OPTS' before running the program.
Separate the arguments by spaces.
General:
  -no-message                  Don't print introductory message.
  -no-statistics               Don't print statistics.
  -?, -help                    Print this table of usage.
Control runtime behaviour:
  -array-index-check          *Check the index of all array references.
  -no-array-index-check        Only check the pointer is within the array.
  -never-fatal                 Don't abort after a bounds error.
  -check-mmap                 *Check mmap calls.
  -no-check-mmap               Switch off the above.
  -reuse-heap                 *Re-use the heap.
  -reuse-age=<age>             Set the age limit before freeing (default: 0).
  -no-reuse-heap               Never really free old heap blocks.
  -warn-unchecked-statics      Warn if unchecked static objects are referenced.
  -no-warn-unchecked-statics  *Switch off the above.
  -warn-unchecked-stack        Warn if unchecked stack objects are referenced.
  -no-warn-unchecked-stack    *Switch off the above.
  -warn-free-null             *Warn if free (0) is used.
  -no-warn-free-null           Switch off the above.
  -warn-misc-strings          *Warn for miscellaneous strings usage.
  -no-warn-misc-strings        Switch off the above.
  -warn-illegal                Warn when ILLEGAL pointers are created.
  -no-warn-illegal            *Switch off the above.
  -warn-unaligned              Warn when pointers are used unaligned.
  -no-warn-unaligned          *Switch off the above.
  -warn-overlap               *Warn if memcpy arguments overlap.
  -no-warn-overlap             Switch off the above.
  -warn-compare-objects        Warn if comparing pointers to different objects.
  -no-warn-compare-objects    *Switch off the above.
  -warn-all                    Turn on all warnings.
  -no-print-heap              *Don't print heap data at exit.
  -print-heap                  Print all heap data at exit.
  -print-heap-long             Print all heap data at exit (long version).
  -oob-pointers               *Enable out of bound pointer checks.
  -no-oob-pointers             Switch off the above.
  -output-file=<file>          Redirect all output to file <file>. Use '%p' in <file> to insert process number.
  -output-file-append=<file>   Same as above but file is opened in append mode.
Debugging:
  -print-calls                 Print calls to the bounds-checking library.
  -no-print-calls             *Don't print calls.
  -print-oob-pointers          Warn when oob pointers added to hashtable
  -no-print-oob-pointers      *Switch off the above.
  -print-functions             Print info at function start/end.
  -no-print-functions         *Switch off the above.
Note: `*' means this is the default behaviour.
solar@simple vuln $ strip vuln ; ls -l vuln
-rwxr-xr-x 1 solar solar 143044 Oct 24 14:31 vuln
solar@simple vuln $ ls -l vuln -lh
-rwxr-xr-x 1 solar solar 140K Oct 24 14:31 vuln
solar@simple vuln $ sstrip vuln
solar@simple vuln $ ldd vuln
libc.so.6 => /lib/libc.so.6 (0x2286b000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x22841000)
solar@simple vuln $ ls -lh vuln
-rwxr-xr-x 1 solar solar 137K Oct 24 14:32 vuln
solar@simple vuln $ file vuln
vuln: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), corrupted section header size
solar@simple vuln $ GCC_BOUNDS_OPTS="-warn-all -print-calls" ./vuln AAAAAAAAAA
Bounds Checking GCC v gcc-3.4.2-3.2 Copyright (C) 1995 Richard W.M. Jones
Bounds Checking comes with ABSOLUTELY NO WARRANTY. For details see file `COPYING' that should have come with the source to this program.
Bounds Checking is free software, and you are welcome to redistribute it under certain conditions. See the file `COPYING' for details.
For more information, set GCC_BOUNDS_OPTS to `-help'
__bounds_note_constructed_object(p=0x29c88998, sz=4, align=1, file="(null)", ln=0, name="__ctype_b_loc")
__bounds_note_constructed_object(p=0x29c6e760, sz=768, align=1, file="(null)", ln=0, name="__ctype_b")
__bounds_note_constructed_object(p=0x29c88994, sz=4, align=1, file="(null)", ln=0, name="__ctype_tolower_loc")
__bounds_note_constructed_object(p=0x29c6d760, sz=1536, align=1, file="(null)", ln=0, name="__ctype_tolower")
__bounds_note_constructed_object(p=0x29c8899c, sz=4, align=1, file="(null)", ln=0, name="__ctype_toupper_loc")
__bounds_note_constructed_object(p=0x29c6dd60, sz=1536, align=1, file="(null)", ln=0, name="__ctype_toupper")
__bounds_note_constructed_object(p=0x29c85a80, sz=4, align=1, file="(null)", ln=0, name="stdout")
__bounds_note_constructed_object(p=0xc2ddc1c, sz=67, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2ddbd0, sz=41, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2ddbad, sz=2, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2ddb3c, sz=81, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2ddb19, sz=3, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2ddacc, sz=45, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dda97, sz=21, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dda72, sz=5, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dda48, sz=10, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dda24, sz=4, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dd9ff, sz=5, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dd9da, sz=5, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dd9b5, sz=5, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dd990, sz=5, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dd96b, sz=5, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_note_constructed_object(p=0xc2dd944, sz=7, align=1, file="(null)", ln=0, name="(unnamed static)")
__bounds_push_function(thread=0, name="main", main=1, file="vuln.c", ln=11), nesting_nr=0
__bounds_add_param_object(p=0x5ab21700, sz=4, align=4, file="vuln.c", ln=11, name="argc" nesting_nr=0)
__bounds_add_param_object(p=0x5ab21704, sz=4, align=4, file="vuln.c", ln=11, name="argv" nesting_nr=0)
__bounds_note_main_args (arg 0, "./vuln")
__bounds_note_main_args (arg 1, "AAAAAAAAAA")
__bounds_add_param_object(p=0x5ab21708, sz=4, align=4, file="vuln.c", ln=11, name="envp" nesting_nr=0)
__bounds_add_param_object(p=0x5ab2170c, sz=4, align=4, file="vuln.c", ln=11, name="auxv" nesting_nr=0)
__bounds_add_stack_object(p=0x5ab216c0, sz=10, align=1, file="vuln.c", ln=12, name="buf" nesting_nr=0)
__bounds_add_stack_object(p=0x5ab21680, sz=21, align=1, file="vuln.c", ln=13, name="buf1" nesting_nr=0)
0xc2c51a8 main(argc=0x5ab21700, argv=0x5ab21704, envp=0x5ab21708, auxv=0x5ab2170c)
__bounds_check_ptr_plus_int (p=0x5ab21754, off=1, sz=4, file="vuln.c", ln=18)
__bounds_check_reference (p=0x5ab21758, sz=4, file="vuln.c", ln=18)
__bounds_check_ptr_plus_int (p=0x5ab21754, off=1, sz=4, file="vuln.c", ln=28)
__bounds_check_reference (p=0x5ab21758, sz=4, file="vuln.c", ln=28)
Copying [10] of data into [10] of space
__bounds_check_ptr_plus_int (p=0x5ab21754, off=1, sz=4, file="vuln.c", ln=29)
__bounds_check_reference (p=0x5ab21758, sz=4, file="vuln.c", ln=29)
vuln.c:29:Bounds error: strcpy with this destination string and size 11 would overrun the end of the 
object's allocated memory.
vuln.c:29: Pointer value: 0x5ab216c0
vuln.c:29: Object `buf':
vuln.c:29: Address in memory: 0x5ab216c0 .. 0x5ab216c9
vuln.c:29: Size: 10 bytes
vuln.c:29: Element size: 1 bytes
vuln.c:29: Number of elements: 10
vuln.c:29: Created at: vuln.c, line 12
vuln.c:29: Storage class: stack
Aborted
solar@simple vuln $ rm vuln
solar@simple vuln $ make vuln
cc vuln.c -o vuln
solar@simple vuln $ sstrip vuln
solar@simple vuln $ ls -lh vuln
-rwxr-xr-x 1 solar solar 4.1K Oct 24 14:32 vuln
solar@simple vuln $