QUESTION
The following series of problems concerns this low-quality code:

#include <stdio.h>

void foo(int x)
{
    int a[3];
    char buf[4];                 /* 4 bytes; gets has no way of knowing that */
    a[0] = 0xF0F1F2F3;
    a[1] = x;
    gets(buf);                   /* unbounded read into buf */
    printf("a[0] = 0x%x, a[1] = 0x%x, buf = %s\n", a[0], a[1], buf);
}
In a program containing this code, procedure foo has the
following disassembled form on an x86-64 machine:
0000000000400586 <foo>:
400586: 48 83 ec 18 sub $0x18,%rsp
40058a: c7 44 24 04 f3 f2 f1 movl $0xf0f1f2f3,0x4(%rsp)
400591: f0
400592: 89 7c 24 08 mov %edi,0x8(%rsp)
400596: 48 89 e7 mov %rsp,%rdi
400599: b8 00 00 00 00 mov $0x0,%eax
40059e: e8 bd fe ff ff callq 400460 <gets@plt>
4005a3: 8b 4c 24 08 mov 0x8(%rsp),%ecx
4005a7: 8b 54 24 04 mov 0x4(%rsp),%edx
4005ab: 49 89 e0 mov %rsp,%r8
4005ae: be 68 06 40 00 mov $0x400668,%esi
4005b3: bf 01 00 00 00 mov $0x1,%edi
4005b8: b8 00 00 00 00 mov $0x0,%eax
4005bd: e8 ae fe ff ff callq 400470 <__printf_chk@plt>
4005c2: 48 83 c4 18 add $0x18,%rsp
4005c6: c3 retq
For the following questions, recall that:
• gets is a standard C library routine.
• x86-64 machines are little-endian.
• C strings are null-terminated (i.e., terminated by a character with value 0x00).
• Characters '0' through '9' have ASCII codes 0x30 through 0x39.
Consider the case where procedure foo is called with argument x equal to 0xE3E2E1E0, and we type "123456789" in response to gets.
A. Fill in the following table indicating where on the stack the following program values are located. Express these as decimal offsets (positive or negative) relative to register %rsp:
Program Value    Decimal Offset
a                ______________
a[2]             ______________
buf              ______________
buf[3]           ______________
B. Fill in the following table indicating which program values are/are not corrupted by the response from gets, i.e., their values were altered by some action within the call to gets.
Program Value    Corrupted? (Y/N)
a[0]             ______________
a[1]             ______________
a[2]             ______________
C. What will the printf function print for the following:
a[0] (hexadecimal): ________________________
a[1] (hexadecimal): ________________________
buf (ASCII characters): ________________________
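To check an answer against the disassembly, here is an added C model (not part of the original problem) that replays foo's frame as the assembly lays it out: a 24-byte frame with buf at %rsp+0, a[0] at %rsp+4 and a[1] at %rsp+8, values stored little-endian, then the unbounded copy that gets performs. The bounded mode, which models an fgets(buf, sizeof buf, stdin) replacement, and the zeroing of the frame before foo's stores are assumptions added here.

```c
#include <stdint.h>
#include <string.h>
/* Frame layout read off the disassembly: sub $0x18,%rsp makes a 24-byte
   frame; buf starts at %rsp+0 (mov %rsp,%rdi before the gets call), a[0]
   is at %rsp+4 and a[1] at %rsp+8, so a[2] occupies %rsp+12..15. */
#define FRAME_SIZE 24
#define BUF_SIZE 4
#define A_OFF 4
struct frame { uint8_t bytes[FRAME_SIZE]; };
/* x86-64 is little-endian: the low byte of a value sits at the low address. */
static void store_le32(struct frame *f, int off, uint32_t v) {
    for (int i = 0; i < 4; i++) f->bytes[off + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t load_le32(const struct frame *f, int off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)f->bytes[off + i] << (8 * i);
    return v;
}
/* gets copies the whole line plus its NUL into buf with no regard to buf's
   4-byte size, so bytes 4.. land on a[]. bounded=1 instead models
   fgets(buf, BUF_SIZE, stdin), which keeps at most BUF_SIZE-1 characters.
   The FRAME_SIZE clamp only keeps this model inside its own array. */
static void model_read_line(struct frame *f, const char *line, int bounded) {
    size_t n = strlen(line), limit = bounded ? BUF_SIZE - 1 : FRAME_SIZE - 1;
    if (n > limit) n = limit;
    memcpy(f->bytes, line, n);
    f->bytes[n] = '\0';
}
/* Replay foo's stores for argument x and the typed line. foo never
   initialises a[2], so this model zeroes the frame first (an assumption). */
static void run_foo(struct frame *f, uint32_t x, const char *line, int bounded) {
    memset(f->bytes, 0, FRAME_SIZE);
    store_le32(f, A_OFF, 0xF0F1F2F3u);       /* a[0] = 0xF0F1F2F3 */
    store_le32(f, A_OFF + 4, x);             /* a[1] = x          */
    model_read_line(f, line, bounded);       /* gets(buf)         */
}
/* a[i] as printf would read it back from the frame after foo ran. */
static uint32_t foo_a(uint32_t x, const char *line, int bounded, int i) {
    struct frame f;
    run_foo(&f, x, line, bounded);
    return load_le32(&f, A_OFF + 4 * i);
}
/* 1 if buf, read as a C string after foo ran, equals expected. */
static int foo_buf_is(uint32_t x, const char *line, int bounded, const char *expected) {
    struct frame f;
    run_foo(&f, x, line, bounded);
    return strcmp((const char *)f.bytes, expected) == 0;
}
```

Reading a[0] and a[1] back byte by byte in the model reproduces exactly what the two mov instructions before __printf_chk load from 0x4(%rsp) and 0x8(%rsp).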