doudu3961 2018-10-04 16:38
浏览 242
已采纳

禁用Go编译程序的堆栈保护

I want to disable the stack protection for my Go program. I'm trying to simulate a vulnerable C library and want to pivot into the Go code from there. However, I can't seem to find the right flags to disable the stack smashing detection.

Here is my go code:

package main

import "os"
import "fmt"

/*
#include "test.h"
*/
import "C"

func main() {
    if (len(os.Args) >= 2){
    argsWithoutProg := os.Args[1:]
        if (argsWithoutProg[0] == "admin") {
            secret();
        }
    } else {
        regular()
    }
}

func regular() {
    fmt.Println("Go: BORING")
    C.hackme()
}

func secret() {
    fmt.Println("Go: SECRET FUNC")
}

and here is my c library code:

// #cgo CFLAGS: -g -O3 -fno-stack-protector
#include <stdint.h>
#include <stdio.h>

void hackme();

// this function is vulnerable and is used as an entrypoint to the go part
void hackme() {
    char buf[3];
    int r;
    r = read(0, buf, 300);
    printf("C: %d bytes read. Content: %s!
", r, buf);
    return;
}

I compile with go build -a poc.go.

As you can see, I already added some CFLAGS instructions at the beginning of my C library, but they don't seem to help. Previously I tried adding them via the -gcflags switch in my compilation command, but that was fruitless as well. Everytime I try to attack my program with a 300*A string, it is being detected:

Go: BORING
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C: 300 bytes read. Content: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
*** stack smashing detected ***: <unknown> terminated
SIGABRT: abort
PC=0x7fd263dcee97 m=0 sigcode=18446744073709551610

goroutine 0 [idle]:
runtime: unknown pc 0x7fd263dcee97
stack: frame={sp:0x7ffda3507600, fp:0x0} stack=[0x7ffda2d08ad0,0x7ffda3507b00)
00007ffda3507500:  00007fd200000008  00007fd200000000
00007ffda3507510:  00007ffda3507610  0000000000000003 
[...]

Checking the file with GDB also tells me the option is still active.. Could you please point me to some hints as to what I'm doing wrong or what flags I should use to disable this feature?

Thanks so much!

  • 写回答

1条回答 默认 最新

  • dongxie2756 2018-10-04 23:18
    关注

    Start with the Go cgo command documentation.

    Command cgo

    Using cgo with the go command

    To use cgo write normal Go code that imports a pseudo-package "C". The Go code can then refer to types such as C.size_t, variables such as C.stdout, or functions such as C.putchar.

    If the import of "C" is immediately preceded by a comment, that comment, called the preamble, is used as a header when compiling the C parts of the package. For example:

    // #include <stdio.h>
// #include <errno.h>
import "C"

    The preamble may contain any C code, including function and variable declarations and definitions. These may then be referred to from Go code as though they were defined in the package "C". All names declared in the preamble may be used, even if they start with a lower-case letter. Exception: static variables in the preamble may not be referenced from Go code; static functions are permitted.

    See $GOROOT/misc/cgo/stdio and $GOROOT/misc/cgo/gmp for examples. See "C? Go? Cgo!" for an introduction to using cgo: https://golang.org/doc/articles/c_go_cgo.html.

    CFLAGS, CPPFLAGS, CXXFLAGS, FFLAGS and LDFLAGS may be defined with pseudo #cgo directives within these comments to tweak the behavior of the C, C++ or Fortran compiler. Values defined in multiple directives are concatenated together. The directive can include a list of build constraints limiting its effect to systems satisfying one of the constraints (see https://golang.org/pkg/go/build/#hdr-Build_Constraints for details about the constraint syntax). For example:

    // #cgo CFLAGS: -DPNG_DEBUG=1
// #cgo amd64 386 CFLAGS: -DX86=1
// #cgo LDFLAGS: -lpng
// #include <png.h>
import "C"

    In particular:

    To use cgo write normal Go code that imports a pseudo-package "C".

    If the import of "C" is immediately preceded by a comment, that comment, called the preamble, is used as a header when compiling the C parts of the package.

    CFLAGS may be defined with pseudo #cgo directives within these comments to tweak the behavior of the C compiler.

    For your example:

    /*
#cgo CFLAGS: -g -O3 -fno-stack-protector
#include "test.h"
*/
import "C"

    Output (no stack smashing detected):

    $ go build -a poc.go && ./poc
Go: BORING
AAAAAAAAAAAAAAA
C: 16 bytes read. Content: AAAAAAAAAAAAAAA
!
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0xa41414141 pc=0xa41414141]

runtime stack:
runtime.throw(0x4bb802, 0x2a)
    /home/peter/go/src/runtime/panic.go:608 +0x72
runtime.sigpanic()
    /home/peter/go/src/runtime/signal_unix.go:374 +0x2ec

goroutine 1 [syscall]:
runtime.cgocall(0x484e90, 0xc000052f38, 0x0)
    /home/peter/go/src/runtime/cgocall.go:128 +0x5b fp=0xc000052f08 sp=0xc000052ed0 pc=0x403deb
main._Cfunc_hackme()
    _cgo_gotypes.go:41 +0x41 fp=0xc000052f38 sp=0xc000052f08 pc=0x484c51
main.regular()
    /home/peter/gopath/src/poc/poc.go:25 +0x62 fp=0xc000052f88 sp=0xc000052f38 pc=0x484d52
main.main()
    /home/peter/gopath/src/poc/poc.go:19 +0x65 fp=0xc000052f98 sp=0xc000052f88 pc=0x484cd5
runtime.main()
    /home/peter/go/src/runtime/proc.go:201 +0x1ec fp=0xc000052fe0 sp=0xc000052f98 pc=0x42928c
runtime.goexit()
    /home/peter/go/src/runtime/asm_amd64.s:1340 +0x1 fp=0xc000052fe8 sp=0xc000052fe0 pc=0x450cd1
$

    poc.go:

    package main

import "os"
import "fmt"

/*
#cgo CFLAGS: -g -O3 -fno-stack-protector
#include "test.h"
*/
import "C"

func main() {
    if (len(os.Args) >= 2){
    argsWithoutProg := os.Args[1:]
        if (argsWithoutProg[0] == "admin") {
            secret();
        }
    } else {
        regular()
    }
}

func regular() {
    fmt.Println("Go: BORING")
    C.hackme()
}

func secret() {
    fmt.Println("Go: SECRET FUNC")
}

    test.h:

    #include <stdint.h>
#include <stdio.h>

void hackme();

// this function is vulnerable and is used as an entrypoint to the go part
void hackme() {
    char buf[3];
    int r;
    r = read(0, buf, 300);
    printf("C: %d bytes read. Content: %s!
", r, buf);
    return;
}

    Without -fno-stack-protector:

    /*
#cgo CFLAGS: -g -O3
#include "test.h"
*/
import "C"

    Output (stack smashing detected):

    $ go build -a poc.go && ./poc
Go: BORING
AAAAAAAAAAAAAAA
C: 16 bytes read. Content: AAAAAAAAAAAAAAA
!
*** stack smashing detected ***: <unknown> terminated
SIGABRT: abort
PC=0x7f1c5323ee97 m=0 sigcode=18446744073709551610
$
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

  • GCC 中的编译器堆栈保护技术
    2017-04-21 09:21
    淡泊的猪的博客 堆栈溢出为代表的缓冲区溢出已成为最为普遍的安全漏洞。...早在 1988 年,美国康奈尔大学的计算机科学系研究生莫里斯 (Morris) 利用 UNIX fingered 程序的溢出漏洞,写了一段恶意程序并传播到其他机
  • golang堆栈信息
    2022-06-08 09:44
    Madison001的博客 golang堆栈分析 (1.)修改unlimit配置 ulimit -c unlimited (2.) 设置环境变量,运行程序,发生panic会生成core文件 env GOTRACEBACK=crash ./test # 设置cordump 输出格式和输出路径 echo "/root/core_dump/core-%e-...
  • [译]使用 LLDB 调试 Go 程序
    2020-12-19 00:00
    Golang语言社区的博客 原文作者:大道至简我一般调试Go程序都是通过log日志,性能调试的话通过 pprof 、trace、flamegraph等,主要是Go没有一个很好的集成的debugger,前两年虽然关注...
  • Hello Go(八)、Go语言程序测试与性能调优
    2022-02-28 00:08
    天山老妖的博客 一、Go语言自动化测试框架简介 1、自动化测试框架简介 go语言标准包的testing提供了单元测试(功能性测试)和性能测试(压力测试)常用方法的框架,可以非常方便地利用其进行自动化测试。 go语言测试代码只需要放...
  • Go新项目-编译项目的细节(4)
    2022-07-31 00:56
    ifanatic的博客 Go语言是一门需要编译才能运行的编程语言,也就是说代码在运行之前需要通过编译器生成二进制机器码,包含二进制机器码的文件才能在目标机器上运行,下边就展开讲解下Go语言的编译的细节。......
  • Go语言内存管理深度解析:堆栈分配与逃逸分析的艺术
    2025-08-24 22:14
    小羊斩肖恩的博客 本文深入探讨了Go语言的内存管理机制,重点分析了堆栈分配原理和逃逸分析技术。文章首先介绍了栈内存和堆内存的特性差异,包括分配速度、生命周期和管理方式。随后详细讲解了Go编译器的内存分配策略和逃逸分析决策...
  • GOLANG空指针崩溃时堆栈消失和解决方案
    2017-06-07 17:06
    winlinvip的博客 原文:https://gocn.io/article/351在错误处理这个文章中,tkk提出了空指针时堆栈消失的问题,看下面的例子:package mainfunc main() { run() // line 4 } func run() { causedPanic() } func causedPanic() { /...
  • go语言反汇编linux,Go语言函数的底层实现
    2021-05-16 19:01
    硴錵的博客 基于堆栈式的程序执行模型决定了函数是语言的一个核心元素。分析Go函数的内部实现,...首先介绍Go语言的函数调用规约,接着介绍Go语言使用的汇编语言的基本概念,然后通过反汇编技术来剖析Go的函数某些特性的底层实...
  • [持续更新ING]Go语言历史版本演进和新特性
    2022-11-03 10:27
    哇噻爸的博客 Go(又称 Golang)是 Google 的 Robert Griesemer,Rob Pike 及 Ken Thompson 开发的一种静态强类型、编译型语言。Go 语言语法与 C 相近,但功能上有:内存安全,GC(垃圾回收),结构形态及 CSP-style 并发计算。在...
  • 【Go编译优化终极指南】:揭秘提升程序性能的10个关键选项
    2025-10-24 11:27
    FuncTide的博客 掌握Go编译优化选项,显著提升程序性能。本文详解10个关键编译参数,涵盖减小体积、加速启动、优化内存等场景,适用于高并发与微服务架构。深入解析GC调优、内联优化等核心技术,助你最大化执行效率,值得收藏。
  • 没有解决我的问题, 去提问