在哪些平台上,libc将堆栈cookie值存储在除__stack_chk_guard以外的其他位置?

例如,Linux/i386 上的 glibc 将 cookie 存储在 %gs:0x14。除了 __stack_chk_guard 符号之外,是否还有其他平台需要到别的位置去查找 cookie?

(这是 gcc -fstack-protector 生成的代码在函数序言中存入栈上的值,并在函数返回之前检查该值,以防范栈溢出破坏(stack smashing)。)

在 gcc 源码中对 TARGET_THREAD_SSP_OFFSET 的定义执行 grep -B1(或者用谷歌代码搜索在线执行这个 grep: http://www.google.com/codesearch?q=TARGET_THREAD_SSP_OFFSET&exact_package=http%3A%2F%2Fmosync.googlecode.com%2Fsvn&hl=en )

 gcc4/trunk/gcc-4.4.3/gcc/config/sparc/linux.h
 168: /* sparc glibc provides __stack_chk_guard in [%g7 + 0x14]. */
 169: #define TARGET_THREAD_SSP_OFFSET 0x14

 gcc4/trunk/gcc-4.4.3/gcc/config/sparc/linux64.h
 302: sparc64 glibc provides it at [%g7 + 0x28]. */
 303: #define TARGET_THREAD_SSP_OFFSET (TARGET_ARCH64 ? 0x28 : 0x14)

 gcc4/trunk/gcc-4.4.3/gcc/config/s390/linux.h
 98: s390x glibc provides it at 0x28(tp). */
 99: #define TARGET_THREAD_SSP_OFFSET (TARGET_64BIT ? 0x28 : 0x14)

 gcc4/trunk/gcc-4.4.3/gcc/config/i386/linux.h
 214: /* i386 glibc provides __stack_chk_guard in %gs:0x14. */
 215: #define TARGET_THREAD_SSP_OFFSET 0x14

 gcc4/trunk/gcc-4.4.3/gcc/config/rs6000/linux.h
 121: /* ppc32 glibc provides __stack_chk_guard in -0x7008(2). */
 122: #define TARGET_THREAD_SSP_OFFSET -0x7008

 gcc4/trunk/gcc-4.4.3/gcc/config/rs6000/linux64.h
 525: ppc64 glibc provides it at -0x7010(13). */
 526: #define TARGET_THREAD_SSP_OFFSET (TARGET_64BIT ? -0x7010 : -0x7008)

 gcc4/trunk/gcc-4.4.3/gcc/config/i386/linux64.h
 118: x86_64 glibc provides it in %fs:0x28. */
 119: #define TARGET_THREAD_SSP_OFFSET (TARGET_64BIT ? 0x28 : 0x14)

对于 glibc: http://www.google.com/codesearch/p?hl=zh-CN#xy1xtVWIKOQ/pub/glibc/snapshots/glibc-latest.tar.bz2%7CXP6Z3zoy3dk/glibc-20090518/elf/stackguard-macros.h&q=stack_chk_guard&exact_package=ftp://sources.redhat.com/pub/glibc/snapshots/glibc-latest.tar.bz2&l=8

 /*
  * STACK_CHK_GUARD evaluates to the current thread's stack-protector guard
  * value (the "cookie" that -fstack-protector code places on the stack in the
  * function prologue and re-checks before returning).
  *
  * On each architecture listed below the value is not read from the global
  * __stack_chk_guard symbol; it is loaded from a fixed offset relative to a
  * per-architecture base register, using inline assembly.  Only the final
  * #else branch falls back to the __stack_chk_guard symbol.
  *
  * The macros rely on GNU extensions (statement expressions and the asm
  * keyword) and on uintptr_t, so the includer must provide <stdint.h>.
  * The offsets are hard-coded; they are only meaningful for a libc that
  * stores the guard at exactly these locations.
  */
 #ifdef __i386__
 /* i386: load 32 bits from %gs:0x14. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
 #elif defined __x86_64__
 /* x86_64: load 64 bits from %fs:0x28. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("movq %%fs:0x28, %0" : "=r" (x)); x; })
 #elif defined __powerpc64__
 /* ppc64: load a doubleword from -28688(r13); -28688 == -0x7010. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
 #elif defined __powerpc__
 /* ppc32: load a word from -28680(r2); -28680 == -0x7008. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
 #elif defined __sparc__ && defined __arch64__
 /* sparc64: must be tested before plain __sparc__; loads from [%g7+0x28]. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
 #elif defined __sparc__
 /* sparc (32-bit): load from [%g7+0x14]. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
 #elif defined __s390x__
 /*
  * s390x: builds a 64-bit base address from access registers a0 (shifted left
  * by 32) and a1, then loads from offset 0x28 off that address.  The "=a"
  * constraint is used because the output register is also the base of the
  * final load.
  */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
 #elif defined __s390__
 /* s390 (31-bit): base address taken from access register a0, offset 0x14. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
 #elif defined __ia64__
 /* ia64: compute r13 - 8, then load 8 bytes from that address. */
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
 #else
 /* Every other target: the guard is the ordinary global symbol. */
 extern uintptr_t __stack_chk_guard;
 # define STACK_CHK_GUARD __stack_chk_guard
 #endif

所以,在主要平台(platforms)上,gcc 和 glibc 似乎总是使用相同的位置,并且可以通过 STACK_CHK_GUARD 宏访问该值。(以上偏移量取自所示的 gcc-4.4.3 与 glibc-20090518 源码。)