
ARM PC overwritten with incorrect value in buffer overflow


I am working on stack smashing on ARM and I have a buffer declared as:

char buff[12];

in my code.

In order to find the location where the PC gets overwritten in gdb I write

AAAABBBBCCCCDDDDEEEEFFFF to buff

I expected DDDD to overwrite FP (r11) as 0x44444444 (and it executes correctly), but the PC was overwritten with 0x45454544 (instead of 0x45454545).

Does anyone have an idea why the last byte is D (44) instead of E (45)? I have tried longer input, but the value in the PC always drops by a few bits.

Screenshot of GDB output


Solution

  • The PC register cannot hold an odd value - the LSB is forced to 0 to ensure the address is aligned.
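To make the answer concrete, here is an added Python model (not code from the question or the answer) of what the question observed. It assumes the frame layout the poster saw in gdb: the saved FP immediately after the 12-byte buffer, then the saved return address that is popped into PC, stored little-endian; and it applies the ARM interworking rule that a value loaded into PC has bit 0 treated as the Thumb-state selector and cleared.

```python
import struct

BUFF_SIZE = 12              # char buff[12] from the question
FP_OFFSET = BUFF_SIZE       # saved r11 sits right after the buffer (assumed, as observed)
LR_OFFSET = FP_OFFSET + 4   # saved return address that the epilogue pops into PC


def pc_after_write(value: int) -> tuple[int, bool]:
    """Model the rule from the answer: a value loaded into PC by an
    interworking instruction (pop {pc}, ldr pc, bx) cannot be odd.
    Bit 0 is consumed as the Thumb-state selector and cleared, so the
    address stays halfword aligned. Returns (effective PC, thumb_selected).
    """
    value &= 0xFFFFFFFF
    thumb = bool(value & 1)
    return value & ~1, thumb


def saved_fp_and_pc(payload: bytes) -> tuple[int, int]:
    """Given the bytes written into buff, return the values that end up in
    FP (r11) and PC after the function epilogue, under the assumed layout.
    """
    if len(payload) < LR_OFFSET + 4:
        raise ValueError("input too short to reach the saved return address")
    fp = struct.unpack_from("<I", payload, FP_OFFSET)[0]
    pc_raw = struct.unpack_from("<I", payload, LR_OFFSET)[0]
    pc, _ = pc_after_write(pc_raw)
    return fp, pc


if __name__ == "__main__":
    # The exact string from the question: DDDD lands in FP, EEEE in PC.
    fp, pc = saved_fp_and_pc(b"AAAABBBBCCCCDDDDEEEEFFFF")
    print(f"FP = {fp:#010x}, PC = {pc:#010x}")  # FP = 0x44444444, PC = 0x45454544
```

`pc_after_write` also reports whether the odd value selected Thumb state, which is what gdb shows as the T bit in CPSR after such a return.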