Smashing Stack on Ubuntu 11.10

Are you having the following problem while trying to overwrite the $esp pointer?

Of course, trying a legitimate buffer size always works! But when you increase the buffer size to overwrite $esp and you manage to touch the first, second or third byte of $esp, it works fine. But as soon as you try to overwrite all 4 bytes of $esp, it completely changes its contents, as well as the address. It no longer shows 41 (I used "A" to fill the buffer). I added a screenshot, maybe it will explain in more detail. Thanks to everyone.

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char** argv)
    {
        char buffer[500];
        if (argc < 2)              /* avoid dereferencing a missing argument */
            return 1;
        /* no bounds check: an argv[1] longer than 500 bytes overwrites the
           saved return address on the stack */
        strcpy(buffer, argv[1]);
        return 0;
    }

[screenshot: smash attempt]

+7
1 answer

This is due to the implementation of NX emulation in Ubuntu's 32-bit non-PAE kernels and to how a CPU exception occurs. For memory regions below the NX emulation line (that is, "inside" the emulated NX region: from address 0 to the end of the program's text segment, i.e. below the 0x08049000 end address of this binary in /proc/$pid/maps), the segfault happens after the EIP has landed on the actual invalid address. For addresses above the line, the fault is raised in a different way, which reports the error without moving the EIP forward to the faulting address; the EIP instead remains at the "ret" instruction that led to the fault.

You can see this in gdb:

    (gdb) x/1i $pc
    => 0x8048454 <main+64>: ret
    (gdb) info reg esp
    esp            0xbffff54c    0xbffff54c
    (gdb) x/wx $esp
    0xbffff54c:    0x41414141

You can also see the difference in how the faults are reported in dmesg. This is the output for the "508" attempt:

    [  585.913896] a.out[1528] general protection ip:8048454 sp:bff1e8ec error:0 in a.out[8048000+1000]

And this is for "507":

    [  598.999760] a.out[1531]: segfault at 414141 ip 00414141 sp bfcac2c0 error 4 in libc-2.13.so[5e7000+178000]

If you install the PAE kernel (sudo apt-get install linux-image-$(uname -r)-pae), boot into it, and your processor supports PAE, you will see the behaviour you expect (since NX emulation is disabled in favour of hardware NX), and all 4 attempts will segfault with the expected EIP.

+5
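As an added example (not part of the answer or the original post): a small Python triage helper that parses the two dmesg fault formats quoted in the answer, records whether EIP was still inside the crashing binary's own mapping (the NX-emulation case) and counts how many bytes of EIP equal the 0x41 fill byte. The sample lines are the two quoted above; the function names are my own.

```python
import re

# Kernel fault lines in the two shapes quoted in the answer.
# "general protection": NX-emulation path, EIP is still at the "ret".
# "segfault at":        normal path, EIP has already moved to the bad address.
GP_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\] general protection "
    r"ip:(?P<ip>[0-9a-f]+) sp:(?P<sp>[0-9a-f]+) error:(?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

def fill_byte_count(value, fill=0x41):
    """How many of the 4 little-endian bytes of a 32-bit value equal `fill`.
    An EIP made of "A"s is the classic sign that a saved return address
    was overwritten by a stack fill pattern."""
    return sum(1 for i in range(4) if (value >> (8 * i)) & 0xff == fill)

def parse_fault(line):
    """Parse one dmesg line; return a dict, or None if it is not a fault."""
    m = GP_RE.search(line)
    kind = "general protection"
    if not m:
        m = SEGV_RE.search(line)
        kind = "segfault"
    if not m:
        return None
    d = m.groupdict()
    ip, sp, base, size = (int(d[k], 16) for k in ("ip", "sp", "base", "size"))
    fault_addr = int(d["addr"], 16) if "addr" in d else None
    return {
        "kind": kind, "comm": d["comm"], "pid": int(d["pid"]),
        "ip": ip, "sp": sp, "fault_addr": fault_addr, "object": d["obj"],
        # The kernel prints the nearest mapping at or above ip, so ip need
        # not lie inside it; True means the fault was reported while still
        # executing the binary itself (the NX-emulation case).
        "ip_in_object": base <= ip < base + size,
        "fill_bytes_in_ip": fill_byte_count(ip),
    }

# The two dmesg lines quoted in the answer (508- and 507-byte attempts).
SAMPLE_LINES = [
    "[  585.913896] a.out[1528] general protection ip:8048454 sp:bff1e8ec "
    "error:0 in a.out[8048000+1000]",
    "[  598.999760] a.out[1531]: segfault at 414141 ip 00414141 sp bfcac2c0 "
    "error 4 in libc-2.13.so[5e7000+178000]",
]

def triage(lines):
    """Return parsed fault records for every recognised line."""
    return [r for r in (parse_fault(l) for l in lines) if r]
```

For the 507-byte attempt the helper reports three 0x41 bytes in EIP and a fourth byte of zero, which matches the question's observation that touching only part of the saved EIP still shows the "A" pattern.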
