Stack Alignment - Buffer Overflow Testing

Question

I've done a lot of research trying to understand this topic but still have some confusion. Currently I'm investigating buffer overflow. Here's an example of the function I'm looking at:

int testFunction(char* sourceBuffer)
{
    unsigned char result = 0;
    char destinationBuffer[512];

    //do some insecure stuff with strcpy()
}

I'm compiling with these settings:

gcc -g -z execstack -fno-stack-protector -o test test.c

From what I can tell ASLR, stack protection, canary values, and compiler guards should be disabled with these settings. However upon inspecting memory in GDB this is how my stack looks:

HIGH

sourceBuffer...temp...etc...
RET address [4 bytes]
EBP address [4 bytes]

(8 bytes of mystery memory)

result [1 byte]
destinationBuffer[512 bytes]

LOW

I've tried reading about stack alignment / padding, this article was particularly helpful: Stack allocation, padding, and alignment

The default alignment is 16-bytes. According to that answer, if I change n = 2 it looks like it works. result is just 1 byte before where EBP pointer starts. This will allow me to exploit the buffer overflow into the return address like I want.

I'm really having a hard time how this works. If by default it's 16, is the stack initially setup with 16 bytes, then the RET and EBP pointers take up 4 bytes each, so there's just 8 bytes left over? I'm just pretty lost on understanding this.

Answer 1

Your stack seems to be 16 byte aligned. If there are 4 bytes RET and 4 bytes EBP, then you will of course need another 8 bytes padding to uphold that 16 bytes alignment, otherwise your local function storage would not start at a multiple of 16 byte and then your stack wasn't 16 byte aligned.