6

When I disassemble a function, I encounter from time to time an expression of the form %reg:value. Typically, I encounter this syntax when I activate the canaries in GCC (-fstack-protector), as in the following example:

(gdb) disas
Dump of assembler code for function foo:
   0x000000000040057c <+0>: push   %rbp
   0x000000000040057d <+1>: mov    %rsp,%rbp
   0x0000000000400580 <+4>: sub    $0x20,%rsp
   0x0000000000400584 <+8>: mov    %edi,-0x14(%rbp)
=> 0x0000000000400587 <+11>:    mov    %fs:0x28,%rax
   0x0000000000400590 <+20>:    mov    %rax,-0x8(%rbp)
   0x0000000000400594 <+24>:    xor    %eax,%eax
   0x0000000000400596 <+26>:    mov    $0x4006ac,%edi
   0x000000000040059b <+31>:    callq  0x400440 <puts@plt>
   0x00000000004005a0 <+36>:    mov    -0x8(%rbp),%rax
   0x00000000004005a4 <+40>:    xor    %fs:0x28,%rax
   0x00000000004005ad <+49>:    je     0x4005b4 <foo+56>
   0x00000000004005af <+51>:    callq  0x400450 <__stack_chk_fail@plt>
   0x00000000004005b4 <+56>:    leaveq 
   0x00000000004005b5 <+57>:    retq

What is the meaning of this kind of syntax?

Gilles 'SO- stop being evil'
  • 1,358
  • 13
  • 23
perror
  • 19,083
  • 29
  • 87
  • 150

1 Answers1

6

%fs:028h is actually using the form segment:offset, which means it is reaching the memory address at offset 28h in the segment selected by the Far Segment FS.

Any memory reference has an implicit segment (most of the time, CS for execution, DS for data read/write), which can be overriden by a segment prefix.

Ange
  • 6,694
  • 3
  • 28
  • 62
  • This is Linux, not Windows. – Igor Skochinsky May 03 '13 at 08:10
  • So, we could have write it: 0x28(%fs), why another syntax for the same thing ? – perror May 03 '13 at 08:48
  • @perror: please reread Ange's answer. FS is a segment register, so this syntax means an offset inside the segment pointed to by FS. There's no syntax for extracting bits from a register (x86 ISA does not support operands like that). 0x28(%fs) would mean value of FS plus 0x28 which is a different thing. – Igor Skochinsky May 03 '13 at 08:49
  • Okay, it means that the memory space addressed here is on the physical memory space and not the virtual one. Is it correct ? – perror May 03 '13 at 08:53
  • @perror: nope. The values may differ between KM and UM. In UM you never get to see physical memory directly, unless it's a gaping security hole. fs and friends are usually referred to as selectors in flat address mode, since they don't quite have the same meaning as they used to in real mode. – 0xC0000022L May 03 '13 at 11:10
  • I'm a bit confused. I think I need to understand what are these segment register to perfectly understand what is going on. But, the answer of Ange is perfectly fulfill my question (I admit that the rest is off-topic). Thanks! – perror May 03 '13 at 12:23
  • @perror: separate question. We're in dire need of more questions, so ask away :) – 0xC0000022L May 03 '13 at 21:24