Local Buffer Overflow (User Space) and Stack Overflow Patterns

Learn about the patterns to detect local buffer overflow and stack overflow.

Local buffer overflow pattern (user space)

This pattern is observed on x86 platforms when a local variable and a function return address and/or saved frame pointer ebp are overwritten with some data. As a result, the instruction pointer eip becomes a wild pointer and we have a process crash in user mode. Sometimes, this pattern is diagnosed by looking at mismatched ebp and esp values. In the case of ASCII or UNICODE buffer overflow, the eip register may contain a 4-char or 2-wchar_t value, and esp or ebp or both registers might point at some string fragment.

Most of the time, simple mistakes in using memory and string manipulation functions are easily detected by the runtime. The more sophisticated example that overwrites stack trace without being detected involves overwriting indirectly via a pointer to a local buffer passed to the called function. In such cases, we might see incorrect and truncated stack traces:

Get hands-on with 1200+ tech skills courses.