MIPS (32-bit)
https://www.dsi.unive.it/~gasparetto/materials/MIPS_Instruction_Set.pdf
Registers
https://tams.informatik.uni-hamburg.de/applets/hades/webdemos/mips.html
Memory layout
At the start of each function, a stack portion will be allocated by decrementing the value of the sp (stack pointer) register:
Subsequently, the register values s0 to s7 , gp and ra will be saved in the stack:
Note that the relative offsets may vary
The MIPS assembly displayed above are from Ghidra
Consider the following instruction:
local_8 refers to
Stack[-0x8](as shown in Ghidra)This is equivalent to stack frame size - 0x8
Thus,
local_8(sp)= SP + stack frame size - 0x8The ra register will be stored in the calculated memory address
The following displays how it would look like normally:
When the function is returned, the following happens:
Restore ra and s0 to s7 registers
Jump to address stored in ra (saved in stack previously)
Restore stack pointer value (increment back to original before function call)
Example
Given a function func1, which calls another function func2. Suppose the variables func1_var2, func1_var2 and func2_var1, func2_var2 are created in func1 and func2 respectively
The memory layout diagram below displays how the saved return address (ra register) and local variables will look like:
Notice the following:
New variables will be written starting from lower memory addresses, and towards higher memory addresses
Without bounds checking, an attacker may be able to overwrite saved return address values at higher memory address
Last updated