_IO_FILE

hctf2017的babyprintf解法是house of orange,深入学习了一下，牵扯出许多知识，这里先进行第一步：_IO_FILE结构

0x00 _IO_FILE

glibc-2.2.1\libio\libio.h

struct _IO_FILE {
int _flags;	/* High-order word is _IO_MAGIC; rest is flags. */
#define _IO_file_flags _flags

/* The following pointers correspond to the C++ streambuf protocol. */
/* Note: Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
char* _IO_read_ptr;	/* Current read pointer */
char* _IO_read_end;	/* End of get area. */
char* _IO_read_base;	/* Start of putback+get area. */
char* _IO_write_base;	/* Start of put area. */
char* _IO_write_ptr;	/* Current put pointer. */
char* _IO_write_end;	/* End of put area. */
char* _IO_buf_base;	/* Start of reserve area. */
char* _IO_buf_end;	/* End of reserve area. */
/* The following fields are used to support backing up and undo. */
char *_IO_save_base; /* Pointer to start of non-current get area. */
char *_IO_backup_base; /* Pointer to first valid character of backup area */
char *_IO_save_end; /* Pointer to end of non-current get area. */

struct _IO_marker *_markers;

struct _IO_FILE *_chain;

int _fileno;
int _blksize;
_IO_off_t _old_offset; /* This used to be _offset but it's too small. */

#define __HAVE_COLUMN /* temporary */
/* 1+column number of pbase(); 0 is unknown. */
unsigned short _cur_column;
signed char _vtable_offset;
char _shortbuf[1];

/* char* _save_gptr; char* _save_egptr; */

_IO_lock_t *_lock;
#ifdef _IO_USE_OLD_IO_FILE
};

　0x01 _IO_FILE_complete

_IO_FILE结构的完全版

struct _IO_FILE_complete
{
  struct _IO_FILE _file;
#endif
#if defined _G_IO_IO_FILE_VERSION && _G_IO_IO_FILE_VERSION == 0x20001
  _IO_off64_t _offset;
# if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
  /* Wide character stream stuff.  */
  struct _IO_codecvt *_codecvt;
  struct _IO_wide_data *_wide_data;
  struct _IO_FILE *_freeres_list;
  void *_freeres_buf;
# else
  void *__pad1;
  void *__pad2;
  void *__pad3;
  void *__pad4;
# endif
  size_t __pad5;
  int _mode;
  /* Make sure we don't get into trouble again.  */
  char _unused2[15 * sizeof (int) - 4 * sizeof (void *) - sizeof (size_t)];
#endif
};

　0x02 _IO_FILE_plus

_IO_FILE_plus是_IO_FILE的加强版，linux程序中每创建一个文件对象，都会为这个对象生成一个_IO_FILE_plus结构体，所有文件共享一个函数表，_IO_jump_t *vtable指向这个函数表

glibc-2.2.1\libio\libioP.h
struct _IO_FILE_plus
{
   _IO_FILE file;
   const struct _IO_jump_t *vtable;
};

　0x03 _IO_jump_t

glibc-2.2.1\libio\libioP.h

struct _IO_jump_t
{
JUMP_FIELD(_G_size_t, __dummy);
#ifdef _G_USING_THUNKS
JUMP_FIELD(_G_size_t, __dummy2);
#endif
JUMP_FIELD(_IO_finish_t, __finish);
JUMP_FIELD(_IO_overflow_t, __overflow);
JUMP_FIELD(_IO_underflow_t, __underflow);
JUMP_FIELD(_IO_underflow_t, __uflow);
JUMP_FIELD(_IO_pbackfail_t, __pbackfail);
/* showmany */
JUMP_FIELD(_IO_xsputn_t, __xsputn);
JUMP_FIELD(_IO_xsgetn_t, __xsgetn);
JUMP_FIELD(_IO_seekoff_t, __seekoff);
JUMP_FIELD(_IO_seekpos_t, __seekpos);
JUMP_FIELD(_IO_setbuf_t, __setbuf);
JUMP_FIELD(_IO_sync_t, __sync);
JUMP_FIELD(_IO_doallocate_t, __doallocate);
JUMP_FIELD(_IO_read_t, __read);
JUMP_FIELD(_IO_write_t, __write);
JUMP_FIELD(_IO_seek_t, __seek);
JUMP_FIELD(_IO_close_t, __close);
JUMP_FIELD(_IO_stat_t, __stat);
JUMP_FIELD(_IO_showmanyc_t, __showmanyc);
JUMP_FIELD(_IO_imbue_t, __imbue);
#if 0
get_column;
set_column;
#endif
};

　0x04 调用fclose()

假设现在有一个文件对象fp要调用fclose()函数，它的调用流程如下：

假如我们能覆盖fp指针，并且自己构造一个假的_IO_FILE结构和一个假的_IO_jump_t结构，就可以控制程序流了。　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　.