Chapter 35 Quiz: Buffer Overflows and Memory Corruption

Instructions: Choose the best answer. All questions are framed for defensive understanding. ⭐ marks questions with answers in Appendix B.

Question 1 ⭐ A function has char buf[48] as a local variable with a standard x86-64 frame (push rbp; mov rbp, rsp). What is the byte offset from buf[0] to the saved return address?

A) 48 bytes B) 52 bytes C) 56 bytes D) 64 bytes

Question 2 What makes shellcode "position-independent"?

A) It uses only registers, never memory B) It computes all memory addresses relative to the instruction pointer at runtime, not as fixed absolute addresses C) It is stored in a position-independent segment of the binary D) It is shorter than 64 bytes

Question 3 ⭐ The strcpy function is vulnerable to buffer overflows because:

A) It is not thread-safe B) It copies the entire source string without checking whether the destination buffer is large enough C) It fails on strings longer than 255 bytes D) It does not handle UTF-8 correctly

Question 4 What happens to program execution after a successful return address overwrite, when the function executes ret?

A) The program segfaults immediately B) The stack canary is checked and the process aborts C) RIP is loaded with the attacker-controlled value from the stack, redirecting execution D) The saved RBP is checked for integrity

Question 5 ⭐ Why did shellcode historically need to be null-byte-free?

A) Null bytes cause undefined behavior in x86-64 B) Many overflow vectors use string functions like strcpy that stop copying at null bytes C) The operating system filters null bytes from system calls D) Null bytes confuse the CPU's branch predictor

Question 6 What is a NOP sled, and why was it useful before ASLR?

A) A sequence of NOP instructions before shellcode that allows imprecise landing within a range B) A technique to avoid stack canary detection C) A way to slide past security checks in the kernel D) A debugging technique for stepping through shellcode

Question 7 ⭐ In the context of format string vulnerabilities, what does %n do?

A) Reads the next argument as an integer and prints it B) Writes the count of characters printed so far to the memory location pointed to by the argument C) Skips to the next line in the format string D) Causes printf to stop processing

Question 8 What is a use-after-free vulnerability?

A) Using a pointer after its type has been changed with a cast B) Accessing memory through a pointer after that memory has been freed C) Using more heap memory than was allocated D) Calling free() on stack-allocated memory

Question 9 ⭐ In glibc's malloc implementation, when a heap chunk is freed, what data is stored in its (now unused) user data area?

A) Zeros (the memory is cleared) B) Forward and backward pointers for the allocator's free list C) The size of the allocation request D) A canary value for double-free detection

Question 10 The Morris Worm (1988) exploited gets() in the BSD fingerd daemon. What property of gets() made it vulnerable?

A) It uses non-atomic reads B) It reads from stdin with no limit on the number of bytes written to the buffer C) It does not handle signal interrupts correctly D) It is vulnerable to race conditions

Question 11 ⭐ Which safe alternative should replace strcpy(dst, src) in modern C code?

A) strncpy(dst, src, sizeof(dst)) B) strlcpy(dst, src, sizeof(dst)) C) memcpy(dst, src, strlen(src)) D) strdup(src) followed by assignment

Question 12 A stack frame has char buf[32], int count, and char *ptr as local variables (in that order from the top). What variable(s) would a 36-byte overflow into buf corrupt?

A) Only count B) Only ptr C) Both count and ptr, and potentially the saved RBP D) Nothing — the overflow stays within the padding

Question 13 ⭐ Which GCC compilation flag adds a random value between local variables and the return address, checked before function return?

A) -fno-stack-protector B) -fstack-protector-strong C) -fPIE D) -D_FORTIFY_SOURCE=2

Question 14 What does AddressSanitizer (-fsanitize=address) detect that is difficult to catch with GDB alone?

A) Logic errors and incorrect algorithm behavior B) Buffer overflows, use-after-free, and heap corruption at runtime, even within the same allocation C) Race conditions in multithreaded code D) Integer overflow leading to incorrect values

Question 15 ⭐ Why are heap-based vulnerabilities (use-after-free, heap overflows) more difficult to exploit than classic stack buffer overflows?

A) The heap is always non-executable B) Heap corruption requires controlling the allocator's data structures, which depends on heap layout that varies with allocation history C) Heap overflows always trigger immediate segfaults D) glibc malloc automatically detects and prevents heap corruption

Question 16 A vulnerable printf call allows format string exploitation. An attacker sends %p%p%p%p%p%p as input. What is the most likely defensive use of this information?

A) To execute arbitrary code immediately B) To read stack values including potentially the stack canary (information leakage for a staged attack) C) To corrupt the heap D) To cause a denial of service

Question 17 ⭐ The execve("/bin/sh", NULL, NULL) system call requires which register values on Linux x86-64?

A) RAX=1, RBX=pointer to "/bin/sh", RCX=0, RDX=0 B) RAX=59, RDI=pointer to "/bin/sh", RSI=0, RDX=0 C) RCX=59, RDI=pointer to "/bin/sh", RSI=NULL, RDX=NULL D) RAX=11, RBX=pointer to "/bin/sh", RCX=NULL, RDX=NULL

Question 18 What is a "double-free" vulnerability and what corrupts in glibc?

A) Allocating the same memory twice; corrupts the TLB B) Freeing the same pointer twice; corrupts the allocator's free list metadata C) Writing to memory after a realloc; corrupts adjacent objects D) Calling free on a stack pointer; corrupts the stack canary

Question 19 ⭐ The instruction mov al, 59 is used in shellcode instead of mov rax, 59. Why?

A) mov rax, 59 is not a valid instruction encoding B) mov rax, 59 produces null bytes (zero padding) in the upper bytes of the immediate, which would truncate a string-based overflow C) mov al, 59 is faster by 2 cycles D) mov al, 59 is position-independent; mov rax, 59 is not

Question 20 Which statement best describes the relationship between understanding buffer overflows and writing secure C code?

A) Understanding buffer overflows is unnecessary for writing secure code — just use safe functions B) Understanding buffer overflows at the assembly level makes you concretely aware of why bounds-checking matters, making you a better C programmer C) Secure C code never uses buffers, so buffer overflows are not relevant D) Understanding exploits is only useful for attackers, not defenders