[Bug] $_stack() calculate error #928

Closed
1 of 9 tasks
jylsec opened this issue Jan 24, 2023 · 3 comments

jylsec (Author) commented Jan 24, 2023

GEF+GDB version

GEF: (Standalone)
Blob Hash(/home/jylsec/.gef-2b72f5d0d9f0f218a91cd1ca5148e45923b950d5.py): 8dc57b700e3c1c85822449033a01c94dfae9e4a6
SHA256(/home/jylsec/.gef-2b72f5d0d9f0f218a91cd1ca5148e45923b950d5.py): 63d3e10d38a367c3e4d37de8e0701bcdff2a4e7c9a0a4ec5d83ccb8b2fe6188d
GDB: 12.1
GDB-Python: 3.10

Operating System

Ubuntu22.04

Describe the issue you encountered

The context shows:

$rax   : 0x007fffffffe810  →  "1234567890\n"
$rbx   : 0x0               
$rcx   : 0x005555555592ab  →  0x0000000000000000
$rdx   : 0xfbad2288        
$rsp   : 0x007fffffffe7b0  →  0x007ffff7ffd040  →  0x007ffff7ffe2e0  →  0x00555555554000  →   jg 0x555555554047
$rbp   : 0x007fffffffe7e0  →  0x007fffffffe840  →  0x0000000000000001
$rsi   : 0x3938373635343332 ("23456789"?)
$rdi   : 0x007fffffffe810  →  "1234567890\n"
$rip   : 0x005555555552f5  →  <encrypt+24> jmp 0x55555555535e <encrypt+129>
$r8    : 0x0               
$r9    : 0x005555555592a0  →  "1234567890\n"
$r10   : 0x77              
$r11   : 0x246             
$r12   : 0x007fffffffe958  →  0x007fffffffec17  →  "/home/jylsec/sora"
$r13   : 0x00555555555229  →  <main+0> endbr64 
$r14   : 0x0               
$r15   : 0x007ffff7ffd040  →  0x007ffff7ffe2e0  →  0x00555555554000  →   jg 0x555555554047
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00

However, the print $_stack() command shows:

gef➤  print $_stack()
$5 = 0x7ffffffde000

I think $_stack() should equal $rbp

Do you read the docs and look at previously closed issues/PRs for similar cases?

yes

Architecture impacted

  • X86
  • X64
  • ARM
  • ARM64
  • MIPS
  • MIPS64
  • PPC
  • PPC64
  • RISCV

hugsy (Owner) commented Jan 24, 2023

From the docs:

    Return the current stack base address plus the given offset.

It points to the base address of the stack memory region, not $rsp or $rbp.

@hugsy hugsy added not-a-bug and removed bug labels Jan 24, 2023
jylsec (Author) commented Jan 25, 2023

@hugsy
$_stack(), which returns 0x7ffffffde000, is lower than $RSP, whose value is 0x007fffffffe7b0. I'm now confused about what the base address of the stack memory region means. I searched for the concept on ChatGPT and Stack Overflow. They all tell me that it means the highest memory location of the call stack belonging to the program, or the stack frame belonging to each subroutine.

hugsy (Owner) commented Jan 25, 2023

Just open /proc/<pid>/maps and you'll see that $_stack() has the same value as the base address shown on the [stack] line.
Closing this issue, as it is not gef related (also it's not an issue). If you have questions to understand how memory layout works, just drop by the Discord.

Cheers

@hugsy hugsy closed this as completed Jan 25, 2023
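The two replies above turn on one distinction: the "stack base" in the GEF docs is the low address of the [stack] line in /proc/<pid>/maps, while $rsp and $rbp are live pointers somewhere above it, because the stack grows down from the top of that region. The script below is an added example written for this page, not GEF's own code and not the GEF API: it parses the /proc/<pid>/maps text format, computes the value the docs describe for $_stack(offset) from it, and reports where a given pointer such as $rsp sits relative to that base. The maps listing it works on is a constructed sample built around the addresses in the issue (stack base 0x7ffffffde000, $rsp 0x7fffffffe7b0); the function and class names are this example's own, and the optional live_layout() helper assumes the Linux /proc/self/maps and /proc/self/stat formats and returns None elsewhere.

```python
"""Added example (not GEF code): what the GEF docs describe for $_stack(),
i.e. the start of the [stack] mapping in /proc/<pid>/maps plus an optional
offset, and how a live stack pointer such as $rsp relates to it.

Assumed: the Linux /proc/<pid>/maps and /proc/<pid>/stat text formats.
All names below belong to this example, not to GEF.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]".
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Mapping:
    start: int   # low address: the "base" of the region
    end: int     # one past the highest mapped byte
    perms: str
    path: str    # file path, [heap], [stack], ... or "" for anonymous

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    maps = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or unexpected lines
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                            m["perms"], m["path"].strip()))
    return maps


def stack_region(maps: List[Mapping]) -> Optional[Mapping]:
    """The main thread's [stack] mapping, if present."""
    return next((m for m in maps if m.path == "[stack]"), None)


def stack_base(maps: List[Mapping], offset: int = 0) -> int:
    """Mirror of the documented $_stack(offset): start address of the
    [stack] region plus offset. Raises if there is no such region."""
    region = stack_region(maps)
    if region is None:
        raise LookupError("no [stack] mapping found")
    return region.start + offset


def locate(maps: List[Mapping], addr: int) -> Dict[str, object]:
    """Which mapping holds addr, and how many bytes it sits above the
    [stack] base. A live stack pointer is always above that base: the
    stack grows down from the top of the region toward it."""
    holder = next((m for m in maps if m.contains(addr)), None)
    return {
        "mapping": holder.path if holder else None,
        "in_stack": holder is not None and holder.path == "[stack]",
        "above_base": addr - stack_base(maps),
    }


def live_layout() -> Optional[Dict[str, int]]:
    """Linux only: this process's own [stack] region next to the kernel's
    startstack value (field 28 of /proc/self/stat), the initial stack
    pointer at exec time. Returns None where /proc is unavailable."""
    try:
        with open("/proc/self/maps") as f:
            maps = parse_maps(f.read())
        with open("/proc/self/stat") as f:
            stat = f.read()
    except OSError:
        return None
    region = stack_region(maps)
    if region is None:
        return None
    # comm (field 2) may contain spaces, so split after the last ')'.
    fields = stat[stat.rindex(")") + 1:].split()
    startstack = int(fields[25])  # field 28 overall
    return {"base": region.start, "end": region.end, "startstack": startstack,
            "startstack_in_region": region.contains(startstack)}


# Constructed sample modelled on the issue: [stack] starts at 0x7ffffffde000,
# the value $_stack() printed, and $rsp was 0x7fffffffe7b0.
SAMPLE_MAPS = """\
555555554000-555555555000 r--p 00000000 08:02 1234567 /home/jylsec/sora
555555555000-555555556000 r-xp 00001000 08:02 1234567 /home/jylsec/sora
555555559000-55555557a000 rw-p 00000000 00:00 0 [heap]
7ffff7ffd000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0 [vsyscall]
"""
RSP = 0x7FFFFFFFE7B0  # from the issue's register dump

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    print(f"$_stack()     = {stack_base(maps):#x}")
    print(f"$_stack(0x10) = {stack_base(maps, 0x10):#x}")
    print(f"$rsp          = {RSP:#x} -> {locate(maps, RSP)}")
    print("this process  =", live_layout())
```

Run against the sample, stack_base() gives 0x7ffffffde000 while $rsp resolves to the same [stack] mapping 0x207b0 bytes above it; the heap pointer from the register dump (0x5555555592a0) resolves to [heap]. On a Linux host, live_layout() shows the same picture for the running interpreter: the kernel's startstack sits near the end of the [stack] region, far above its base, which is the address the docs call the stack base.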