Does function stack save the return address?

Question

I'm learning things about function stack based on assembly using the system Linux x86.

I've read some article, which told me that a function stack (callee) would save the return address where it is called by the caller so that the computer could know the point where to continue when the function returns.

This is why there is a kind of attack: stack smashing. The stack smashing means that if we can overflow a function stack, especially overflow the return address with a designed address, the program will execute the codes of hackers.

However, today I'm trying to use gdb to check a simple c++ program as below but I can't find any saved return address in any function stack. Here is the code:

void func(int x)
{
    int a = x;
    int b = 0;  // set a breakpoint
}

int main()
{
    func(10);  // set a breakpoint
    return 0;
}

Then I use gdb to get its assembly:

main:

func:

Now we can see that there is no return address being saved in the two function stacks (at least this is my view).

If a hacker wants to hack this program with stack smashing, which address in the function stack will be edited illegally by him?

Answer 1

Yes there is. Examine the stack immediately before the callq and immediately after it. You will find that the address of the instruction following the callq now appears on the top of the stack and RSP has decremented by 8.

The callq instruction causes the address of the following instruction to be pushed onto the stack. Inversely, the retq instruction at the end of the function causes the address on the stack to be popped into the RIP.