前置知识

_IO_FILE_plus 结构体

1
struct _IO_FILE_plus
2
{
3
  _IO_FILE file;
4
  const struct _IO_jump_t *vtable;
5
};

_IO_FILE结构体

先说_IO_FILE结构体，该结构体就是标准IO库中用来描述文件的结构，在程序执行fopen函数时会创建该结构，并分配在堆中。

1
struct _IO_FILE {
2
  int _flags;    /* High-order word is _IO_MAGIC; rest is flags. */
3
#define _IO_file_flags _flags
4

5
  /* The following pointers correspond to the C++ streambuf protocol. */
6
  /* Note:  Tk uses the _IO_read_ptr and _IO_read_end fields directly. */
7
  char* _IO_read_ptr;  /* Current read pointer */
8
  char* _IO_read_end;  /* End of get area. */
9
  char* _IO_read_base;  /* Start of putback+get area. */
10
  char* _IO_write_base;  /* Start of put area. */
11
  char* _IO_write_ptr;  /* Current put pointer. */
12
  char* _IO_write_end;  /* End of put area. */
13
  char* _IO_buf_base;  /* Start of reserve area. */
14
  char* _IO_buf_end;  /* End of reserve area. */
15
  /* The following fields are used to support backing up and undo. */
16
  char *_IO_save_base; /* Pointer to start of non-current get area. */
17
  char *_IO_backup_base;  /* Pointer to first valid character of backup area */
18
  char *_IO_save_end; /* Pointer to end of non-current get area. */
19

20
  struct _IO_marker *_markers;
21

22
  struct _IO_FILE *_chain;
23

24
  int _fileno;
25
#if 0
26
  int _blksize;
27
#else
28
  int _flags2;
29
#endif
30
  _IO_off_t _old_offset; /* This used to be _offset but it's too small.  */
31

32
#define __HAVE_COLUMN /* temporary */
33
  /* 1+column number of pbase(); 0 is unknown. */
34
  unsigned short _cur_column;
35
  signed char _vtable_offset;
36
  char _shortbuf[1];
37

38
  /*  char* _save_gptr;  char* _save_egptr; */
39

40
  _IO_lock_t *_lock;
41
#ifdef _IO_USE_OLD_IO_FILE
42
};

调试源码

1
#include <stdio.h>
2
#include <stdlib.h>
3

4
int main() {
5
  FILE *file = fopen("example.txt", "r");
6
  if (file == NULL) {
7
    perror("Error opening file");
8
    return EXIT_FAILURE;
9
  }
10

11
  fclose(file);
12
  return EXIT_SUCCESS;
13
}

总体概述

alt text

源码解析

打断点到fopen

fopen实际上进入的是_IO_new_fopen函数

1
FILE *
2
_IO_new_fopen (const char *filename, const char *mode)
3
{
4
  return __fopen_internal (filename, mode, 1);
5
}
6

7
strong_alias (_IO_new_fopen, __new_fopen)
8
versioned_symbol (libc, _IO_new_fopen, _IO_fopen, GLIBC_2_1);
9
versioned_symbol (libc, __new_fopen, fopen, GLIBC_2_1);
10

11
# if !defined O_LARGEFILE || O_LARGEFILE == 0
12
  weak_alias (_IO_new_fopen, _IO_fopen64)
13
  weak_alias (_IO_new_fopen, fopen64)
14
# endif

alt text 2. _IO_new_fopen函数进入了__fopen_internal 这个函数是对_IO_new_file_init_internal的封装，会在这里申请一个locked_FILE结构体

1
FILE *
2
__fopen_internal (const char *filename, const char *mode, int is32)
3
{
4
  struct locked_FILE
5
  {
6
    struct _IO_FILE_plus fp;
7
#ifdef _IO_MTSAFE_IO
8
    _IO_lock_t lock;
9
#endif
10
    struct _IO_wide_data wd;
11
  } *new_f = (struct locked_FILE *) malloc (sizeof (struct locked_FILE));
12

13

14

15
  if (new_f == NULL)
16
    return NULL;
17
#ifdef _IO_MTSAFE_IO
18
  new_f->fp.file._lock = &new_f->lock;
19
#endif
20
  _IO_no_init (&new_f->fp.file, 0, 0, &new_f->wd, &_IO_wfile_jumps);
21
  _IO_JUMPS (&new_f->fp) = &_IO_file_jumps;
22
  _IO_new_file_init_internal (&new_f->fp);
23
  if (_IO_file_fopen ((FILE *) new_f, filename, mode, is32) != NULL)
24
    return __fopen_maybe_mmap (&new_f->fp.file);
25

26
  _IO_un_link (&new_f->fp);
27
  free (new_f);
28
  return NULL;
29
}

1
pwndbg> ptype struct locked_FILE
2
type = struct locked_FILE {
3
    struct _IO_FILE_plus fp;
4
    _IO_lock_t lock;
5
    struct _IO_wide_data wd;
6
}

__fopen_internal进入_IO_no_init

可以发现是初始化FILE结构体，分为两个部分_IO_old_init和wide_data的a初始化

1
void
2
_IO_no_init (FILE *fp, int flags, int orientation,
3
struct _IO_wide_data *wd, const struct _IO_jump_t *jmp)
4
{
5
  _IO_old_init (fp, flags);
6
  fp->_mode = orientation;
7
  if (orientation >= 0)
8
{
9

10
  fp->_wide_data = wd;
11
  fp->_wide_data->_IO_buf_base = NULL;
12
  fp->_wide_data->_IO_buf_end = NULL;
13
  fp->_wide_data->_IO_read_base = NULL;
14
  fp->_wide_data->_IO_read_ptr = NULL;
15
  fp->_wide_data->_IO_read_end = NULL;
16
  fp->_wide_data->_IO_write_base = NULL;
17
  fp->_wide_data->_IO_write_ptr = NULL;
18
  fp->_wide_data->_IO_write_end = NULL;
19
  fp->_wide_data->_IO_save_base = NULL;
20
  fp->_wide_data->_IO_backup_base = NULL;
21
  fp->_wide_data->_IO_save_end = NULL;
22

23
  fp->_wide_data->_wide_vtable = jmp;
24

25
}
26

27
else
28
  /* Cause predictable crash when a wide function is called on a byte
29
  stream. */
30
  fp->_wide_data = (struct _IO_wide_data *) -1L;
31
  fp->_freeres_list = NULL;
32
  fp->_total_written = 0;
33
}

alt text 初始化之前 4._IO_no_init 进入_IO_old_init

1
void
2
_IO_old_init (FILE *fp, int flags)
3
{
4
  fp->_flags = _IO_MAGIC|flags;  /*_IO_MAGIC是魔数标志位，表明这个FILE对象是有效的*/
5
  fp->_flags2 = 0;
6
  if (stdio_needs_locking)
7
  fp->_flags2 |= _IO_FLAGS2_NEED_LOCK;
8
  fp->_IO_buf_base = NULL;
9
  fp->_IO_buf_end = NULL;
10
  fp->_IO_read_base = NULL;
11
  fp->_IO_read_ptr = NULL;
12
  fp->_IO_read_end = NULL;
13
  fp->_IO_write_base = NULL;
14
  fp->_IO_write_ptr = NULL;
15
  fp->_IO_write_end = NULL;
16
  fp->_chain = NULL; /* Not necessary. */
17

18
  fp->_IO_save_base = NULL;
19
  fp->_IO_backup_base = NULL;
20
  fp->_IO_save_end = NULL;
21
  fp->_markers = NULL;
22
  fp->_cur_column = 0;
23
  #if _IO_JUMPS_OFFSET
24
  fp->_vtable_offset = 0;
25
#endif
26
#ifdef _IO_MTSAFE_IO
27
  if (fp->_lock != NULL)
28
  _IO_lock_init (*fp->_lock);
29
#endif
30
}

经过_IO_old_init初始化后 alt text 5. 设置_mode，这个字段代表的是流的字符方向/宽窄方向

1
void
2
   587 _IO_no_init (FILE *fp, int flags, int orientation,
3
   588              struct _IO_wide_data *wd, const struct _IO_jump_t *jmp)
4
   589 {
5
   590   _IO_old_init (fp, flags);
6
 ► 591   fp->_mode = orientation;

1
`fp->_mode` 不是打开模式 `"r" / "w" / "a"`，而是 **流的字符方向/宽窄方向**：
2

3
- `0`：还没定向，未决定是字节流还是宽字符流
4
- `> 0`：宽字符流 wide-oriented
5
- `< 0`：字节流 byte-oriented

alt text 6. 初始化宽字符数据_wide_data 7. 返回__fopen_internal 8. 执行_IO_JUMPS (&new_f->fp) = &_IO_file_jumps;

1
#define _IO_JUMPS(THIS) (THIS)->vtable

也就是

1
new_f->fp.vtable = &_IO_file_jumps;

执行之前

1
pwndbg> p *new_f
2
$5 = {
3
  fp = {
4
    file = {
5
      _flags = -72548352,
6
      _IO_read_ptr = 0x0,
7
      _IO_read_end = 0x0,
8
      _IO_read_base = 0x0,
9
      _IO_write_base = 0x0,
10
      _IO_write_ptr = 0x0,
11
      _IO_write_end = 0x0,
12
      _IO_buf_base = 0x0,
13
      _IO_buf_end = 0x0,
14
      _IO_save_base = 0x0,
15
      _IO_backup_base = 0x0,
16
      _IO_save_end = 0x0,
17
      _markers = 0x0,
18
      _chain = 0x0,
19
      _fileno = 0,
20
      _flags2 = 0,
21
      _short_backupbuf = "",
22
      _old_offset = 0,
23
      _cur_column = 0,
24
      _vtable_offset = 0 '\000',
25
      _shortbuf = "",
26
      _lock = 0x5555555590f0,
27
      _offset = 0,
28
      _codecvt = 0x0,
29
      _wide_data = 0x555555559100,
30
      _freeres_list = 0x0,
31
      _freeres_buf = 0x0,
32
      _prevchain = 0x0,
33
      _mode = 0,
34
      _unused3 = 0,
35
      _total_written = 0,
36
      _unused2 = "\000\000\000\000\000\000\000"
37
    },
38
    vtable = 0x0    /*这里还没有*/
39
  },
40
  lock = {
41
    lock = 0,
42
    cnt = 0,
43
    owner = 0x0
44
  },
45
  wd = {
46
    _IO_read_ptr = 0x0,
47
    _IO_read_end = 0x0,
48
    _IO_read_base = 0x0,
49
    _IO_write_base = 0x0,
50
    _IO_write_ptr = 0x0,
51
    _IO_write_end = 0x0,
52
    _IO_buf_base = 0x0,
53
    _IO_buf_end = 0x0,
54
    _IO_save_base = 0x0,
55
    _IO_backup_base = 0x0,
56
    _IO_save_end = 0x0,
57
    _IO_state = {
58
      __count = 0,
59
      __value = {
60
        __wch = 0,
61
        __wchb = "\000\000\000"
62
      }
63
    },
64
    _IO_last_state = {
65
      __count = 0,
66
      __value = {
67
        __wch = 0,
68
        __wchb = "\000\000\000"
69
      }
70
    },
71
    _codecvt = {
72
      __cd_in = {
73
        step = 0x0,
74
        step_data = {
75
          __outbuf = 0x0,
76
          __outbufend = 0x0,
77
          __flags = 0,
78
          __invocation_counter = 0,
79
          __internal_use = 0,
80
          __statep = 0x0,
81
          __state = {
82
            __count = 0,
83
            __value = {
84
              __wch = 0,
85
              __wchb = "\000\000\000"
86
            }
87
          }
88
        }
89
      },
90
      __cd_out = {
91
        step = 0x0,
92
        step_data = {
93
          __outbuf = 0x0,
94
          __outbufend = 0x0,
95
          __flags = 0,
96
          __invocation_counter = 0,
97
          __internal_use = 0,
98
          __statep = 0x0,
99
          __state = {
100
            __count = 0,
101
            __value = {
102
              __wch = 0,
103
              __wchb = "\000\000\000"
104
            }
105
          }
106
        }
107
      }
108
    },
109
    _shortbuf = L"",
110
    _wide_vtable = 0x7ffff7f7c228 <_IO_wfile_jumps>
111
  }
112
}

执行后

1
 fp = {
2
    file = {
3
      _flags = -72548352,
4
      _IO_read_ptr = 0x0,
5
      _IO_read_end = 0x0,
6
      _IO_read_base = 0x0,
7
      _IO_write_base = 0x0,
8
      _IO_write_ptr = 0x0,
9
      _IO_write_end = 0x0,
10
      _IO_buf_base = 0x0,
11
      _IO_buf_end = 0x0,
12
      _IO_save_base = 0x0,
13
      _IO_backup_base = 0x0,
14
      _IO_save_end = 0x0,
15
      _markers = 0x0,
16
      _chain = 0x0,
17
      _fileno = 0,
18
      _flags2 = 0,
19
      _short_backupbuf = "",
20
      _old_offset = 0,
21
      _cur_column = 0,
22
      _vtable_offset = 0 '\000',
23
      _shortbuf = "",
24
      _lock = 0x5555555590f0,
25
      _offset = 0,
26
      _codecvt = 0x0,
27
      _wide_data = 0x555555559100,
28
      _freeres_list = 0x0,
29
      _freeres_buf = 0x0,
30
      _prevchain = 0x0,
31
      _mode = 0,
32
      _unused3 = 0,
33
      _total_written = 0,
34
      _unused2 = "\000\000\000\000\000\000\000"
35
    },
36
    vtable = 0x7ffff7f7c030 <_IO_file_jumps>
37
  },
38
  ...
39
  ...
40
}

进入_IO_new_file_init_internal

1
void
2
_IO_new_file_init_internal (struct _IO_FILE_plus *fp)
3
{
4
  /* POSIX.1 allows another file handle to be used to change the position
5
  of our file descriptor. Hence we actually don't know the actual
6
  position before we do the first fseek (and until a following fflush). */
7
  fp->file._offset = _IO_pos_BAD;
8
  fp->file._flags |= CLOSED_FILEBUF_FLAGS;
9
  _IO_link_in (fp);
10
  fp->file._fileno = -1;
11
}

进入 _IO_link_in 主要是把新的_IO_FILE_plus结构体加入_IO_list_all

1
 void
2
_IO_link_in (struct _IO_FILE_plus *fp)
3
{
4
  if ((fp->file._flags & _IO_LINKED) == 0)
5
  {
6
    fp->file._flags |= _IO_LINKED;
7
#ifdef _IO_MTSAFE_IO
8
    _IO_cleanup_region_start_noarg (flush_cleanup);
9
    _IO_lock_lock (list_all_lock);
10
    run_fp = (FILE *) fp;
11
    _IO_flockfile ((FILE *) fp);
12
#endif
13
    fp->file._chain = (FILE *) _IO_list_all;
14
    if (_IO_vtable_offset ((FILE *) fp) == 0)
15
    {
16
      fp->file._prevchain = (FILE **) &_IO_list_all;
17
      if (_IO_list_all != NULL)
18
      _IO_list_all->file._prevchain = &fp->file._chain;
19
    }
20
      _IO_list_all = fp;
21
#ifdef _IO_MTSAFE_IO
22
      _IO_funlockfile ((FILE *) fp);
23
      run_fp = NULL;
24
      _IO_lock_unlock (list_all_lock);
25
      _IO_cleanup_region_end (0);
26
#endif
27
    }
28
  }
29
libc_hidden_def (_IO_link_in)

执行_IO_file_fopen
基本是根据参数设置各种标志位

1
FILE *
2
_IO_new_file_fopen (FILE *fp, const char *filename, const char *mode,
3
int is32not64)
4
{
5
  int oflags = 0, omode;
6
  int read_write;
7
  int oprot = 0666;
8
  int i;
9
  FILE *result;
10
  const char *cs;
11
  const char *last_recognized;
12

13
  if (_IO_file_is_open (fp))
14
  return NULL;
15
  switch (*mode)
16
  {
17
    case 'r':
18
    omode = O_RDONLY;
19
    read_write = _IO_NO_WRITES;
20
    break;
21
    case 'w':
22
    omode = O_WRONLY;
23
    oflags = O_CREAT|O_TRUNC;
24
    read_write = _IO_NO_READS;
25
    break;
26
    case 'a':
27
    omode = O_WRONLY;
28
    oflags = O_CREAT|O_APPEND;
29
    read_write = _IO_NO_READS|_IO_IS_APPENDING;
30
    break;
31
    default:
32
    __set_errno (EINVAL);
33
    return NULL;
34
  }
35
last_recognized = mode;
36
for (i = 1; i < 7; ++i)
37
{
38
  switch (*++mode)
39
  {
40
  case '\0':
41
  case ',':
42
    break;
43
  case '+':
44
    omode = O_RDWR;
45
    read_write &= _IO_IS_APPENDING;
46
    last_recognized = mode;
47
    continue;
48
  case 'x':
49
    oflags |= O_EXCL;
50
    last_recognized = mode;
51
    continue;
52
  case 'b':
53
    last_recognized = mode;
54
    continue;
55
  case 'm':
56
    fp->_flags2 |= _IO_FLAGS2_MMAP;
57
    continue;
58
  case 'c':
59
    fp->_flags2 |= _IO_FLAGS2_NOTCANCEL;
60
    continue;
61
  case 'e':
62
    oflags |= O_CLOEXEC;
63
    fp->_flags2 |= _IO_FLAGS2_CLOEXEC;
64
    continue;
65
  default:
66
  /* Ignore. */
67
    continue;
68
  }
69
  break;
70
  }
71

72
result = _IO_file_open (fp, filename, omode|oflags, oprot, read_write,
73
is32not64);
74

75
  if (result != NULL)
76
  {
77
    /* Test whether the mode string specifies the conversion. */
78
    cs = strstr (last_recognized + 1, ",ccs=");
79
    if (cs != NULL)
80
    {
81

82
        /* Yep. Load the appropriate conversions and set the orientation
83
        to wide. */
84
        struct gconv_fcts fcts;
85
        struct _IO_codecvt *cc;
86
        char *endp = __strchrnul (cs + 5, ',');
87
        char *ccs = malloc (endp - (cs + 5) + 3);
88

89
      if (ccs == NULL)
90
      {
91
        int malloc_err = errno; /* Whatever malloc failed with. */
92
        (void) _IO_file_close_it (fp);
93
        __set_errno (malloc_err);
94
        return NULL;
95
      }
96

97

98

99
      *((char *) __mempcpy (ccs, cs + 5, endp - (cs + 5))) = '\0';
100
      strip (ccs, ccs);
101

102
      if (__wcsmbs_named_conv (&fcts, ccs[2] == '\0'
103
      ? upstr (ccs, cs + 5) : ccs) != 0)
104
      {
105
        /* Something went wrong, we cannot load the conversion modules.
106
        This means we cannot proceed since the user explicitly asked
107
        for these. */
108
        (void) _IO_file_close_it (fp);
109
        free (ccs);
110
        __set_errno (EINVAL);
111
        return NULL;
112
      }
113

114
      free (ccs);
115
      assert (fcts.towc_nsteps == 1);
116
      assert (fcts.tomb_nsteps == 1);
117

118
      fp->_wide_data->_IO_read_ptr = fp->_wide_data->_IO_read_end;
119
      fp->_wide_data->_IO_write_ptr = fp->_wide_data->_IO_write_base;
120

121
      /* Clear the state. We start all over again. */
122
      memset (&fp->_wide_data->_IO_state, '\0', sizeof (__mbstate_t));
123
      memset (&fp->_wide_data->_IO_last_state, '\0', sizeof (__mbstate_t));
124

125
      cc = fp->_codecvt = &fp->_wide_data->_codecvt;
126
      cc->__cd_in.step = fcts.towc;
127

128
      cc->__cd_in.step_data.__invocation_counter = 0;
129
      cc->__cd_in.step_data.__internal_use = 1;
130
      cc->__cd_in.step_data.__flags = __GCONV_IS_LAST;
131
      cc->__cd_in.step_data.__statep = &result->_wide_data->_IO_state;
132

133
      cc->__cd_out.step = fcts.tomb;
134

135
      cc->__cd_out.step_data.__invocation_counter = 0;
136
      cc->__cd_out.step_data.__internal_use = 1;
137
      cc->__cd_out.step_data.__flags = __GCONV_IS_LAST | __GCONV_TRANSLIT;
138
      cc->__cd_out.step_data.__statep = &result->_wide_data->_IO_state;
139

140
      /* From now on use the wide character callback functions. */
141
      _IO_JUMPS_FILE_plus (fp) = fp->_wide_data->_wide_vtable;
142

143
      /* Set the mode now. */
144
      result->_mode = 1;
145
    }
146

147
  }
148
  return result;
149
}
150
libc_hidden_ver (_IO_new_file_fopen, _IO_file_fopen)

alt text

_IO_file_fopen 进入 _IO_file_open

1
FILE *
2
_IO_file_open (FILE *fp, const char *filename, int posix_mode, int prot,
3
int read_write, int is32not64)
4
{
5
  int fdesc;
6
  if (__glibc_unlikely (fp->_flags2 & _IO_FLAGS2_NOTCANCEL))
7
    fdesc = __open_nocancel (filename,
8
    posix_mode | (is32not64 ? 0 : O_LARGEFILE), prot);
9
  else
10
    fdesc = __open (filename, posix_mode | (is32not64 ? 0 : O_LARGEFILE), prot);
11
  if (fdesc < 0)
12
    return NULL;
13
  fp->_fileno = fdesc;     /*文件标识符fd保存在此*/
14
  _IO_mask_flags (fp, read_write,_IO_NO_READS+_IO_NO_WRITES+_IO_IS_APPENDING);
15
  /* For append mode, send the file offset to the end of the file. Don't
16
  update the offset cache though, since the file handle is not active. */
17
  if ((read_write & (_IO_IS_APPENDING | _IO_NO_READS))
18
  == (_IO_IS_APPENDING | _IO_NO_READS))
19
  {
20
    off64_t new_pos = _IO_SYSSEEK (fp, 0, _IO_seek_end);
21
    if (new_pos == _IO_pos_BAD && errno != ESPIPE)
22
    {
23
      __close_nocancel (fdesc);
24
      return NULL;
25
    }
26
  }
27
  _IO_link_in ((struct _IO_FILE_plus *) fp);
28
  return fp;
29
}
30
libc_hidden_def (_IO_file_open)

1
#define _IO_mask_flags(fp, f, mask) \
2
       ((fp)->_flags = ((fp)->_flags & ~(mask)) | ((f) & (mask)))

等价于

1
fp->_flags = (fp->_flags & ~(_IO_NO_READS|_IO_NO_WRITES|_IO_IS_APPENDING))
2
           | (read_write & (_IO_NO_READS|_IO_NO_WRITES|_IO_IS_APPENDING));

实际效果

模式	`read_write` 值	结果
”r”	`_IO_NO_WRITES`	可读，不可写
”w”	`_IO_NO_READS`	不可读，可写
”a”	`_IO_NO_READS\|_IO_IS_APPENDING`	不可读，可写，追加
”r+“	`0`	可读可写
”w+“	`0`	可读可写
”a+“	`_IO_IS_APPENDING`	可读可写，追加
11._IO_file_open进入open64

内部调用了openat alt text 12. 返回._IO_file_open 13. _IO_file_open进入 _IO_link_in,再次确保FILE对象已经链入_IO_list_all 14. _IO_link_in返回 15. _IO_file_open返回__fopen_internal 16. 如果成功直接返回，如果失败fp脱离_IO_list_all，并free掉 17. fopen执行完成

Thanks for reading!

fopen源码解析

周六 4月 04 2026

2162 字 · 22 分钟

Pwn IO