This is the mail archive of the mailing list for the GCC project.
Re: Stack protector: leak of guard's address on stack
- From: Jakub Jelinek <jakub at redhat dot com>
- To: Thomas Preudhomme <thomas dot preudhomme at linaro dot org>
- Cc: gcc at gcc dot gnu dot org
- Date: Fri, 27 Apr 2018 14:22:04 +0200
- Subject: Re: Stack protector: leak of guard's address on stack
- References: <CAKnkMGsEPiRoKBHEJVrnHbGLNx-7gZk0Kt7uqJRMZgQD1Uh=Wg@mail.gmail.com> <20180427121601.GT8577@tucnak> <CAKnkMGsgfApCWmLfsGfFrHejR4xLotx4B1wUX8XAAo=ceh+EoQ@mail.gmail.com>
- Reply-to: Jakub Jelinek <jakub at redhat dot com>
On Fri, Apr 27, 2018 at 01:17:50PM +0100, Thomas Preudhomme wrote:
> It's not the canary which is spilled in this case, but the address to the
> canary. Which means an attacker could make it point to something else than
> the real canary.
When the canary is in the TLS area, it is usually a small constant away from some
base register (or segment register) and there is no possibility of having
that spilled; the addition is always done in the instruction performing the
memory read of the canary.
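As an added illustration of the addressing mode Jakub describes (example code written for this page, not from the thread and not GCC's own code): on x86-64 Linux the canary lives in the thread control block at %fs:0x28, and the stack-protector prologue reads it with a single `mov %fs:0x28, %reg`. The segment base and the 0x28 displacement are folded into that one instruction, so the canary's address never exists in a general-purpose register and there is nothing for the register allocator to spill. The second reader below deliberately does the opposite, the pattern Thomas is worried about: it materializes the address in an ordinary pointer variable (TCB self-pointer at %fs:0 plus the same offset) and dereferences it. The layout assumptions (self-pointer at offset 0, stack guard at 0x28) are the published TCB layouts of glibc and musl on x86-64; on other targets the example reports itself unsupported rather than guessing.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the GCC thread. Assumes x86-64 Linux with a
 * glibc- or musl-style TCB: %fs:0 holds the TCB's self-pointer and the stack
 * guard lives at offset 0x28 (glibc tcbhead_t.stack_guard, musl pthread.canary).
 * Anywhere else the functions below return 0 and report "unsupported". */
#if defined(__x86_64__) && defined(__linux__)
#define TLS_CANARY_SUPPORTED 1
#else
#define TLS_CANARY_SUPPORTED 0
#endif

enum { STACK_GUARD_OFFSET = 0x28 }; /* assumed glibc/musl x86-64 layout */

/* Can this build run the demonstration at all? */
int tls_canary_supported(void) { return TLS_CANARY_SUPPORTED; }

/* The form a -fstack-protector prologue uses on x86-64: one load whose
 * effective address is segment base + constant displacement. No general
 * register ever holds the canary's address, so there is nothing to spill. */
uintptr_t read_canary_via_segment(void)
{
#if TLS_CANARY_SUPPORTED
    uintptr_t v;
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(v));
    return v;
#else
    return 0;
#endif
}

/* The self-pointer at %fs:0 exposes what the segment base actually is. */
uintptr_t read_tcb_self(void)
{
#if TLS_CANARY_SUPPORTED
    uintptr_t p;
    __asm__ volatile("movq %%fs:0, %0" : "=r"(p));
    return p;
#else
    return 0;
#endif
}

/* Same value, reached the way a non-TLS (global) guard would be: the address
 * is first computed into 'addr', an ordinary register-allocated value that the
 * compiler is free to spill to the stack, and only then dereferenced. That
 * spilled address is exactly what the thread is concerned about. */
uintptr_t read_canary_via_materialized_address(void)
{
    if (!TLS_CANARY_SUPPORTED)
        return 0;
    uintptr_t *addr = (uintptr_t *)(read_tcb_self() + STACK_GUARD_OFFSET);
    return *addr;
}

int main(void)
{
    if (!tls_canary_supported()) {
        puts("not x86-64 Linux; nothing to demonstrate");
        return 0;
    }
    uintptr_t a = read_canary_via_segment();
    uintptr_t b = read_canary_via_materialized_address();
    printf("TCB self pointer    : %#lx\n", (unsigned long)read_tcb_self());
    printf("canary via %%fs:0x28 : %#lx\n", (unsigned long)a);
    printf("canary via pointer  : %#lx\n", (unsigned long)b);
    printf("%s\n", a == b ? "same value, two addressing modes" : "mismatch");
    return a == b ? 0 : 1;
}
```

Compile with `gcc -O2 -S` and compare the two readers: the first is a single `movq %fs:40, %rax`, while the second has to form the address in a register (`movq %fs:0, %rax; movq 40(%rax), %rax`), and under register pressure that intermediate value is a candidate for a stack slot, which is the leak Thomas describes for targets that keep the guard behind a pointer.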