Stack protector: leak of guard's address on stack
Jakub Jelinek
jakub@redhat.com
Fri Apr 27 13:31:00 GMT 2018
On Fri, Apr 27, 2018 at 01:17:50PM +0100, Thomas Preudhomme wrote:
> It's not the canari which is spilled in this case, but the address to the
> canari. Which means an attacker could make it point to something else than
> the real canari.
When the canary is in TLS area, it is usually small constant away from some
base register (or segment register) and there is no possibility of having
that spilled, the addition is done always in the instruction performing
memory read of the canary.
Jakub
More information about the Gcc
mailing list