http://gcc.gnu.org/bugzilla/show_bug.cgi?id=51467
Bug #: 51467
Summary: Stack Smashing Protector: Canary is destroyed in RAX partially only on x86_64
Classification: Unclassified
Product: gcc
Version: 4.4.4
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: other
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: ogm256-fo...@yahoo.de

Created attachment 26023
--> http://gcc.gnu.org/bugzilla/attachment.cgi?id=26023
Sample code vuln.c and its corresponding assembly code vuln-with-ssp.s

I compiled the attached vuln.c to assembly code with the following command on CentOS 6.0 on an x86_64:

    gcc -fstack-protector -S -o vuln-with-ssp.s vuln.c

In the assembly code the canary is put on the stack as follows:

    ...
    movq %fs:40, %rax
    movq %rax, -8(%rbp)
    xorl %eax, %eax
    ...

The canary is a 64-bit value, as %rax indicates. Unfortunately, only the lower 32 bits of the canary in %rax are destroyed, because the xor operation takes effect on %eax only. In my opinion, to leave no hint on the canary to an attacker, the whole canary should be destroyed in %rax.
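Added example, not part of the bug report or its attachment: it runs the exact `xorl %eax, %eax` from the prologue above on a constructed RAX value and returns what the full 64-bit register holds afterwards, with a 16-bit `xorw %ax, %ax` alongside for comparison of register-width semantics. It needs an x86-64 target; the function names are chosen here.

```c
/* Demonstrates what a 32-bit and a 16-bit register write leave in the
 * full 64-bit RAX on x86-64. Added example; the RAX value is constructed. */
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__)
#error "This demonstration is specific to the x86-64 instruction set"
#endif

/* Load `value` into RAX, execute the prologue's `xorl %eax, %eax`,
 * then return whatever all 64 bits of RAX hold afterwards. */
uint64_t rax_after_xorl_eax(uint64_t value)
{
    uint64_t out;
    __asm__ volatile(
        "movq %1, %%rax\n\t"
        "xorl %%eax, %%eax\n\t"   /* the instruction from the report */
        "movq %%rax, %0"
        : "=r"(out)
        : "r"(value)
        : "rax", "cc");
    return out;
}

/* Same experiment with a 16-bit write to AX, for contrast. */
uint64_t rax_after_xorw_ax(uint64_t value)
{
    uint64_t out;
    __asm__ volatile(
        "movq %1, %%rax\n\t"
        "xorw %%ax, %%ax\n\t"
        "movq %%rax, %0"
        : "=r"(out)
        : "r"(value)
        : "rax", "cc");
    return out;
}

int main(void)
{
    /* constructed stand-in for a canary value held in RAX */
    uint64_t canary = 0xDEADBEEFCAFEBABEULL;
    printf("after xorl %%eax,%%eax : 0x%016llx\n",
           (unsigned long long)rax_after_xorl_eax(canary));
    printf("after xorw %%ax,%%ax   : 0x%016llx\n",
           (unsigned long long)rax_after_xorw_ax(canary));
    return 0;
}
```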