https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96191

--- Comment #3 from Jim Wilson <wilson at gcc dot gnu.org> ---
The location of the canary is not known to the attacker.  You are not supposed
to leak the address of the canary or the value of the canary.  If you leak
either, then an attacker has a chance to restore the canary after clobbering
it.

See the descriptions of the stack_protect_set and stack_protect_test patterns
in gcc/doc/md.texi which make clear that no intermediate values should be
allowed to survive past the end of the pattern.
