It's not the canary which is spilled in this case, but the address of the canary, which means an attacker could make it point to something other than the real canary.
On 27 April 2018 at 13:16, Jakub Jelinek <ja...@redhat.com> wrote:
> On Thu, Apr 19, 2018 at 06:17:26PM +0100, Thomas Preudhomme wrote:
> > For stack protector to be robust, the guard against which the canary is
> > compared must at no point in time be spilled to the stack. This is achieved
> > by having dedicated insn patterns for setting the canary and comparing it
> > against the guard, which don't reflect at RTL what is happening. However,
> > computing the address of the guard is done using the standard movsi pattern
> > and can thus be spilled (see PR85434). I'm reaching out to the community for
> > ideas on how to avoid this.
>
> Usually targets just put the canary into the TLS area, then there is nothing to
> spill.
>
> Jakub
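The two epilogue shapes under discussion, modelled in plain C as an added illustration (this is not GCC code and does not reproduce the actual RTL or the PR85434 test case). The struct layouts, the `global_guard`/`tls_guard` variables and the `smash` helper are all constructed here to show why a spilled guard address matters: a frame that holds the address of the guard next to the canary can be overwritten so that the compare dereferences attacker memory, whereas a frame whose epilogue reloads the guard from TLS leaves no pointer on the stack to redirect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two epilogue shapes discussed on the list; this is an
 * added illustration, not GCC code. The guard value is a plain global here; on
 * most targets it lives in TLS (e.g. %fs:0x28 on x86-64 glibc). */
static uintptr_t global_guard = 0x1122334455667788ULL;
static __thread uintptr_t tls_guard = 0x1122334455667788ULL;

/* Frame of a function whose prologue computed &global_guard into a register that
 * the register allocator later spilled next to the canary (the PR85434 shape). */
struct frame_spilled {
    char buf[16];
    uintptr_t canary;      /* prologue copies *guard_ptr here */
    uintptr_t *guard_ptr;  /* spill slot holding the address of the guard */
};

/* Frame of a function whose epilogue reloads the guard straight from TLS. */
struct frame_tls {
    char buf[16];
    uintptr_t canary;
};

/* Epilogue compare when the guard address came from a spill slot: the compare
 * dereferences whatever pointer is in that slot now. Returns 1 if it passes. */
int epilogue_check_spilled(const struct frame_spilled *f) {
    return f->canary == *f->guard_ptr;
}

/* Epilogue compare when the guard is read from TLS: no pointer on the frame
 * participates, so only the real guard value can satisfy it. */
int epilogue_check_tls(const struct frame_tls *f) {
    return f->canary == tls_guard;
}

/* Attacker-controlled memory (constructed); the attacker does not know the guard. */
static uintptr_t attacker_value = 0xdeadbeefdeadbeefULL;

/* Overwrite the whole frame, modelling an unbounded copy into buf that runs
 * through the canary and into the spill slot. */
static void smash(void *frame, const void *payload, size_t n) {
    memcpy(frame, payload, n);
}

/* Benign run: prologue sets the canary, nothing overflows, the check passes. */
int run_spilled_benign(void) {
    struct frame_spilled f = { .guard_ptr = &global_guard };
    f.canary = *f.guard_ptr;
    return epilogue_check_spilled(&f);
}

/* Overflow against the spilled-address frame: the payload supplies a fake canary
 * and a pointer to attacker memory holding the same fake value, so the compare
 * is redirected away from the real guard and passes. */
int run_spilled_overflow(void) {
    struct frame_spilled f = { .guard_ptr = &global_guard };
    f.canary = *f.guard_ptr;

    struct frame_spilled payload;
    memset(payload.buf, 'A', sizeof payload.buf);
    payload.canary = attacker_value;
    payload.guard_ptr = &attacker_value;
    smash(&f, &payload, sizeof f);

    return epilogue_check_spilled(&f);
}

/* Same overflow against the TLS frame: the canary is clobbered but there is no
 * pointer to redirect, so the compare against tls_guard fails. */
int run_tls_overflow(void) {
    struct frame_tls f;
    f.canary = tls_guard;

    struct frame_tls payload;
    memset(payload.buf, 'A', sizeof payload.buf);
    payload.canary = attacker_value;
    smash(&f, &payload, sizeof f);

    return epilogue_check_tls(&f);
}

int main(void) {
    printf("spilled guard address, benign:   %s\n",
           run_spilled_benign() ? "pass" : "fail");
    printf("spilled guard address, overflow: %s (check bypassed)\n",
           run_spilled_overflow() ? "pass" : "fail");
    printf("TLS guard, overflow:             %s (overflow detected)\n",
           run_tls_overflow() ? "pass" : "fail");
    return 0;
}
```

The model deliberately overwrites the entire frame in one `memcpy` rather than reproducing a real overflow: the point is only that whatever lies between the buffer and the compare is attacker-writable, and a spilled guard address is one more such thing. Whether the real epilogue would pick up the corrupted spill slot depends on the target's pattern, which is what the thread is about.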