On Fri, Apr 27, 2018 at 01:17:50PM +0100, Thomas Preudhomme wrote: > It's not the canari which is spilled in this case, but the address to the > canari. Which means an attacker could make it point to something else than > the real canari.
When the canary is in TLS area, it is usually small constant away from some
base register (or segment register) and there is no possibility of having
that spilled, the addition is done always in the instruction performing
memory read of the canary.
Jakub
