https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85434
Bug ID: 85434
Summary: Address of stack protector guard spilled to stack on ARM
Product: gcc
Version: 8.0.1
Status: UNCONFIRMED
Keywords: diagnostic
Severity: normal
Priority: P3
Component: target
Assignee: thopre01 at gcc dot gnu.org
Reporter: thopre01 at gcc dot gnu.org
Target Milestone: ---
Target: arm-linux-gnueabihf

Created attachment 43962
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=43962&action=edit
Testcase for stack protector spilling guard address

When compiling the attached file with -mcpu=cortex-a57 -std=c99 -Os -fpic -fstack-protector-strong, the address of the stack protector guard gets spilled on the stack, where an attacker using a buffer overflow could overwrite it and thus control what the canary is checked against:

    ldr r3, [sp]            <--- accessing spilled address of guard from stack
    mov r0, r4
    ldr r2, [sp, #228]
    ldr r3, [r3]
    cmp r2, r3
    beq .L18
    bl __stack_chk_fail(PLT)

I can reproduce this on GCC 7 and trunk at least.
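As an added example (not part of the bug report or of GCC), the following scanner walks a GCC ARM assembly listing and flags canary checks of the shape shown above, where the register holding the guard address was itself loaded from a stack slot before being dereferenced. The two listings are constructed from the snippet in the report, and the matching assumes GCC's ldr / cmp / bl __stack_chk_fail epilogue form.

```python
import re

# Register names as GCC prints them in ARM assembly output.
REG = r'(r\d+|ip|lr)'
LDR_FROM_SP = re.compile(r'^\s*ldr\s+' + REG + r',\s*\[sp(?:,\s*#-?\d+)?\]')
LDR_DEREF = re.compile(r'^\s*ldr\s+' + REG + r',\s*\[' + REG + r'(?:,\s*#0)?\]')
CMP = re.compile(r'^\s*cmp\s+' + REG + r',\s*' + REG)
CHK_FAIL = re.compile(r'^\s*bl\s+__stack_chk_fail')


def find_spilled_guard_checks(asm_text, window=8):
    """Return [(cmp_line_no, base_reg)] for every canary comparison whose guard
    value was read through a pointer that came from a stack slot (the shape in
    GCC bug 85434). Line numbers are 1-based. Heuristic: it does not track
    intervening writes to base_reg, so treat hits as candidates to inspect."""
    lines = asm_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = CMP.match(line)
        # Only a cmp followed shortly by bl __stack_chk_fail is a canary check.
        if not m or not any(CHK_FAIL.match(t) for t in lines[i + 1:i + 1 + window]):
            continue
        cmp_regs = set(m.groups())
        base = None  # register that held the guard address, once known
        for prev in reversed(lines[max(0, i - window):i]):
            if base is None:
                d = LDR_DEREF.match(prev)
                if d and d.group(1) in cmp_regs:
                    base = d.group(2)
                continue
            s = LDR_FROM_SP.match(prev)
            if s and s.group(1) == base:
                findings.append((i + 1, base))  # guard address came off the stack
                break
    return findings


# Constructed listings: the first mirrors the report, the second loads the
# guard address from a literal pool entry instead of a stack slot.
VULNERABLE_LISTING = """\
    ldr r3, [sp]
    mov r0, r4
    ldr r2, [sp, #228]
    ldr r3, [r3]
    cmp r2, r3
    beq .L18
    bl __stack_chk_fail(PLT)
"""
SAFE_LISTING = VULNERABLE_LISTING.replace("ldr r3, [sp]", "ldr r3, .L20")

if __name__ == "__main__":
    print(find_spilled_guard_checks(VULNERABLE_LISTING), find_spilled_guard_checks(SAFE_LISTING))
```

Run it over the output of `gcc -S` with the flags from the report to audit a build; an empty result for every function means no epilogue reloads the guard pointer from the stack.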