
I disassembled a simple C program (compiled by gcc) and the instructions responsible for placing the stack canary are the following:

mov    %fs:0x28,%rax
mov    %rax,-0x8(%rbp)
xor    %eax,%eax

Note that the canary is eight bytes (rax), yet only four bytes (xor eax, eax) get cleared.

Is this intentional? It looks like the code just leaked half of the stack canary.

0x00

1 Answer


With amd64, when you modify the lower 32 bits of a register, the upper 32 bits are cleared. This is different from when you modify any lower part of a register: for instance, xor al, al only clears the 8 low bits of rax.

Since xor eax, eax is one byte shorter than xor rax, rax, compilers will usually prefer the first one.

zneak
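The partial-register rule the answer relies on can be checked directly. The following is an added example, not code from the question or the answer: it runs `xor eax,eax`, `xor ax,ax` and `xor al,al` on a constructed 64-bit pattern via GCC/Clang inline assembly and returns the resulting rax, and it replays the question's save-then-clear sequence with a constructed "canary" value standing in for `%fs:0x28` and a local variable standing in for the `-0x8(%rbp)` stack slot. It requires an x86-64 compiler.

```c
/* Added illustration of the amd64 partial-register rule: a 32-bit write
 * (eax) zero-extends into all 64 bits of rax, while 8- and 16-bit writes
 * (al, ax) leave the upper bits untouched. Not code from the original post. */
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__)
#error "This example uses x86-64 inline assembly (GCC/Clang AT&T syntax)."
#endif

/* Load v into rax, execute `xor eax, eax`, return the resulting rax. */
uint64_t after_xor_eax(uint64_t v) {
    __asm__ volatile("xor %%eax, %%eax" : "+a"(v) : : "cc");
    return v;
}

/* Same with the 16-bit sub-register: the upper 48 bits survive. */
uint64_t after_xor_ax(uint64_t v) {
    __asm__ volatile("xor %%ax, %%ax" : "+a"(v) : : "cc");
    return v;
}

/* Same with the 8-bit sub-register: only the low byte is cleared. */
uint64_t after_xor_al(uint64_t v) {
    __asm__ volatile("xor %%al, %%al" : "+a"(v) : : "cc");
    return v;
}

/* The sequence from the question. `canary` is a constructed value standing
 * in for %fs:0x28 and `*slot` stands in for -0x8(%rbp). Returns rax after
 * the clear; the saved copy is left in *slot. */
uint64_t canary_sequence(uint64_t canary, uint64_t *slot) {
    uint64_t rax = canary;                 /* mov %fs:0x28,%rax */
    __asm__ volatile(
        "mov %%rax, %0\n\t"                /* mov %rax,-0x8(%rbp) */
        "xor %%eax, %%eax"                 /* xor %eax,%eax: whole rax -> 0 */
        : "=m"(*slot), "+a"(rax) : : "cc");
    return rax;
}

/* Convenience wrapper returning what ended up in the stack slot. */
uint64_t canary_sequence_slot(uint64_t canary) {
    uint64_t slot = 0;
    (void)canary_sequence(canary, &slot);
    return slot;
}

int main(void) {
    const uint64_t v = 0xDEADBEEFCAFEBABEULL;  /* constructed test pattern */
    printf("xor eax,eax -> %016llx\n", (unsigned long long)after_xor_eax(v));
    printf("xor ax,ax   -> %016llx\n", (unsigned long long)after_xor_ax(v));
    printf("xor al,al   -> %016llx\n", (unsigned long long)after_xor_al(v));
    printf("sequence    -> rax=%016llx slot=%016llx\n",
           (unsigned long long)canary_sequence(v, &(uint64_t){0}),
           (unsigned long long)canary_sequence_slot(v));
    return 0;
}
```

Only the `xor eax, eax` case yields rax = 0; the 8- and 16-bit variants keep the high bits, which is why the compiler's choice of the 32-bit form is enough to remove the canary from the register.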