Quiz Entry - updated: 2026.07.06
How do you recognize stack canaries (buffer overflow protection) in assembly?
Look for a secret value read from %fs:0x28 at entry, stashed on the stack, then re-checked (via xor %fs:0x28) before return — mismatch calls __stack_chk_fail.
* Canary from %fs:0x28 sits between locals and return addr; xor-checked before ret. *
Prologue (canary setup):
mov %fs:0x28, %rax
mov %rax, -0x8(%rbp)
xor %eax, %eax
Epilogue (canary check):
mov -0x8(%rbp), %rax
xor %fs:0x28, %rax
je .L_ok
call <__stack_chk_fail>
.L_ok:
leave
ret
What it does:
- Loads a random value from thread-local storage (
%fs:0x28) - Places it on the stack between local variables and the return address
- Before returning, checks if the value was overwritten
- If it changed → buffer overflow detected →
__stack_chk_failterminates the program
Forensic relevance: Seeing __stack_chk_fail in a crash log means a buffer overflow was detected. The canary value changes every run (ASLR), so it can't be predicted.
Go deeper: