LOGBOOK

HELP

Quiz Entry - updated: 2026.07.06

How do you recognize stack canaries (buffer overflow protection) in assembly?

Look for a secret value read from %fs:0x28 at entry, stashed on the stack, then re-checked (via xor %fs:0x28) before return — mismatch calls __stack_chk_fail.

Prologue loads %fs:0x28 into a stack slot between the local buffer and the return address; the epilogue xors it against %fs:0x28 and either returns (je) or calls __stack_chk_fail if the canary was overwritten.

* Canary from %fs:0x28 sits between locals and return addr; xor-checked before ret. *

Prologue (canary setup):

mov  %fs:0x28, %rax
mov  %rax, -0x8(%rbp)
xor  %eax, %eax

Epilogue (canary check):

mov  -0x8(%rbp), %rax
xor  %fs:0x28, %rax
je   .L_ok
call <__stack_chk_fail>
.L_ok:
    leave
    ret

What it does:

  1. Loads a random value from thread-local storage (%fs:0x28)
  2. Places it on the stack between local variables and the return address
  3. Before returning, checks if the value was overwritten
  4. If it changed → buffer overflow detected → __stack_chk_fail terminates the program

Forensic relevance: Seeing __stack_chk_fail in a crash log means a buffer overflow was detected. The canary value changes every run (ASLR), so it can't be predicted.

Go deeper:

From Quiz: REVE1 / Assembly Patterns & GDB | Updated: Jul 06, 2026