I could test using strncpy() with a larger source string than the destination:
#include <stdlib.h>
#include <string.h>
int main() {
    char *ptr = malloc(12);      /* 12 bytes: room for 11 characters plus the NUL */
    strcpy(ptr, "hello world!"); /* writes 13 bytes: the one-byte heap overflow being asked about */
}
Could someone explain to me how this works?
The canary word is read from fs:40 and stored at the top of the frame here:
movq %fs:40, %rax
movq %rax, -8(%rbp)
It's below the return address, so if your code happens to overflow the buffer (which will be below -8(%rbp)), it'll first overwrite the -8(%rbp) location. This will be detected by GCC prior to issuing ret here:
movq -8(%rbp), %rcx
xorq %fs:40, %rcx ; Checks that %fs:40 == -8(%rbp)
je .L3 ; Ok, return
call __stack_chk_fail ; Die
as the overwritten contents of -8(%rbp) will likely be different from the proper value (installed from fs:40).
And why is the canary word not also overwritten by the \0 of the hello world!?
Your code has a heap overflow, not a buffer overflow, so SSP can't help...
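As an added example (not code from the question or from either answer above), the following C program models the frame layout the answer describes and the heap case the last comment points at. The canary value, the return address and the "heap chunk" are constructed stand-ins; the layout assumes GCC places the 12-byte char array directly below the canary slot at -8(%rbp). It shows the three outcomes a practitioner should be able to predict: a stack overflow that reaches the canary is caught before ret, a stack overflow of exactly one NUL byte is not (glibc clears the lowest-addressed byte of the canary, so a NUL landing there changes nothing), and a heap overflow never touches the canary at all.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the per-thread guard glibc keeps at %fs:0x28 (fs:40).
 * Constructed value: the real one is random per process, but like the
 * real one its lowest-addressed byte is 0x00 (glibc clears that byte so
 * string functions stop at the canary rather than reading past it). */
static const unsigned char fs40[8] = {0x00, 0x86, 0x7b, 0xd2, 0x3f, 0x9c, 0x1a, 0x4e};

/* Hand-built frame using the layout assumed for the protected function:
 *   buf[12]   at -20(%rbp)  -> offsets  0..11
 *   canary    at  -8(%rbp)  -> offsets 12..19
 *   saved rbp at   0(%rbp)  -> offsets 20..27
 *   ret addr  at   8(%rbp)  -> offsets 28..35
 * A copy running upward from buf must cross the canary before it can
 * reach the return address. */
enum { BUF_OFF = 0, BUF_LEN = 12, CANARY_OFF = 12, RET_OFF = 28, FRAME_LEN = 36 };

struct result {
    int canary_ok;      /* 1: xorq %fs:40,%rcx gives 0 and je .L3 is taken; 0: __stack_chk_fail */
    int ret_clobbered;  /* 1: the saved return address no longer matches */
    int bytes_past_buf; /* how many bytes the copy wrote beyond the 12-byte array */
};

/* Simulates the protected function: the prologue copies fs:40 into the frame,
 * the body does an unchecked strcpy()-style copy of src into buf, and the
 * epilogue re-reads the slot and compares it with fs:40 before "ret". */
struct result stack_copy(const char *src) {
    unsigned char frame[FRAME_LEN] = {0};
    const unsigned char ret_addr[8] = {0x36, 0x11, 0x40, 0, 0, 0, 0, 0}; /* constructed */
    struct result r;
    size_t n = strlen(src) + 1;            /* strcpy() copies the trailing NUL too */
    if (n > FRAME_LEN) n = FRAME_LEN;      /* the constructed frame has a hard end */

    memcpy(frame + CANARY_OFF, fs40, 8);   /* movq %fs:40,%rax ; movq %rax,-8(%rbp) */
    memcpy(frame + RET_OFF, ret_addr, 8);
    memcpy(frame + BUF_OFF, src, n);       /* the overflow: nothing stops it at 12 bytes */

    r.canary_ok = memcmp(frame + CANARY_OFF, fs40, 8) == 0; /* movq -8(%rbp),%rcx ; xorq %fs:40,%rcx */
    r.ret_clobbered = memcmp(frame + RET_OFF, ret_addr, 8) != 0;
    r.bytes_past_buf = n > BUF_LEN ? (int)(n - BUF_LEN) : 0;
    return r;
}

/* Same unchecked copy, but into a stand-in for a malloc(12) chunk that lives
 * away from the frame. The canary is never on the write path, so the check
 * passes no matter how far the copy runs; what gets clobbered is whatever
 * follows the chunk in the heap (in a real heap, the next chunk's header). */
struct result heap_copy(const char *src) {
    unsigned char frame[FRAME_LEN] = {0};
    unsigned char heap[32] = {0};          /* constructed: 12 usable bytes plus neighbours */
    struct result r;
    size_t n = strlen(src) + 1;
    if (n > sizeof heap) n = sizeof heap;

    memcpy(frame + CANARY_OFF, fs40, 8);
    memcpy(heap + BUF_OFF, src, n);

    r.canary_ok = memcmp(frame + CANARY_OFF, fs40, 8) == 0;
    r.ret_clobbered = 0;
    r.bytes_past_buf = n > BUF_LEN ? (int)(n - BUF_LEN) : 0;
    return r;
}

static void report(const char *where, const char *src, struct result r) {
    printf("%-5s \"%s\": %d byte(s) past buf, canary %s, ret %s\n", where, src,
           r.bytes_past_buf, r.canary_ok ? "intact" : "SMASHED -> __stack_chk_fail",
           r.ret_clobbered ? "clobbered" : "intact");
}

int main(void) {
    report("stack", "hello world!", stack_copy("hello world!"));   /* one NUL onto the zero byte: undetected */
    report("stack", "hello world!!", stack_copy("hello world!!")); /* '!' lands on the canary: detected */
    report("stack", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", stack_copy("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    report("heap", "hello world!!!!", heap_copy("hello world!!!!")); /* past the chunk, canary untouched */
    return 0;
}
```

The check is modelled with memcmp() over the eight canary bytes, which is what the xorq/je pair computes; the important property is the ordering of the frame, not the comparison instruction. On a real build you can watch the same thing happen with gcc -fstack-protector-all -O0 and a local char buf[12]: one extra NUL is silent, two extra bytes abort with "stack smashing detected".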