I’m testing a simple buffer overflow on Ubuntu 22.04 (kernel 6.8.0-52-generic) and encountering this issue:
I can overwrite RIP with only 6 bytes. If I try to overwrite all 8 bytes, RIP resets to a valid address instead of the corrupted address.
vuln.c
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char name[64];
    strcpy(name, argv[1]); // No bounds checking = buffer overflow
    printf("Arg[1] is :%s\n", name);
    return 0;
}
gdb outputs
Tried both GCC 11 and GCC 9. Compiled with -fno-stack-protector -no-pie -z execstack -fcf-protection=none -Wl,-z,norelro. Haven't changed anything. Checked with checksec and dmesg. Protections look closed.
checksec and other stuff
What security mitigation could be preventing me from overwriting the last 2 bytes of RIP?
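Added example (not part of the question above): what stops the 8-byte overwrite is not a mitigation but the x86-64 canonical-address rule, under which bits 63:48 of a 64-bit virtual address must equal bit 47; a `ret` to any other value raises #GP before the jump, so the kernel delivers SIGSEGV with RIP still at the `ret`, which is the "valid address" seen in gdb. The code below simulates the saved-return-address slot after a 6-byte and an 8-byte overrun, checks each result for canonical form, and shows the bounded copy that fixes vuln.c; the saved address 0x401156 and the 0x41 fill byte are constructed values.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* x86-64 with 4-level paging has 48-bit virtual addresses: bits 63:48 must
 * be copies of bit 47 ("canonical form"). A ret to any other value raises
 * #GP before control transfers, so the fault is reported at the ret itself. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;          /* bits 63:47, 17 bits */
    return top == 0 || top == 0x1FFFF;  /* all zero or all one */
}

/* Simulate the 8-byte saved-RIP slot after strcpy overran the buffer by
 * n bytes of 'fill'. Memory is little-endian, so the low bytes go first. */
uint64_t simulate_overwrite(uint64_t saved_rip, size_t n, unsigned char fill)
{
    unsigned char slot[8];
    memcpy(slot, &saved_rip, sizeof slot);
    if (n > sizeof slot) n = sizeof slot;
    memset(slot, fill, n);
    uint64_t result;
    memcpy(&result, slot, sizeof result);
    return result;
}

/* The fix for vuln.c: copy with an explicit bound and refuse oversized input
 * instead of silently truncating. Returns 0 on success, -1 on rejection. */
int copy_arg_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return -1;
    size_t len = strnlen(src, dst_size);
    if (len == dst_size) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, len + 1);  /* includes the terminating NUL */
    return 0;
}

int main(void)
{
    uint64_t saved = 0x0000000000401156ULL;  /* constructed non-PIE text address */
    uint64_t six = simulate_overwrite(saved, 6, 0x41);
    uint64_t eight = simulate_overwrite(saved, 8, 0x41);
    printf("6 bytes: 0x%016llx canonical=%d\n", (unsigned long long)six, is_canonical(six));
    printf("8 bytes: 0x%016llx canonical=%d\n", (unsigned long long)eight, is_canonical(eight));
    return 0;
}
```

With 6 bytes the top two bytes keep the original 0x0000, so the address stays canonical; with 8 bytes the result 0x4141414141414141 is non-canonical and the ret faults in place.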