ARM64 Stack Layout - Why 100x'A' Doesn't Crash?

Question

I'm trying to exploit a buffer overflow vulnerability in an ARM64 program from this blog. When I give as input 100*'A', and I compile the program for ARM 32 bit (without canaries), the program crashes (as the return address is overwritten). But, when I give as input 100*'A', and I compile the program for ARM 64 bit (without canaries), the program does not crash. Why does it happen? Can someone explain?

Here are some screenshots of the stack before and after the call for strcpy:

32 bit: 64 bit:

BTW I'm using QEMU to run the code on an Ubuntu VM 64 bit on an Intel CPU (also tried with Kali Linux 64 bit).

Thanks.

The code is:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
 
void vulnerable(char* ip) {
    char buffer[20];
    strcpy(buffer, ip);
}
 
void win(){
    printf("You successfully exploited the buffer overflow\n");
    system("/bin/sh");
}

int main(int argc, char** argv) {
    if (argc != 2) {
        printf("Argument <input>\n");
        exit(1);
    }
    vulnerable(argv[1]);
    exit(0);
}

Compiled with:

aarch64-linux-gnu-gcc -O0 -fno-stack-protector -z execstack -o vuln64 ./vuln.c

Answer 1

The return address has been placed below the buffer on the stack. I presume it's the 0x55000008e0 entry in your second screenshot. This means that you won't be able to overwrite the return address via the buffer overflow.

See https://stackoverflow.com/questions/68774522/arm64-buffer-overflow-cannot-overwrite-pc for a more detailed explanation.