Not only -fstack-check protects from this exploit, also the new clang -fcpi checker in levee https://github.com/cpi-llvm and of course the old -fsanitize=address.

-fcps does not catch it.

I haven't checked -fsanitize=safe-stack yet, as my old levee build didn't offer that.