Skip to content

Commit 4faa4e3

Browse files
fanquakefanquake
committed
build: use _FORTIFY_SOURCE=3
glibc 2.33 introduced a new fortification level, _FORTIFY_SOURCE=3. Which improves the coverage of cases where _FORTIFY_SOURCE can use _chk functions. For example, using GCC 13 and glibc 2.36 (Fedora Rawhide), compiling master: ```bash nm -C src/bitcoind | grep _chk U __fprintf_chk@GLIBC_2.17 U __memcpy_chk@GLIBC_2.17 U __snprintf_chk@GLIBC_2.17 U __sprintf_chk@GLIBC_2.17 U __stack_chk_fail@GLIBC_2.17 U __stack_chk_guard@GLIBC_2.17 U __vsnprintf_chk@GLIBC_2.17 objdump -d src/bitcoind | grep "_chk@plt" | wc -l 33 ``` vs this branch: ```bash nm -C src/bitcoind | grep _chk U __fprintf_chk@GLIBC_2.17 U __memcpy_chk@GLIBC_2.17 U __memset_chk@GLIBC_2.17 U __snprintf_chk@GLIBC_2.17 U __sprintf_chk@GLIBC_2.17 U __stack_chk_fail@GLIBC_2.17 U __stack_chk_guard@GLIBC_2.17 U __vsnprintf_chk@GLIBC_2.17 objdump -d src/bitcoind | grep "_chk@plt" | wc -l 61 ``` Usage of level 3 requires LLVM/Clang 9+, or GCC 12+. Older compilers/glibc will still use _FORTIFY_SOURCE=2. For example, in the glibc we currently use for Linux release builds (2.24), FORTIFY_LEVEL is determined using the following: ```c ``` so any value > 1 will turn on _FORTIFY_SOURCE=2. https://sourceware.org/pipermail/libc-alpha/2021-February/122207.html https://developers.redhat.com/blog/2021/04/16/broadening-compiler-checks-for-buffer-overflows-in-_fortify_source
1 parent fe1b325 commit 4faa4e3

File tree

1 file changed

+2
-2
lines changed

1 file changed

+2
-2
lines changed

configure.ac

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -963,11 +963,11 @@ if test "$use_hardening" != "no"; then
963963
dnl However, FORTIFY_SOURCE requires that there is some level of optimization, otherwise it does nothing and just creates a compiler warning.
964964
dnl Since FORTIFY_SOURCE is a no-op without optimizations, do not enable it when enable_debug is yes.
965965
if test "$enable_debug" != "yes"; then
966-
AX_CHECK_PREPROC_FLAG([-D_FORTIFY_SOURCE=2],[
966+
AX_CHECK_PREPROC_FLAG([-D_FORTIFY_SOURCE=3],[
967967
AX_CHECK_PREPROC_FLAG([-U_FORTIFY_SOURCE],[
968968
HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -U_FORTIFY_SOURCE"
969969
])
970-
HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -D_FORTIFY_SOURCE=2"
970+
HARDENED_CPPFLAGS="$HARDENED_CPPFLAGS -D_FORTIFY_SOURCE=3"
971971
])
972972
fi
973973

0 commit comments

Comments
 (0)