-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
_FORTIFY_SOURCE recommendation is a timebomb #659
Comments
@thesamesam: Thanks for reporting this. AX_ADD_FORTIFY_SOURCE is a useful addition and I am definitely in favor of covering that, but it is specific to Autotools. Do I understand the concern with the current I'm wondering are there any good solutions for this that are build system agnostic? Ideally you'd want to be able to request a minimum fortification level from the compiler directly, which isn't currently possible. For GCC specifically |
Exactly. It's problematic also if wanting to do testing with =2 or =1 for coverage but that matters far less and someone doing that could workaround that with a patch to the compiler. We unfortunately hit precisely that scenario you describe when going from level 2 to 3 and are still mopping up such cases. I think the only options we have here are for:
|
Looking at AX_ADD_FORTIFY_SOURCE more closely it also doesn't give the desired behavior from the perspective of a developer who wants to ensure the maximum fortification level supported by the compiler is used since in its current form |
FYI, autotools (specifically automake) has multiple flag variables: https://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html |
Thomas will try to see if |
@06kellyjac beat me to it but the conclusion was that specifying a
We discussed this issue at length during the C/C++ Compiler BP Guide call 2023-10-17 and came to the conclusion that we should try and suggest approaches for setting flags, including the Not all distributions set their default flags in the same way though, @06kellyjac noted the approach in NIX OS, with a wrapper around the compiler and bintools that injects hardening flags may be more robust to differences in upstream build configurations. We shouldn't of course tell Linux distributions what do do, but we can aim describe how the major ones set their default flags and strive for recommendations that are are compatible with as many as possible. That said, there wasn't a clear consensus on what the best option for the build-system agnostic TL;DR; would be. Recommending |
Getting back to this, should we, instead of providing the tl;dr; as a list of options, provide the tl;dr, as suitable snippets or macros for common build systems? Thinking more about AX_ADD_FORTIFY_SOURCE, it might be better to have a Automake macro that adds the correct set of flags, including conditional flags, automatically. Thoughts? |
I think we should not replace the existing tl;dr. There are too many different build systems, including bespoke makefiles & scripts. However, I think we could add a section on "how to do this in common build systems" and do what you suggested. That section will probably get long as we add build systems, so wouldn't be a tl;dr anyway, but it'd be good to provide. |
The pattern that the documentation for
_FORTIFY_SOURCE
encourages is problematic.We had this for years with
_FORTIFY_SOURCE=2
and it caused unnecessary hassle when_FORTIFY_SOURCE=3
became available, as software would either clobber3
or provoke warnings by setting its own.We should encourage the use of AX_ADD_FORTIFY_SOURCE-like macros which first check the default fortification level and only override if it would improve protection. Not unconditionally setting it and blasting over defaults. I plan to handle this in Meson by addressing mesonbuild/meson#12341.
Note that many of the remaining blockers on our tracker bug in Gentoo at https://bugs.gentoo.org/847148 are issues of this nature.
The text was updated successfully, but these errors were encountered: