I got binaries compiled with FORTIFY_SOURCE also with -U_FORTIFY_SOURCE After dig a bit into the issue I discovered that -fsanitize=address adds FORTIFY_SOURCE (dunno which level) and there is no way to drop it. Reproducer with an hello-world: clang hello.c -fsanitize=address -U_FORTIFY_SOURCE && checksec --file=a.out When you drop -fsanitize=address you don't get FORTIFY as active. I don't get this behavior with gcc I have clang-15.0.7-r1
What version of sys-devel/clang-common?
I see the same thing even when there's 0 fortifiable functions in there (just a simple return, no printf, etc). I suspect it's picking up fortified functions in libasan.
... also, there's no way that F_S can even do anything with -O0, and yet the tool thinks it's fortified, so I think this is just an issue in checksec. We could maybe see if we can build libasan w/o fortificaiton if it is that though.
(In reply to Sam James from comment #1) > What version of sys-devel/clang-common? $ qlist -ICv | grep -E '(clang|llvm)' sys-devel/clang-15.0.7-r1 sys-devel/clang-common-15.0.7-r4 sys-devel/clang-runtime-15.0.7 sys-devel/clang-toolchain-symlinks-15-r2 sys-devel/llvm-15.0.7 sys-devel/llvm-common-15.0.7 sys-devel/llvm-toolchain-symlinks-15-r1 sys-devel/llvmgold-15
commit 162b52d8795d5eead77376c37c23d91001373258 Author: Sam James <sam@gentoo.org> Date: Mon Mar 13 21:46:59 2023 +0000 sys-devel/clang-common: don't default-enable _FORTIFY_SOURCE w/ ASAN and MSAN This can cause either false positives in warnings from the compiler or false negatives where the sanitizer misses something. Bug: https://github.com/google/sanitizers/issues/247 Signed-off-by: Sam James <sam@gentoo.org>
(I don't think removing the fortification from LLVM's libraries is really in scope/a problem. Take it up with checksec if desired.)
