Bug 847148 - [Tracker] Failures with FORTIFY_SOURCE=3
Summary: [Tracker] Failures with FORTIFY_SOURCE=3
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL: https://developers.redhat.com/blog/20...
Whiteboard:
Keywords: PullRequest, Tracker
Depends on: 854327 873745 890275 890279 892900 892902 892906 892930 892960 892994 893004 893096 893108 893138 893140 893200 893270 893274 893276 893278 893280 893306 893348 893350 893352 893474 894304 894694 894696 895016 895018 895020 895078 895506 895532 895546 895672 895674 895800 895806 895892 898044 898054 898056 905605 916028 916029 917419 918934 922605 841770 847145 847280 847295 847892 849587 850157 852974 854315 854318 854321 854324 876625 882295 889394 890072 890271 890273 890276 890277 890278 890280 890985 891259 891995 892834 892928 892932 892958 892992 892996 893002 893372 893468 893592 893776 893824 894302 894648 895260 895356 895424 895522 895528 895530 895538 895548 895676 895678 895680 895798 895802 895804 895810 895872 895874 896176 896382 898046 898048 898050 898148 898166 898240 898526 899982 902823 903253 903860 906005 906346 906388 906715 907683 910071 911389 913420 915394 917517 924494 925158 925419 925560
Reported: 2022-05-23 22:34 UTC by Sam James
Modified: 2024-03-03 22:16 UTC

Attachments
fortify-source-3.patch (file_847148.txt,397 bytes, patch)
2022-05-29 06:05 UTC, Sam James

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-23 22:34:52 UTC
Needs GCC 12+ or Clang 9+.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-29 06:05:34 UTC
To reproduce bugs, you need at least -O2 (IIRC > -O0 might work, needs inlining at least, but use -O2 please or higher), GCC 12+, or Clang 9+ (but we're mostly using GCC here).

You also need (feel free to change -O2, as above):
CFLAGS="-O2 -D_FORTIFY_SOURCE=3"
CXXFLAGS="-O2 -D_FORTIFY_SOURCE=3"

I instead patch GCC because it's easier.
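
Added example (not part of the original comment, and not glibc or Gentoo code): a small C program showing why the flags above matter. It asks the compiler for the size of a heap buffer allocated with a run-time length, using `__builtin_dynamic_object_size` where the compiler has it (GCC 12+, Clang 9+) and falling back to the constant-only `__builtin_object_size`, and it reports the fortify level glibc applied to the file. The names `effective_fortify_level` and `copy_into_heap` are hypothetical, and the sample data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef __has_builtin
#define __has_builtin(x) 0            /* compilers that predate __has_builtin */
#endif

enum copy_result { COPY_OK, COPY_REJECTED, COPY_UNCHECKED };
/* Level glibc applied to this file; stays 0 when built without optimization. */
int effective_fortify_level(void) {
#ifdef __USE_FORTIFY_LEVEL
    return __USE_FORTIFY_LEVEL;
#else
    return 0;                         /* non-glibc libc */
#endif
}

/* Copy len bytes (capped at 64) into a heap buffer sized only at run time. */
enum copy_result copy_into_heap(size_t alloc, size_t len) {
    static const char src[64] = "constructed sample data";
    enum copy_result r = COPY_UNCHECKED;
    char *dst = malloc(alloc);
    size_t known;
    if (dst == NULL)
        return r;
    if (len > sizeof src)
        len = sizeof src;
#if __has_builtin(__builtin_dynamic_object_size)
    known = __builtin_dynamic_object_size(dst, 0);  /* may be a run-time value */
#else
    known = __builtin_object_size(dst, 0);          /* compile-time constants only */
#endif
    if (known == (size_t)-1) {        /* size unknown: no check is possible */
        if (len <= alloc)             /* demo only: never do the bad copy */
            memcpy(dst, src, len);
    } else if (len > known) {
        r = COPY_REJECTED;            /* a fortified memcpy would abort here */
    } else {
        memcpy(dst, src, len);
        r = COPY_OK;
    }
    free(dst);
    return r;
}

int main(void) {
    printf("level=%d result=%d\n", effective_fortify_level(), copy_into_heap(16, 32));
    return 0;
}
```

Build it once with `-O2 -D_FORTIFY_SOURCE=3` and once with `-O0` to compare the reported level and the result for the oversized copy (0 = copied, 1 = rejected, 2 = size unknown, no check).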
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-29 06:05:45 UTC
Created attachment 781316 [details, diff]
fortify-source-3.patch
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-29 06:06:02 UTC
(In reply to Sam James from comment #2)
> Created attachment 781316 [details, diff]
> fortify-source-3.patch

Place at /etc/portage/patches/sys-devel/gcc:12/fortify-source-3.patch.
Comment 4 Larry the Git Cow gentoo-dev 2022-12-28 19:35:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/gcc-patches.git/commit/?id=224f6241ec785ccc386eb191df36d919e9b62351

commit 224f6241ec785ccc386eb191df36d919e9b62351
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 17:54:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-28 17:54:22 +0000

    12.2.0: add patches for FORTIFY_SOURCE=3, default GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 12.2.0/gentoo/01_all_default-fortify-source.patch        |  8 ++++++--
 12.2.0/gentoo/15_all_DEF_GENTOO_GLIBCXX_ASSERTIONS.patch | 14 ++++++++++++++
 12.2.0/gentoo/README.history                             |  4 ++++
 3 files changed, 24 insertions(+), 2 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2022-12-31 23:49:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a40e388337e2fc6847c6cd48fc1b19eafc55b1c6

commit a40e388337e2fc6847c6cd48fc1b19eafc55b1c6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:18:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-31 23:47:03 +0000

    sys-devel/gcc: add 12.2.1_p20221231, USE=hardened changes
    
    USE=hardened will now imply:
    - default -D_FORTIFY_SOURCE=3 (instead of 2 for normal profiles)
    - default -D_GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/gcc/Manifest                    |  2 ++
 sys-devel/gcc/gcc-12.2.1_p20221231.ebuild | 52 +++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288bc9aff2e91f6a443e8c09f080ffc9f633b07e

commit 288bc9aff2e91f6a443e8c09f080ffc9f633b07e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:17:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-31 23:30:45 +0000

    toolchain.eclass: prepare for USE=hardened => FORTIFY_SOURCE=3, assertions
    
    USE=hardened will now imply:
    - default -D_FORTIFY_SOURCE=3 (instead of 2 for normal profiles)
    - default -D_GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain.eclass | 4 ++++
 1 file changed, 4 insertions(+)
Comment 6 Larry the Git Cow gentoo-dev 2023-01-30 17:37:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f06cb39a5d25c754c01e96313f76dc802e361995

commit f06cb39a5d25c754c01e96313f76dc802e361995
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-30 01:05:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-30 17:37:03 +0000

    toolchain-funcs.eclass: add tc-enables-fortify-source for FORTIFY_SOURCE
    
    As Zero_Chaos reported on IRC, the check we had wasn't good enough in systemd*
    (before we were able to remove it), as it wouldn't fire for e.g. -Os. While we
    could've changed it to fail safe (always unset, then set a lower F_S if possible),
    let's add a proper helper instead to the eclass.
    
    Bug: https://bugs.gentoo.org/841770
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain-funcs.eclass | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)