I got binaries compiled with FORTIFY_SOURCE even with -U_FORTIFY_SOURCE.
After digging a bit into the issue, I discovered that -fsanitize=address adds FORTIFY_SOURCE (dunno which level) and there is no way to drop it.
Reproducer with a hello-world:
clang hello.c -fsanitize=address -U_FORTIFY_SOURCE && checksec --file=a.out
When you drop -fsanitize=address you don't get FORTIFY as active.
I don't get this behavior with gcc
I have clang-15.0.7-r1
What version of sys-devel/clang-common?
I see the same thing even when there's 0 fortifiable functions in there (just a simple return, no printf, etc). I suspect it's picking up fortified functions in libasan.
... also, there's no way that F_S can even do anything with -O0, and yet the tool thinks it's fortified, so I think this is just an issue in checksec.
We could maybe see if we can build libasan w/o fortification if it is that though.
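One way to test the suspicion in the comments above, as an added example that is not part of the original thread: compare the `_chk` symbols referenced by the object file with those in the linked binary. It assumes checksec's FORTIFY verdict follows `_chk` symbol names; the function names and the sample `nm` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find *_chk symbols that appear only after linking.
# Real use (flags from the report above):
#   clang -fsanitize=address -U_FORTIFY_SOURCE -c hello.c -o hello.o
#   nm hello.o > obj.txt; nm a.out > bin.txt
#   chk_added_by_link obj.txt bin.txt

# Print the unique *_chk symbol names found in `nm` output on stdin.
chk_names() {
    awk '{ name = $NF; sub(/@.*/, "", name); if (name ~ /_chk$/) print name }' |
        LC_ALL=C sort -u
}

# Print *_chk names present in the linked binary but not in the object file.
# $1 and $2 are files holding `nm` output for the object and the binary.
chk_added_by_link() {
    obj_list=$(mktemp) && bin_list=$(mktemp) || return 1
    chk_names < "$1" > "$obj_list"
    chk_names < "$2" > "$bin_list"
    LC_ALL=C comm -13 "$obj_list" "$bin_list"
    rm -f "$obj_list" "$bin_list"
}

# Constructed sample `nm` output (not captured from a real clang/libasan build).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/obj.txt" <<'EOF'
0000000000000000 T main
                 U printf
EOF
    cat > "$dir/bin.txt" <<'EOF'
0000000000401136 T main
                 U printf@GLIBC_2.2.5
                 U __snprintf_chk@GLIBC_2.3.4
                 U __vsnprintf_chk@GLIBC_2.3.4
EOF
    chk_added_by_link "$dir/obj.txt" "$dir/bin.txt"
    rm -rf "$dir"
}

demo
```

An empty result means the link step added no `_chk` names beyond those the object file already referenced.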
(In reply to Sam James from comment #1)
> What version of sys-devel/clang-common?
$ qlist -ICv | grep -E '(clang|llvm)'