I got binaries compiled with FORTIFY_SOURCE even with -U_FORTIFY_SOURCE. After digging a bit into the issue I discovered that -fsanitize=address adds FORTIFY_SOURCE (dunno which level) and there is no way to drop it. Reproducer with a hello-world:
    clang hello.c -fsanitize=address -U_FORTIFY_SOURCE && checksec --file=a.out
When you drop -fsanitize=address you don't get FORTIFY as active. I don't get this behavior with gcc. I have clang-15.0.7-r1
What version of sys-devel/clang-common?
I see the same thing even when there's 0 fortifiable functions in there (just a simple return, no printf, etc). I suspect it's picking up fortified functions in libasan.
... also, there's no way that F_S can even do anything with -O0, and yet the tool thinks it's fortified, so I think this is just an issue in checksec. We could maybe see if we can build libasan w/o fortification if it is that though.
(In reply to Sam James from comment #1)
> What version of sys-devel/clang-common?
$ qlist -ICv | grep -E '(clang|llvm)'
sys-devel/clang-15.0.7-r1
sys-devel/clang-common-15.0.7-r4
sys-devel/clang-runtime-15.0.7
sys-devel/clang-toolchain-symlinks-15-r2
sys-devel/llvm-15.0.7
sys-devel/llvm-common-15.0.7
sys-devel/llvm-toolchain-symlinks-15-r1
sys-devel/llvmgold-15
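An added example, not part of the bug thread or of checksec: one way to triage a FORTIFY report like the one above is to separate `__*_chk` symbols the binary imports from ones defined inside it by linked-in code, which is the situation comment #2 suspects for libasan. It assumes the checker keys on `_chk` symbol names; the function names and the `nm`-style sample lines are constructed for illustration.

```python
import re

# Constructed `nm`-style lines (not captured from the reporter's binary).
# Case 1: _chk names exist only as definitions linked into the binary.
SAMPLE_DEFINED_ONLY = """\
0000000000049f10 W __snprintf_chk
000000000004a2c0 W __vsprintf_chk
00000000000c1a40 T main
                 U printf@GLIBC_2.2.5
"""
# Case 2: the binary imports a fortified libc entry point.
SAMPLE_FORTIFIED = """\
                 U __printf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
0000000000001139 T main
"""

# Anchored on the suffix so __stack_chk_fail (stack protector) is not counted.
CHK = re.compile(r"^__\w+_chk$")
UNDEFINED_TYPES = {"U", "w", "v"}  # nm type letters for undefined symbols


def classify_chk_symbols(nm_output):
    """Return (imported, defined) lists of __*_chk symbol names."""
    imported, defined = [], []
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        # Undefined symbols have no address column, so index from the end.
        sym_type = fields[-2]
        name = fields[-1].split("@")[0]  # drop symbol version suffix
        if not CHK.match(name):
            continue
        (imported if sym_type in UNDEFINED_TYPES else defined).append(name)
    return sorted(imported), sorted(defined)


def fortify_verdict(nm_output):
    """'imported': something in the binary calls a fortified libc function.
    'defined-only': the names come from code linked into the binary, so a
    name match alone says nothing about the program's own call sites."""
    imported, defined = classify_chk_symbols(nm_output)
    if imported:
        return "imported"
    return "defined-only" if defined else "none"
```

Feed it the text output of `nm` (or `nm -D`) for the binary in question; a "defined-only" result is the case where a name-based report deserves a second look.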