From: Julien Olivain <ju.o@free.fr>
To: buildroot@buildroot.org
Cc: Julien Olivain <ju.o@free.fr>
Subject: [Buildroot] [PATCH 1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3
Date: Sun, 18 Sep 2022 23:21:44 +0200
Message-ID: <20220918212144.427007-1-ju.o@free.fr>

A new _FORTIFY_SOURCE=3 level was introduced in glibc, in commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=c43c5796121bc5bcc0867f02e5536874aa8196c1

This commit was first included in glibc 2.33. At that time, it was only
supported by llvm/clang 9, and not by any released gcc version.

To support _FORTIFY_SOURCE=3, the needed gcc features were introduced
in version 12. The gcc 12 support was added in glibc commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=86bf0feb0e3ec8e37872f72499d6ae33406561d7

This commit was first included in glibc 2.35.

Buildroot updated to glibc 2.35 in commit:
https://git.buildroot.org/buildroot/commit/?id=68d0aede597d32816c5b2ff32de0ce33cc14eb93

Buildroot introduced gcc 12 support in commit:
https://git.buildroot.org/buildroot/commit/?id=0f1ad4fc93286adaba852c99d6e1c2565b5c4258

Support for _FORTIFY_SOURCE=3 can now be added.

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
Config.in | 9 +++++++++
package/Makefile.in | 2 ++
2 files changed, 11 insertions(+)
diff --git a/Config.in b/Config.in
index 3c57c591a8..cd26c9f102 100644
--- a/Config.in
+++ b/Config.in
@@ -929,6 +929,15 @@ config BR2_FORTIFY_SOURCE_2
Also adds checks at run-time (detected buffer overflow
terminates the program)
+config BR2_FORTIFY_SOURCE_3
+ bool "Extended"
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12
+ help
+ This option sets _FORTIFY_SOURCES to 3 and even more
+ checking is added compared to level 2. Extends checks at
+ run-time that can introduce an additional performance
+ overhead.
+
endchoice
comment "Fortify Source needs a glibc toolchain and optimization"
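Review bot: `depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12` in the new BR2_FORTIFY_SOURCE_3 entry checks only the compiler, while the commit message says the gcc 12 support for level 3 first shipped in glibc 2.35, so a toolchain that pairs gcc 12 with an older glibc can still select "Extended". Either add a condition on the glibc version if one is available to Kconfig, or state the glibc 2.35 requirement in the help text. The help text also spells the macro "_FORTIFY_SOURCES"; it should be "_FORTIFY_SOURCE". "Extends checks at run-time" would be more useful if it said what is extended relative to level 2.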
diff --git a/package/Makefile.in b/package/Makefile.in
index 43d214bcbe..7f1b00ba24 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -160,6 +160,8 @@ ifeq ($(BR2_FORTIFY_SOURCE_1),y)
TARGET_HARDENED += -D_FORTIFY_SOURCE=1
else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
TARGET_HARDENED += -D_FORTIFY_SOURCE=2
+else ifeq ($(BR2_FORTIFY_SOURCE_3),y)
+TARGET_HARDENED += -D_FORTIFY_SOURCE=3
endif
TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
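Review bot: the new `else ifeq ($(BR2_FORTIFY_SOURCE_3),y)` branch is not exercised by anything in this patch, since the diffstat lists only Config.in and package/Makefile.in. A build test with BR2_FORTIFY_SOURCE_3=y that inspects the resulting target binaries would confirm that -D_FORTIFY_SOURCE=3 actually takes effect with the selected toolchain, in the same way the existing levels 1 and 2 should be checked.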
--
2.37.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot