* [Buildroot] [PATCH 1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3
@ 2022-09-18 21:21 Julien Olivain
2022-12-31 17:43 ` Yann E. MORIN
0 siblings, 1 reply; 2+ messages in thread
From: Julien Olivain @ 2022-09-18 21:21 UTC (permalink / raw)
To: buildroot; +Cc: Julien Olivain
A new _FORTIFY_SOURCE=3 level was introduced in glibc, in commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=c43c5796121bc5bcc0867f02e5536874aa8196c1

This commit was first included in glibc 2.33. At that time, it was only
supported by llvm/clang 9, and not by any released gcc version.

To support _FORTIFY_SOURCE=3, the needed gcc features were introduced
in version 12. The gcc 12 support was added in glibc commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=86bf0feb0e3ec8e37872f72499d6ae33406561d7
This commit was first included in glibc 2.35.

Buildroot updated to glibc 2.35 in commit:
https://git.buildroot.org/buildroot/commit/?id=68d0aede597d32816c5b2ff32de0ce33cc14eb93

Buildroot introduced gcc 12 support in commit:
https://git.buildroot.org/buildroot/commit/?id=0f1ad4fc93286adaba852c99d6e1c2565b5c4258

Support for _FORTIFY_SOURCE=3 can now be added.

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
Config.in | 9 +++++++++
package/Makefile.in | 2 ++
2 files changed, 11 insertions(+)
diff --git a/Config.in b/Config.in
index 3c57c591a8..cd26c9f102 100644
--- a/Config.in
+++ b/Config.in
@@ -929,6 +929,15 @@ config BR2_FORTIFY_SOURCE_2
Also adds checks at run-time (detected buffer overflow
terminates the program)
+config BR2_FORTIFY_SOURCE_3
+ bool "Extended"
+ depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12
+ help
+ This option sets _FORTIFY_SOURCES to 3 and even more
+ checking is added compared to level 2. Extends checks at
+ run-time that can introduce an additional performance
+ overhead.
+
endchoice
comment "Fortify Source needs a glibc toolchain and optimization"
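Review bot: the `depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12` line on the new BR2_FORTIFY_SOURCE_3 option checks only the compiler version, while the commit message says the gcc 12 support for level 3 was first included in glibc 2.35. A toolchain that pairs gcc 12 with an older glibc could still select "Extended"; consider stating the glibc 2.35 requirement in the help text, or adding a matching dependency if a suitable symbol exists. Separately, the help text spells the macro `_FORTIFY_SOURCES`, whereas the flag added in package/Makefile.in is `-D_FORTIFY_SOURCE=3`; the trailing "S" should be dropped.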
diff --git a/package/Makefile.in b/package/Makefile.in
index 43d214bcbe..7f1b00ba24 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -160,6 +160,8 @@ ifeq ($(BR2_FORTIFY_SOURCE_1),y)
TARGET_HARDENED += -D_FORTIFY_SOURCE=1
else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
TARGET_HARDENED += -D_FORTIFY_SOURCE=2
+else ifeq ($(BR2_FORTIFY_SOURCE_3),y)
+TARGET_HARDENED += -D_FORTIFY_SOURCE=3
endif
TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
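Review bot: the new `else ifeq ($(BR2_FORTIFY_SOURCE_3),y)` branch arrives without any test; the diffstat lists only Config.in and package/Makefile.in. Consider adding a test configuration that selects BR2_FORTIFY_SOURCE_3 and confirms that `-D_FORTIFY_SOURCE=3` actually reaches the target build, so a later change to this if/else chain that drops or shadows the flag is noticed.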
--
2.37.3
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3
2022-09-18 21:21 [Buildroot] [PATCH 1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3 Julien Olivain
@ 2022-12-31 17:43 ` Yann E. MORIN
0 siblings, 0 replies; 2+ messages in thread
From: Yann E. MORIN @ 2022-12-31 17:43 UTC (permalink / raw)
To: Julien Olivain; +Cc: buildroot
Julien, All,
On 2022-09-18 23:21 +0200, Julien Olivain spake thusly:
> A new _FORTIFY_SOURCE=3 level was introduced in glibc, in commit:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=c43c5796121bc5bcc0867f02e5536874aa8196c1
>
> This commit was first included in glibc 2.33. At that time, it was only
> supported by llvm/clang 9, and not by any released gcc version.
>
> To support _FORTIFY_SOURCE=3, the needed gcc features were introduced
> in version 12. The gcc 12 support was added in glibc commit:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=86bf0feb0e3ec8e37872f72499d6ae33406561d7
> This commit was first included in glibc 2.35.
>
> Buildroot updated to glibc 2.35 in commit:
> https://git.buildroot.org/buildroot/commit/?id=68d0aede597d32816c5b2ff32de0ce33cc14eb93
>
> Buildroot introduced gcc 12 support in commit:
> https://git.buildroot.org/buildroot/commit/?id=0f1ad4fc93286adaba852c99d6e1c2565b5c4258
>
> Support for _FORTIFY_SOURCE=3 can now be added.
>
> Signed-off-by: Julien Olivain <ju.o@free.fr>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> Config.in | 9 +++++++++
> package/Makefile.in | 2 ++
> 2 files changed, 11 insertions(+)
>
> diff --git a/Config.in b/Config.in
> index 3c57c591a8..cd26c9f102 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -929,6 +929,15 @@ config BR2_FORTIFY_SOURCE_2
> Also adds checks at run-time (detected buffer overflow
> terminates the program)
>
> +config BR2_FORTIFY_SOURCE_3
> + bool "Extended"
> + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12
> + help
> + This option sets _FORTIFY_SOURCES to 3 and even more
> + checking is added compared to level 2. Extends checks at
> + run-time that can introduce an additional performance
> + overhead.
> +
> endchoice
>
> comment "Fortify Source needs a glibc toolchain and optimization"
> diff --git a/package/Makefile.in b/package/Makefile.in
> index 43d214bcbe..7f1b00ba24 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -160,6 +160,8 @@ ifeq ($(BR2_FORTIFY_SOURCE_1),y)
> TARGET_HARDENED += -D_FORTIFY_SOURCE=1
> else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
> TARGET_HARDENED += -D_FORTIFY_SOURCE=2
> +else ifeq ($(BR2_FORTIFY_SOURCE_3),y)
> +TARGET_HARDENED += -D_FORTIFY_SOURCE=3
> endif
>
> TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
> --
> 2.37.3
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'