[Buildroot] [PATCH 1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3

[Buildroot] [PATCH 1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3

[Julien Olivain]

A new _FORTIFY_SOURCE=3 level was introduced in glibc, in commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=c43c5796121bc5bcc0867f02e5536874aa8196c1

This commit was first included glibc 2.33. At that time, it was only
supported by llvm/clang 9, and not by any released gcc version.

To support _FORTIFY_SOURCE=3, the needed gcc features were introduced
in version 12. The gcc 12 support was added in glibc commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=86bf0feb0e3ec8e37872f72499d6ae33406561d7
This commit was first included in glibc 2.35.

Buildroot updated to glibc 2.35 in commit:
https://git.buildroot.org/buildroot/commit/?id=68d0aede597d32816c5b2ff32de0ce33cc14eb93

Buildroot introduced gcc 12 support in commit:
https://git.buildroot.org/buildroot/commit/?id=0f1ad4fc93286adaba852c99d6e1c2565b5c4258

Support for _FORTIFY_SOURCE=3 can now be added.

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
 Config.in           | 9 +++++++++
 package/Makefile.in | 2 ++
 2 files changed, 11 insertions(+)

diff --git a/Config.in b/Config.in
index 3c57c591a8..cd26c9f102 100644
--- a/Config.in
+++ b/Config.in
@@ -929,6 +929,15 @@ config BR2_FORTIFY_SOURCE_2
 	  Also adds checks at run-time (detected buffer overflow
 	  terminates the program)
 
+config BR2_FORTIFY_SOURCE_3
+	bool "Extended"
+	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12
+	help
+	  This option sets _FORTIFY_SOURCES to 3 and even more
+	  checking is added compared to level 2. Extends checks at
+	  run-time that can introduce an additional performance
+	  overhead.
+
 endchoice
 
 comment "Fortify Source needs a glibc toolchain and optimization"
diff --git a/package/Makefile.in b/package/Makefile.in
index 43d214bcbe..7f1b00ba24 100644
--- a/package/Makefile.in
+++ b/package/Makefile.in
@@ -160,6 +160,8 @@ ifeq ($(BR2_FORTIFY_SOURCE_1),y)
 TARGET_HARDENED += -D_FORTIFY_SOURCE=1
 else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
 TARGET_HARDENED += -D_FORTIFY_SOURCE=2
+else ifeq ($(BR2_FORTIFY_SOURCE_3),y)
+TARGET_HARDENED += -D_FORTIFY_SOURCE=3
 endif
 
 TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-- 
2.37.3

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3

[Yann E. MORIN]

Julien, All,

On 2022-09-18 23:21 +0200, Julien Olivain spake thusly:
> A new _FORTIFY_SOURCE=3 level was introduced in glibc, in commit:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=c43c5796121bc5bcc0867f02e5536874aa8196c1
> 
> This commit was first included glibc 2.33. At that time, it was only
> supported by llvm/clang 9, and not by any released gcc version.
> 
> To support _FORTIFY_SOURCE=3, the needed gcc features were introduced
> in version 12. The gcc 12 support was added in glibc commit:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=86bf0feb0e3ec8e37872f72499d6ae33406561d7
> This commit was first included in glibc 2.35.
> 
> Buildroot updated to glibc 2.35 in commit:
> https://git.buildroot.org/buildroot/commit/?id=68d0aede597d32816c5b2ff32de0ce33cc14eb93
> 
> Buildroot introduced gcc 12 support in commit:
> https://git.buildroot.org/buildroot/commit/?id=0f1ad4fc93286adaba852c99d6e1c2565b5c4258
> 
> Support for _FORTIFY_SOURCE=3 can now be added.
> 
> Signed-off-by: Julien Olivain <ju.o@free.fr>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  Config.in           | 9 +++++++++
>  package/Makefile.in | 2 ++
>  2 files changed, 11 insertions(+)
> 
> diff --git a/Config.in b/Config.in
> index 3c57c591a8..cd26c9f102 100644
> --- a/Config.in
> +++ b/Config.in
> @@ -929,6 +929,15 @@ config BR2_FORTIFY_SOURCE_2
>  	  Also adds checks at run-time (detected buffer overflow
>  	  terminates the program)
>  
> +config BR2_FORTIFY_SOURCE_3
> +	bool "Extended"
> +	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12
> +	help
> +	  This option sets _FORTIFY_SOURCES to 3 and even more
> +	  checking is added compared to level 2. Extends checks at
> +	  run-time that can introduce an additional performance
> +	  overhead.
> +
>  endchoice
>  
>  comment "Fortify Source needs a glibc toolchain and optimization"
> diff --git a/package/Makefile.in b/package/Makefile.in
> index 43d214bcbe..7f1b00ba24 100644
> --- a/package/Makefile.in
> +++ b/package/Makefile.in
> @@ -160,6 +160,8 @@ ifeq ($(BR2_FORTIFY_SOURCE_1),y)
>  TARGET_HARDENED += -D_FORTIFY_SOURCE=1
>  else ifeq ($(BR2_FORTIFY_SOURCE_2),y)
>  TARGET_HARDENED += -D_FORTIFY_SOURCE=2
> +else ifeq ($(BR2_FORTIFY_SOURCE_3),y)
> +TARGET_HARDENED += -D_FORTIFY_SOURCE=3
>  endif
>  
>  TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
> -- 
> 2.37.3
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot