| Message ID | 20220918212144.427007-1-ju.o@free.fr |
|---|---|
| State | Accepted |
| Series | [1/1] security hardening: add support for glibc _FORTIFY_SOURCE=3 |
Julien, All, On 2022-09-18 23:21 +0200, Julien Olivain spake thusly: > A new _FORTIFY_SOURCE=3 level was introduced in glibc, in commit: > https://sourceware.org/git/?p=glibc.git;a=commit;h=c43c5796121bc5bcc0867f02e5536874aa8196c1 > > This commit was first included glibc 2.33. At that time, it was only > supported by llvm/clang 9, and not by any released gcc version. > > To support _FORTIFY_SOURCE=3, the needed gcc features were introduced > in version 12. The gcc 12 support was added in glibc commit: > https://sourceware.org/git/?p=glibc.git;a=commit;h=86bf0feb0e3ec8e37872f72499d6ae33406561d7 > This commit was first included in glibc 2.35. > > Buildroot updated to glibc 2.35 in commit: > https://git.buildroot.org/buildroot/commit/?id=68d0aede597d32816c5b2ff32de0ce33cc14eb93 > > Buildroot introduced gcc 12 support in commit: > https://git.buildroot.org/buildroot/commit/?id=0f1ad4fc93286adaba852c99d6e1c2565b5c4258 > > Support for _FORTIFY_SOURCE=3 can now be added. > > Signed-off-by: Julien Olivain <ju.o@free.fr> Applied to master, thanks. Regards, Yann E. MORIN. > --- > Config.in | 9 +++++++++ > package/Makefile.in | 2 ++ > 2 files changed, 11 insertions(+) > > diff --git a/Config.in b/Config.in > index 3c57c591a8..cd26c9f102 100644 > --- a/Config.in > +++ b/Config.in > @@ -929,6 +929,15 @@ config BR2_FORTIFY_SOURCE_2 > Also adds checks at run-time (detected buffer overflow > terminates the program) > > +config BR2_FORTIFY_SOURCE_3 > + bool "Extended" > + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12 > + help > + This option sets _FORTIFY_SOURCES to 3 and even more > + checking is added compared to level 2. Extends checks at > + run-time that can introduce an additional performance > + overhead. > + > endchoice > > comment "Fortify Source needs a glibc toolchain and optimization" > diff --git a/package/Makefile.in b/package/Makefile.in > index 43d214bcbe..7f1b00ba24 100644 > --- a/package/Makefile.in > +++ b/package/Makefile.in 
> @@ -160,6 +160,8 @@ ifeq ($(BR2_FORTIFY_SOURCE_1),y) > TARGET_HARDENED += -D_FORTIFY_SOURCE=1 > else ifeq ($(BR2_FORTIFY_SOURCE_2),y) > TARGET_HARDENED += -D_FORTIFY_SOURCE=2 > +else ifeq ($(BR2_FORTIFY_SOURCE_3),y) > +TARGET_HARDENED += -D_FORTIFY_SOURCE=3 > endif > > TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 > -- > 2.37.3 > > _______________________________________________ > buildroot mailing list > buildroot@buildroot.org > https://lists.buildroot.org/mailman/listinfo/buildroot
diff --git a/Config.in b/Config.in index 3c57c591a8..cd26c9f102 100644 --- a/Config.in +++ b/Config.in @@ -929,6 +929,15 @@ config BR2_FORTIFY_SOURCE_2 Also adds checks at run-time (detected buffer overflow terminates the program) +config BR2_FORTIFY_SOURCE_3 + bool "Extended" + depends on BR2_TOOLCHAIN_GCC_AT_LEAST_12 + help + This option sets _FORTIFY_SOURCES to 3 and even more + checking is added compared to level 2. Extends checks at + run-time that can introduce an additional performance + overhead. + endchoice comment "Fortify Source needs a glibc toolchain and optimization" diff --git a/package/Makefile.in b/package/Makefile.in index 43d214bcbe..7f1b00ba24 100644 --- a/package/Makefile.in +++ b/package/Makefile.in @@ -160,6 +160,8 @@ ifeq ($(BR2_FORTIFY_SOURCE_1),y) TARGET_HARDENED += -D_FORTIFY_SOURCE=1 else ifeq ($(BR2_FORTIFY_SOURCE_2),y) TARGET_HARDENED += -D_FORTIFY_SOURCE=2 +else ifeq ($(BR2_FORTIFY_SOURCE_3),y) +TARGET_HARDENED += -D_FORTIFY_SOURCE=3 endif TARGET_CPPFLAGS += -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
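Review bot: the help text in the Config.in hunk spells the macro `_FORTIFY_SOURCES`; it should read `_FORTIFY_SOURCE`, matching the `-D_FORTIFY_SOURCE=3` that the Makefile.in hunk emits. In the same hunk, the new option depends only on `BR2_TOOLCHAIN_GCC_AT_LEAST_12`, while the commit message says gcc 12 support for level 3 only landed in glibc 2.35; an external toolchain with gcc 12 but an older glibc therefore satisfies the dependency without delivering level 3, so consider also gating on the glibc version or at least stating the glibc 2.35 requirement in the help text.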
A new _FORTIFY_SOURCE=3 level was introduced in glibc, in commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=c43c5796121bc5bcc0867f02e5536874aa8196c1

This commit was first included in glibc 2.33. At that time, it was only
supported by llvm/clang 9, and not by any released gcc version.

To support _FORTIFY_SOURCE=3, the needed gcc features were introduced
in version 12. The gcc 12 support was added in glibc commit:
https://sourceware.org/git/?p=glibc.git;a=commit;h=86bf0feb0e3ec8e37872f72499d6ae33406561d7
This commit was first included in glibc 2.35.

Buildroot updated to glibc 2.35 in commit:
https://git.buildroot.org/buildroot/commit/?id=68d0aede597d32816c5b2ff32de0ce33cc14eb93

Buildroot introduced gcc 12 support in commit:
https://git.buildroot.org/buildroot/commit/?id=0f1ad4fc93286adaba852c99d6e1c2565b5c4258

Support for _FORTIFY_SOURCE=3 can now be added.

Signed-off-by: Julien Olivain <ju.o@free.fr>
---
 Config.in           | 9 +++++++++
 package/Makefile.in | 2 ++
 2 files changed, 11 insertions(+)
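Because glibc only turns a requested _FORTIFY_SOURCE level into real checks when the compiler supports it, the level a build asks for and the level that is in effect can differ. The script below is an added check written for this page (it is not part of the patch or of Buildroot): it preprocesses an empty translation unit that includes glibc's <features.h> with the requested -D_FORTIFY_SOURCE=N and reads back the __USE_FORTIFY_LEVEL macro glibc derives from it. It assumes a glibc-based toolchain whose compiler is reachable as $CC, as cc, or as the optional second argument; the function name fortify_level_in_effect is this example's own.

```sh
#!/bin/sh
# Added example, not Buildroot code: report the fortification level that
# glibc's <features.h> actually selects for a requested -D_FORTIFY_SOURCE=N.
#
# Usage: fortify_level_in_effect N [compiler]
#   prints the effective __USE_FORTIFY_LEVEL (0 when glibc defines none,
#   e.g. a non-glibc libc), or "no-compiler" when no usable compiler exists.
fortify_level_in_effect() {
    req="$1"
    cc="${2:-${CC:-cc}}"
    command -v "$cc" >/dev/null 2>&1 || { echo no-compiler; return 0; }
    # -O2 matters: glibc enables fortification only when __OPTIMIZE__ > 0.
    # -dM -E dumps every macro defined after preprocessing the unit, so the
    # value glibc chose for __USE_FORTIFY_LEVEL can be read back directly.
    level=$(printf '#include <features.h>\n' |
        "$cc" -O2 -D_FORTIFY_SOURCE="$req" -dM -E -x c - 2>/dev/null |
        sed -n 's/^#define __USE_FORTIFY_LEVEL \([0-9]*\).*/\1/p')
    [ -n "$level" ] || level=0
    echo "$level"
}

# Prints "yes" when the toolchain silently delivers less than was requested.
fortify_downgraded() {
    eff=$(fortify_level_in_effect "$1" "$2")
    case "$eff" in
        no-compiler) echo unknown ;;
        *) [ "$eff" -lt "$1" ] && echo yes || echo no ;;
    esac
}

# Walk the three levels Buildroot's BR2_FORTIFY_SOURCE_* choice can emit.
for n in 1 2 3; do
    printf 'requested %s -> effective %s (downgraded: %s)\n' \
        "$n" "$(fortify_level_in_effect "$n")" "$(fortify_downgraded "$n")"
done
```

Point the second argument at the cross compiler Buildroot generated rather than the host's cc to learn what the target toolchain does; a "requested 3 -> effective 2" line on a toolchain that satisfies BR2_TOOLCHAIN_GCC_AT_LEAST_12 is exactly the glibc-version gap the Config.in dependency does not express.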