Compiler guide: Add note about redefining default of FORTIFY_SOURCE #273

Merged
merged 2 commits into from
Nov 7, 2023
Expand Up @@ -17,7 +17,7 @@ When compiling C or C++ code on compilers such as GCC and clang, turn on these f

~~~~sh
-O2 -Wall -Wformat=2 -Wconversion -Wtrampolines -Wimplicit-fallthrough \
-D_FORTIFY_SOURCE=3 \
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \
-D_GLIBCXX_ASSERTIONS \
-fstack-clash-protection -fstack-protector-strong \
-Wl,-z,nodlopen -Wl,-z,noexecstack \
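Review bot: the ordering `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3` on the changed line is load-bearing and the snippet does not say so: GCC and Clang apply `-D` and `-U` in command-line order, so a reader who copies the flags in the opposite order would cancel the definition and end up with no fortification at all, and without any warning. Suggest a short comment line directly above the flag line, e.g. `# -U first: drop any distribution-predefined level so -D does not warn about redefinition`, so the reason for the `-U` and its required position survive being copied out of context.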
Expand Down Expand Up @@ -137,7 +137,7 @@ Table 2: Recommended compiler options that enable run-time protection mechanisms

| Compiler Flag | Supported since | Description |
|:----------------------------------------------------------------------------------------- |:----------------------------------:|:-------------------------------------------------------------------------------------------- |
| [`-D_FORTIFY_SOURCE=3`](#-D_FORTIFY_SOURCE=3) <br/>(requires `-O1` or higher) | GCC 12.0<br/>Clang 9.0.0[^Guelton20] | Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows. Some fortification levels can impact performance. |
| [`-D_FORTIFY_SOURCE=3`](#-D_FORTIFY_SOURCE=3) <br/>(requires `-O1` or higher, <br/> may require prepending -U_FORTIFY_SOURCE) | GCC 12.0<br/>Clang 9.0.0[^Guelton20] | Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows. Some fortification levels can impact performance. |
| [`-D_GLIBCXX_ASSERTIONS`](#-D_GLIBCXX_ASSERTIONS)<br>[`-D_LIBCPP_ASSERT`](#-D_LIBCPP_ASSERT) | libstdc++ 6.0<br/>libc++ 3.3.0 | Precondition checks for C++ standard library calls. Can impact performance. |
| [`-fstack-clash-protection`](#-fstack-clash-protection) | GCC 8<br/>Clang 11.0.0 | Enable run-time checks for variable-size stack allocation validity. Can impact performance. |
| [`-fstack-protector-strong`](#-fstack-protector-strong) | GCC 4.9.0<br/>Clang 5.0.0 | Enable run-time checks for stack-based buffer overflows. Can impact performance. |
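Review bot: style point in the first table row: the new parenthetical leaves `-U_FORTIFY_SOURCE` without the backticks every other flag in this table gets, and the inserted `<br/>` is surrounded by spaces unlike the other `<br/>` uses in the same cell. Suggest "(requires `-O1` or higher,<br/>may require prepending `-U_FORTIFY_SOURCE`)". Also, "may require" is softer than the command-line example earlier in the guide, which now prepends `-U_FORTIFY_SOURCE` unconditionally; a pointer to the `_FORTIFY_SOURCE` section, where the condition (a distribution-predefined default) is explained, would reconcile the two.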
Expand Down Expand Up @@ -322,6 +322,8 @@ To benefit from `_FORTIFY_SOURCE` checks the following requirements must be met:

If checks added by `_FORTIFY_SOURCE` detect unsafe behavior at run-time they will print an error message and terminate the application.

A default mode for FORTIFY_SOURCE may be predefined for a given compiler, for instance GCC shipped with Ubuntu 22.04 uses FORTIFY_SOURCE=2 by default. If a mode of FORTIFY_SOURCE is set on the command line which differs from the default, the compiler warns about redefining the FORTIFY_SOURCE macro. To avoid this, the predefined mode can be unset with -U_FORTIFY_SOURCE before setting the desired value.

#### Performance implications

Both `_FORTIFY_SOURCE=1` and `_FORTIFY_SOURCE=2` are expected to have a negligible run-time performance impact (~0.1% ).
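Review bot: the added paragraph names the macro as FORTIFY_SOURCE, without the leading underscore and without code formatting, while the context lines just above it write `_FORTIFY_SOURCE` in backticks; the actual macro is `_FORTIFY_SOURCE`, so as written the paragraph refers to a different identifier four times. Suggest `_FORTIFY_SOURCE=2`, `_FORTIFY_SOURCE`, and `-U_FORTIFY_SOURCE` throughout, matching the surrounding text. Minor wording: "predefined for a given compiler" reads as upstream GCC behaviour, whereas the example given is a distribution build ("GCC shipped with Ubuntu 22.04"); "for a given compiler build or distribution" would make the source of the default clearer.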