Skip to content
Snippets Groups Projects
Verified Commit 39934d91 authored by Levente Polyak's avatar Levente Polyak :rocket:
Browse files

Merge remote-tracking branch 'allan/fortify'

parents affa7b35 a175f9db
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
rfcs/0017-increase-fortification-level.rst 0 → 100644
+ 59
0
View file @ 39934d91
===================================
Increase _FORTIFY_SOURCE level to 3
===================================
- Date proposed: 2023-01-05
- RFC MR: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/0017
Summary
-------
Adjust packaging CFLAGS from -D_FORTIFY_SOURCE=2 to -D_FORTIFY_SOURCE=3 for
better fortification coverage
Motivation
----------
For a long time, we have been using `-D_FORTIFY_SOURCE=2` in our build flags
to detect C memory management problems at build time. Recently, glibc (2.34)
added `_FORTIFY_SOURCE=3` to add extra checking. This has been supported in clang
for some time, and is now available in GCC with the release of version 12.
The gains are enhanced buffer size detection and better fortification coverage.
A study [1] showed level 3 improved fortification coverage by nearly 4 times on
average. Extreme examples include the Bash shell going from roughly 3.4% coverage
with level 2 to 47% with level 3. Similarly, sudo went from 1.3% to 49.57%.
[1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level#2__better_fortification_coverage
Specification
-------------
CFLAGS in the distribtion packaging makepkg.conf would change from
`-D_FORTIFY_SOURCE=2` to `-D_FORTIFY_SOURCE=3`.
Some applications use `malloc_usable_size` (despite the glibc manual stating
it is for diagnostic purposes only). This is currently incompatible with
`_FORTIFY_SOURCE=3`, so these packages will need to continue using level 2 by
modifying `C{,XX}FLAGS` in the PKGBUILD. A TODO list will be created for all
such packages on adoption of this proposal.
Drawbacks
---------
Some claims of performance overhead have been made, but these are likely
overblown [2]. Most of the checks are at compile time, and this change is being
adopted by OpenSUSE, Fedora and Gentoo (in their hardened profile).
[2] https://siddhesh.in/posts/fortify-source-3-performance.html
Unresolved Questions
--------------------
None.
Alternatives Considered
-----------------------
None.
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment