public inbox for gcc-help@gcc.gnu.org
* Fortify_source and stack-protector-strong
@ 2022-03-01 23:23 Reinoud Koornstra
  2022-03-02 10:22 ` Florian Weimer
  0 siblings, 1 reply; 10+ messages in thread
From: Reinoud Koornstra @ 2022-03-01 23:23 UTC
  To: gcc-help

Hello Everyone,

Is it possible to compile with -stack-protector-strong and FORTIFY_SOURCE=1
or =2?
Or should both be used exclusively from another? Both check for similar
things.
Thanks,

Reinoud.


* Re: Fortify_source and stack-protector-strong
  2022-03-01 23:23 Fortify_source and stack-protector-strong Reinoud Koornstra
@ 2022-03-02 10:22 ` Florian Weimer
  2022-03-02 19:09   ` Reinoud Koornstra
  0 siblings, 1 reply; 10+ messages in thread
From: Florian Weimer @ 2022-03-02 10:22 UTC
  To: Reinoud Koornstra via Gcc-help; +Cc: Reinoud Koornstra

* Reinoud Koornstra via Gcc-help:

> Is it possible to compile with -stack-protector-strong and
> FORTIFY_SOURCE=1 or =2?  Or should both be used exclusively from
> another? Both check for similar things.

They complement each other.  I think most distributions use both these
days (-fstack-protector-strong and -D_FORTIFY_SOURCE=2).

Thanks,
Florian



* Re: Fortify_source and stack-protector-strong
  2022-03-02 10:22 ` Florian Weimer
@ 2022-03-02 19:09   ` Reinoud Koornstra
  2022-03-02 19:46     ` Xi Ruoyao
  0 siblings, 1 reply; 10+ messages in thread
From: Reinoud Koornstra @ 2022-03-02 19:09 UTC
  To: Florian Weimer; +Cc: Reinoud Koornstra via Gcc-help

Hi Florian,

Thanks very much for your reply.
-D_FORTIFY_SOURCE=1 is just during compile time and -D_FORTIFY_SOURCE=2
also has runtime checks for variable length?
Thanks,

Reinoud


* Re: Fortify_source and stack-protector-strong
  2022-03-02 19:09   ` Reinoud Koornstra
@ 2022-03-02 19:46     ` Xi Ruoyao
  2022-03-02 20:05       ` Reinoud Koornstra
  0 siblings, 1 reply; 10+ messages in thread
From: Xi Ruoyao @ 2022-03-02 19:46 UTC
  To: Reinoud Koornstra, Florian Weimer; +Cc: Reinoud Koornstra via Gcc-help

On Wed, 2022-03-02 at 11:09 -0800, Reinoud Koornstra via Gcc-help wrote:
> Hi Florian,
> 
> Thanks very much for your reply.
> -D_FORTIFY_SOURCE=1 is just during compile time and -D_FORTIFY_SOURCE=2
> also has runtime checks for variable length?

Both -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2 determine buffer size
at compile time.  But they are runtime checks: the input size is
compared with the buffer size at runtime.  They are not a pure
compile-time check like -Wstringop-overflow.

-D_FORTIFY_SOURCE=3 supports runtime calculation of variable-length
buffers, but it needs Glibc >= 2.35 and GCC >= 12.0 (not released yet).
-- 
Xi Ruoyao <xry111@mengyan1223.wang>
School of Aerospace Science and Technology, Xidian University


* Re: Fortify_source and stack-protector-strong
  2022-03-02 19:46     ` Xi Ruoyao
@ 2022-03-02 20:05       ` Reinoud Koornstra
  2022-03-02 20:23         ` Xi Ruoyao
  0 siblings, 1 reply; 10+ messages in thread
From: Reinoud Koornstra @ 2022-03-02 20:05 UTC
  To: Xi Ruoyao; +Cc: Florian Weimer, Reinoud Koornstra via Gcc-help

Hi Xi,

Thanks for your reply.
Then what is the difference between -D_FORTIFY_SOURCE=1 and
-D_FORTIFY_SOURCE=2 exactly?
The resulting binary size doesn't seem to differ much?
Thanks,

Reinoud.



* Re: Fortify_source and stack-protector-strong
  2022-03-02 20:05       ` Reinoud Koornstra
@ 2022-03-02 20:23         ` Xi Ruoyao
  2022-03-02 20:45           ` Reinoud Koornstra
  0 siblings, 1 reply; 10+ messages in thread
From: Xi Ruoyao @ 2022-03-02 20:23 UTC
  To: Reinoud Koornstra; +Cc: Florian Weimer, Reinoud Koornstra via Gcc-help

On Wed, 2022-03-02 at 12:05 -0800, Reinoud Koornstra wrote:
> Hi Xi,
> 
> Thanks for your reply.
> Then what is the difference between -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2 exactly?

-D_FORTIFY_SOURCE=1 uses __builtin_object_size(..., 0) as the buffer
size, but -D_FORTIFY_SOURCE=2 uses __builtin_object_size(..., 1).  Read
https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html for the
details.

One case is:

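#include <string.h>

struct frame
{
  int size;
  char buf[0];      /* zero-length array, not a flexible array member */
};

union
{
  struct frame f;
  char padding[100 + sizeof(struct frame)];   /* storage behind buf */
} u;

/* s: NUL-terminated input */
void copy_in(const char *s)
{
  u.f.size = strlen(s) + 1;
  strcpy(u.f.buf, s);
}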

-D_FORTIFY_SOURCE=2 will abort this, but -D_FORTIFY_SOURCE=1 won't. 
(Yes, I know "char buf[0]" should be changed to a flexible array member
"char buf[]" to fix this, but it is just an example.)
-- 
Xi Ruoyao <xry111@mengyan1223.wang>
School of Aerospace Science and Technology, Xidian University
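
The type 0 versus type 1 distinction described in the message above, as an added example that is not part of the original thread. It goes beyond the zero-length array case: `struct account`, the function names and the input string are constructed for illustration, and the checked copy returns -1 where glibc's real check would abort the process.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed array followed by another member. */
struct account { char name[8]; char role[8]; };
static struct account acct;

/* Type 0, as used at _FORTIFY_SOURCE=1: bytes from name to the end of acct. */
size_t limit_whole_object(void) { return __builtin_object_size(acct.name, 0); }

/* Type 1, as used at _FORTIFY_SOURCE=2: bytes in the name member only. */
size_t limit_subobject(void) { return __builtin_object_size(acct.name, 1); }

/* Hypothetical checked copy.  Returns -1 instead of aborting, and skips
   the check when the compiler reports the size as unknown ((size_t)-1). */
static int copy_with_limit(char *dst, const char *src, size_t limit)
{
  size_t need = strlen(src) + 1;
  if (limit != (size_t)-1 && need > limit)
    return -1;
  memcpy(dst, src, need);
  return 0;
}

int set_name_level1(const char *s)
{
  return copy_with_limit(acct.name, s, limit_whole_object());
}

int set_name_level2(const char *s)
{
  return copy_with_limit(acct.name, s, limit_subobject());
}

void reset_account(void)
{
  memset(&acct, 0, sizeof acct);
  memcpy(acct.role, "user", 5);
}

const char *current_role(void) { return acct.role; }

int main(void)
{
  const char *input = "ABCDEFGHIJK";   /* constructed: 12 bytes with the NUL */
  reset_account();
  printf("type0=%zu type1=%zu\n", limit_whole_object(), limit_subobject());
  printf("level 2 style: %d role=%s\n", set_name_level2(input), current_role());
  printf("level 1 style: %d role=%s\n", set_name_level1(input), current_role());
  return 0;
}
```

The 12-byte input fits the whole-object limit, so the level 1 style check lets it run from `name` into the adjacent `role` member, while the subobject limit rejects it.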


* Re: Fortify_source and stack-protector-strong
  2022-03-02 20:23         ` Xi Ruoyao
@ 2022-03-02 20:45           ` Reinoud Koornstra
  2022-03-11 19:01             ` Reinoud Koornstra
  0 siblings, 1 reply; 10+ messages in thread
From: Reinoud Koornstra @ 2022-03-02 20:45 UTC
  To: Xi Ruoyao; +Cc: Florian Weimer, Reinoud Koornstra via Gcc-help

Thanks for the explanation!
Better to use =2 then.
But Stack protector and FORTIFY can be active as compiler arguments at the
same time as I understand. Just the binary size will grow. Thanks,

Reinoud.


* Re: Fortify_source and stack-protector-strong
  2022-03-02 20:45           ` Reinoud Koornstra
@ 2022-03-11 19:01             ` Reinoud Koornstra
  2022-03-12  8:19               ` Xi Ruoyao
  2022-04-19 11:24               ` Florian Weimer
  0 siblings, 2 replies; 10+ messages in thread
From: Reinoud Koornstra @ 2022-03-11 19:01 UTC
  To: Xi Ruoyao; +Cc: Florian Weimer, Reinoud Koornstra via Gcc-help

One more question, for FORTIFY_SOURCE=2, can I use either -O1 or -O2
optimization flags?
I noticed it doesn't like -Os. Thanks,

Reinoud.


* Re: Fortify_source and stack-protector-strong
  2022-03-11 19:01             ` Reinoud Koornstra
@ 2022-03-12  8:19               ` Xi Ruoyao
  2022-04-19 11:24               ` Florian Weimer
  1 sibling, 0 replies; 10+ messages in thread
From: Xi Ruoyao @ 2022-03-12  8:19 UTC
  To: Reinoud Koornstra; +Cc: Florian Weimer, Reinoud Koornstra via Gcc-help

On Fri, 2022-03-11 at 11:01 -0800, Reinoud Koornstra wrote:
> One more question, for FORTIFY_SOURCE=2, can I use either -O1 or -O2
> optimization flags?
> I noticed it doesn't like -Os. Thanks,

Anything other than -O0 will work.  But you should have asked this
question on a Glibc mailing list because _FORTIFY_SOURCE is a feature of
Glibc, not GCC.
-- 
Xi Ruoyao <xry111@mengyan1223.wang>
School of Aerospace Science and Technology, Xidian University


* Re: Fortify_source and stack-protector-strong
  2022-03-11 19:01             ` Reinoud Koornstra
  2022-03-12  8:19               ` Xi Ruoyao
@ 2022-04-19 11:24               ` Florian Weimer
  1 sibling, 0 replies; 10+ messages in thread
From: Florian Weimer @ 2022-04-19 11:24 UTC
  To: Reinoud Koornstra; +Cc: Xi Ruoyao, Reinoud Koornstra via Gcc-help

* Reinoud Koornstra:

> One more question, for FORTIFY_SOURCE=2, can I use either -O1 or -O2
> optimization flags?  I noticed it doesn't like -Os. Thanks,

Historically, I think the expectation was that 1 should be used with -O1
and 2 with -O2.  But I think the required passes run at -O1 as well.

Thanks,
Florian

