You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md
+9-3Lines changed: 9 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -631,6 +631,8 @@ Internally `-D_FORTIFY_SOURCE` relies on the built-in functions for object size
631
631
632
632
Applications that incorrectly use `malloc_usable_size`[^malloc_usable_size] to use the additional size reported by the function may abort at runtime. This is a bug in the application because the additional size reported by `malloc_usable_size` is not generally safe to dereference and is for diagnostic uses only. The correct fix for such issues is to avoid using `malloc_usable_size` as the glibc manual specifically states that it is for diagnostic purposes *only*[^malloc_usable_size]. On many Linux systems these incorrect uses can be detected by running `readelf -Ws <path>` on the ELF binaries and searching for `malloc_usable_size@GLIBC`[^kpyrd23]. If avoiding `malloc_usable_size` is not possible, one may call `realloc` to resize the block to its usable size and to benefit from `_FORTIFY_SOURCE=3`.
633
633
634
+
Additionally, `_FORTIFY_SOURCE` is currently incompatible with [AddressSanitizer](#-fsanitize=address) (and other sanitizers[^Ostapenko16]) as they do not support source fortification. As a result, sanitizers can misbehave on binaries with source fortification enabled (they either produces false negatives or false positives). Consequently we do not recommend enabling `_FORTIFY_SOURCE` for instrumented test builds where sanitizers are used. Since most Linux distributions enable `_FORTIFY_SOURCE` by default[^compiler-flags-distro], it may need to be explicitly disabled for such sanitizer-instrumented test builds.
635
+
634
636
[^glibc-fortification]: GNU C Library team, [Source Fortification in the GNU C Library](https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html), GNU C Library (glibc) manual, 2023-02-01.
635
637
636
638
[^Poyarekar23]: Poyarekar, Siddhesh, [How to improve application security using _FORTIFY_SOURCE=3](https://developers.redhat.com/articles/2023/02/06/how-improve-application-security-using-fortifysource3), Red Hat Developer, 2023-02-06.
@@ -645,6 +647,8 @@ Applications that incorrectly use `malloc_usable_size`[^malloc_usable_size] to u
645
647
646
648
[^kpyrd23]: kpcyrd, [Task Todo List Prepare packages for -D_FORTIFY_SOURCE=3](https://archlinux.org/todo/prepare-packages-for-d_fortify_source3/), Arch Linux Task Todo List, 2023-09-05.
647
649
650
+
[^Ostapenko16]: Ostapenko, Maxim, [Do not allow asan/msan/tsan and fortify at the same time.](https://inbox.sourceware.org/libc-alpha/[email protected]/), GNU C Library mailing list, 2016-09-05.
651
+
648
652
---
649
653
650
654
### Precondition checks for C++ standard library calls
@@ -1298,9 +1302,9 @@ Table 4: Sanitizer options in GCC and Clang.
|<span id="-fsanitize=address">`-fsanitize=address`</span>| GCC 4.8.0<br/>Clang 3.1.0 | Enables AddressSanitizer to detect memory errors at run-time |
1304
1308
1305
1309
AddressSanitizer (ASan) is a memory error detector that can identify memory defects that involve:
1306
1310
@@ -1330,6 +1334,8 @@ When ASan encounters a memory error it (by default) terminates the application a
1330
1334
1331
1335
ASan cannot be used simultaneously with ThreadSanitizer. It is not possible to mix ASan-instrumented code produced by GCC with ASan-instrumented code produced Clang as the ASan implementations in GCC and Clang are mutually incompatible.
1332
1336
1337
+
Additionally, ASan is known to report false negatives if combined with [`-D_FORTIFY_SOURCE`](#-D_FORTIFY_SOURCE=3) [^Ostapenko16].
0 commit comments