Commit a0e9336

committed
ASan is incompatible with -D_FORTIFY_SOURCE
Signed-off-by: Thomas Nyman <[email protected]>
1 parent 516ef69 commit a0e9336

File tree

1 file changed

+9
-3
lines changed

docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -631,6 +631,8 @@ Internally `-D_FORTIFY_SOURCE` relies on the built-in functions for object size
631631

632632
Applications that incorrectly use `malloc_usable_size`[^malloc_usable_size] to use the additional size reported by the function may abort at runtime. This is a bug in the application because the additional size reported by `malloc_usable_size` is not generally safe to dereference and is for diagnostic uses only. The correct fix for such issues is to avoid using `malloc_usable_size` as the glibc manual specifically states that it is for diagnostic purposes *only* [^malloc_usable_size]. On many Linux systems these incorrect uses can be detected by running `readelf -Ws <path>` on the ELF binaries and searching for `malloc_usable_size@GLIBC`[^kpyrd23]. If avoiding `malloc_usable_size` is not possible, one may call `realloc` to resize the block to its usable size and to benefit from `_FORTIFY_SOURCE=3`.
633633

634+
Additionally, `_FORTIFY_SOURCE` is currently incompatible with [AddressSanitizer](#-fsanitize=address) (and other sanitizers[^Ostapenko16]) as they do not support source fortification. As a result, sanitizers can misbehave on binaries with source fortification enabled (they either produces false negatives or false positives). Consequently we do not recommend enabling `_FORTIFY_SOURCE` for instrumented test builds where sanitizers are used. Since most Linux distributions enable `_FORTIFY_SOURCE` by default[^compiler-flags-distro], it may need to be explicitly disabled for such sanitizer-instrumented test builds.
635+
634636
[^glibc-fortification]: GNU C Library team, [Source Fortification in the GNU C Library](https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html), GNU C Library (glibc) manual, 2023-02-01.
635637

636638
[^Poyarekar23]: Poyarekar, Siddhesh, [How to improve application security using _FORTIFY_SOURCE=3](https://developers.redhat.com/articles/2023/02/06/how-improve-application-security-using-fortifysource3), Red Hat Developer, 2023-02-06.
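Review bot: the added paragraph has a subject-verb agreement error in the parenthetical "they either produces false negatives or false positives"; it should read "they either produce false negatives or false positives". Also consider a comma after "Consequently" and keeping the description of the failure mode consistent with the AddressSanitizer section, which describes the same interaction only as "false negatives". The `[AddressSanitizer](#-fsanitize=address)` link depends on the `<span id="-fsanitize=address">` anchor introduced in the table change further down, so the two hunks must land together.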
@@ -645,6 +647,8 @@ Applications that incorrectly use `malloc_usable_size`[^malloc_usable_size] to u
645647

646648
[^kpyrd23]: kpcyrd, [Task Todo List Prepare packages for -D_FORTIFY_SOURCE=3](https://archlinux.org/todo/prepare-packages-for-d_fortify_source3/), Arch Linux Task Todo List, 2023-09-05.
647649

650+
[^Ostapenko16]: Ostapenko, Maxim, [Do not allow asan/msan/tsan and fortify at the same time.](https://inbox.sourceware.org/libc-alpha/[email protected]/), GNU C Library mailing list, 2016-09-05.
651+
648652
---
649653

650654
### Precondition checks for C++ standard library calls
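Review bot: the URL in the new `[^Ostapenko16]` footnote contains "[email protected]" where the mailing-list message ID should be, which looks like address obfuscation leaking into the link; verify that the link resolves to the actual libc-alpha thread before merging. Minor style point: the link text ends with a period inside the brackets ("... at the same time.") while the neighbouring footnotes do not; drop the trailing period unless it is meant to reproduce the mail subject verbatim.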
@@ -1298,9 +1302,9 @@ Table 4: Sanitizer options in GCC and Clang.
12981302
12991303
### AddressSanitizer
13001304
1301-
| Compiler Flag | Supported since | Description |
1302-
|:---------------------- |:---------------------:|:--------------------------------------------------------------------------- |
1303-
| `-fsanitize=address` | GCC 4.8.0<br/>Clang 3.1.0 | Enables AddressSanitizer to detect memory errors at run-time |
1305+
| Compiler Flag | Supported since | Description |
1306+
|:---------------------------------------------------------- |:-------------------------:|:--------------------------------------------------------------------------- |
1307+
| <span id="-fsanitize=address">`-fsanitize=address`</span> | GCC 4.8.0<br/>Clang 3.1.0 | Enables AddressSanitizer to detect memory errors at run-time |
13041308
13051309
AddressSanitizer (ASan) is a memory error detector that can identify memory defects that involve:
13061310
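Review bot: wrapping the flag in `<span id="-fsanitize=address">` inside a table cell works for in-document links on rendered Markdown, but the `id` value starts with a hyphen and contains `=`, so it cannot be used unescaped in a CSS selector or `querySelector` call; if the guide already has a convention for anchor ids on other flags, follow it here so the `#-fsanitize=address` reference added earlier in this diff stays valid. The widened first column of the separator row keeps the table aligned with the longer cell, which is fine.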
@@ -1330,6 +1334,8 @@ When ASan encounters a memory error it (by default) terminates the application a
13301334
13311335
ASan cannot be used simultaneously with ThreadSanitizer. It is not possible to mix ASan-instrumented code produced by GCC with ASan-instrumented code produced Clang as the ASan implementations in GCC and Clang are mutually incompatible.
13321336
1337+
Additionally, ASan is known to report false negatives if combined with [`-D_FORTIFY_SOURCE`](#-D_FORTIFY_SOURCE=3) [^Ostapenko16].
1338+
13331339
[^asan-flags]: LLVM Sanitizers team, [AddressSanitizerFlags](https://github.com/google/sanitizers/wiki/AddressSanitizerFlags), GitHub google/sanitizers Wiki, 2019-05-15.
13341340
13351341
[^asan]: LLVM Sanitizers team, [AddressSanitizer](https://github.com/google/sanitizers/wiki/AddressSanitizer), GitHub google/sanitizers Wiki, 2019-05-15.
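Review bot: the new sentence links to `#-D_FORTIFY_SOURCE=3`, but no anchor with that id is added or visible in this diff; confirm that a matching `<span id="-D_FORTIFY_SOURCE=3">` already exists in the `_FORTIFY_SOURCE` table, otherwise the link is dead. The sentence also states only "false negatives", whereas the paragraph added in the `_FORTIFY_SOURCE` section says "false negatives or false positives"; pick one wording for both places. Pre-existing nit in the unchanged context line: "ASan-instrumented code produced Clang" is missing "by".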