Should we disable FORTIFY_SOURCE for packages where it is not default?

Should we disable FORTIFY_SOURCE for packages where it is not default?

Jorge Morais-3
From the info page of GCC 4.3.3
NOTE: In Gentoo, `-D_FORTIFY_SOURCE=2' is set by default, and is
     activated when `-O' is set to 2 or higher.  This enables additional
     compile-time and run-time checks for several libc functions.  To
     disable, specify either `-U_FORTIFY_SOURCE' or
     `-D_FORTIFY_SOURCE=0'.

I have seen some FORTIFY_SOURCE bugs in the bugzilla and in some cases,
people claim the bug lies in the FORTIFY_SOURCE feature itself
(that is, people claim that FORTIFY_SOURCE misidentifies a buffer overflow).
One example: http://bugs.gentoo.org/show_bug.cgi?id=257016

I have installed GCC-4.3.3 (but have not enabled it through gcc-config yet),
but my system is otherwise mostly stable.

1) I would like to use GCC-4.3.3 because it is the latest bugfix release
and is presumably more bug-free (correct?).

2) But until FORTIFY_SOURCE is stable on Gentoo, I don't want it.
How can I disable it?
If I add -U_FORTIFY_SOURCE to CPPFLAGS (this would be the correct
place to add it, right?), wouldn't it disable the feature for every
package, even for those that specify FORTIFY_SOURCE on their own?

I want the traditional behavior: packages that ask for FORTIFY_SOURCE
get it, those that don't ask don't get it.

And of course, do you know if FORTIFY_SOURCE has a significant
performance cost and if it is really ready to be default (as in,
it is unlikely for new false positives to appear)?

Also, am I wise to use GCC 4.3.3 compiler in a mostly stable system?

--
Software is like sex: it is better when it is free. --Linus Torvalds

Re: Should we disable FORTIFY_SOURCE for packages where it is not default?

Peter Alfredsen-3
On Wed, 8 Apr 2009 21:39:26 -0300
Jorge Morais <[hidden email]> wrote:

> From the info page of GCC 4.3.3
> NOTE: In Gentoo, `-D_FORTIFY_SOURCE=2' is set by default, and is
>      activated when `-O' is set to 2 or higher.  This enables
> additional compile-time and run-time checks for several libc
> functions.  To disable, specify either `-U_FORTIFY_SOURCE' or
>      `-D_FORTIFY_SOURCE=0'.
>
> I have seen some FORTIFY_SOURCE bugs in the bugzilla and in some
> cases, people claim the bug lies in the FORTIFY_SOURCE feature
> itself (that is, people claim that FORTIFY_SOURCE misidentifies a
> buffer overflow). One example:
> http://bugs.gentoo.org/show_bug.cgi?id=257016

Very rare, but it happens.

> I have installed GCC-4.3.3 (but have not enabled it through
> gcc-config yet), but my system is otherwise mostly stable.
>
> 1) I would like to use GCC-4.3.3 because it is the latest bugfix
> release and is presumably more bug-free (correct?).

So far, yes. Especially users of -march=amdfam10 flag want this
version.

> 2) But until FORTIFY_SOURCE is stable on Gentoo, I don't want it.
> How can I disable it?

CXXFLAGS="-U_FORTIFY_SOURCE"

That's where most ebuilds will pick it up.

> If I add -U_FORTIFY_SOURCE to CPPFLAGS (this would be the correct
> place to add it, right?), wouldn't it disable the feature for every
> package, even for those that specify FORTIFY_SOURCE on their own?

Yes, but in general, packages have not been specifying _FORTIFY_SOURCE.
It's a new feature in recent glibcs that was only made usable in
glibc-2.8.

> I want the traditional behavior: packages that ask for FORTIFY_SOURCE
> get it, those that don't ask don't get it.

Packages don't ask for FORTIFY_SOURCE. They get it, good and hard.
FORTIFY_SOURCE is a one-time pain for longterm gain.

> And of course, do you know if FORTIFY_SOURCE has a significant
> performance cost and if it is really ready to be default (as in,
> it is unlikely for new false positives to appear)?

It has virtually no performance cost.

> Also, am I wise to use GCC 4.3.3 compiler in a mostly stable system?

At the moment, we are only processing bugs about _FORTIFY_SOURCE when
they can be confirmed on ~arch. As long as you're prepared to use
package.keywords liberally, it should be mostly ok.

/loki_val
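An added example, written for this thread rather than taken from it, from GCC or from glibc: a miniature of the compile-time/run-time split that the info page quoted above describes. The names checked_copy, STRCPY_LEVEL1 and STRCPY_LEVEL2, the packet struct and the demo functions are hypothetical stand-ins for glibc's __strcpy_chk and its inline wrappers. glibc's wrappers depend on being inlined into the caller to see the destination object, which is why the feature is tied to optimization; the macro here expands at the call site, so the size is visible either way. The #undef at the top does in the source what -U_FORTIFY_SOURCE does on the command line, keeping glibc's real wrappers out of the translation unit so only the miniature runs. The last two cases show one class of code on which the two fortify levels disagree: a copy that runs off the end of a struct member but stays inside the struct is accepted by level 1 and refused by level 2.

```c
/* Added example (not from the thread, GCC or glibc): a miniature of the
 * compile-time / run-time split behind _FORTIFY_SOURCE.  checked_copy and
 * STRCPY_LEVEL1/2 are hypothetical stand-ins for glibc's __strcpy_chk and
 * its inline wrappers. */

/* Keep glibc's real fortified wrappers out of this translation unit, which
 * is what -U_FORTIFY_SOURCE does from the command line; the miniature below
 * is then the only check that runs. */
#undef _FORTIFY_SOURCE

#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum fortify_result {
    FORTIFY_OK = 0,           /* copy fit and was performed */
    FORTIFY_UNKNOWN_SIZE = 1, /* size not known at compile time: copied unchecked */
    FORTIFY_OVERFLOW = 2      /* copy would leave the destination: refused */
};

/* Run-time half.  glibc's __strcpy_chk calls __chk_fail() here, printing
 * "*** buffer overflow detected ***" and aborting; this version returns a
 * verdict instead so it can be inspected.  noinline keeps the compiler from
 * learning dst's real size by inlining this into the callers below. */
__attribute__((noinline))
static enum fortify_result checked_copy(char *dst, const char *src, size_t dst_size)
{
    if (dst_size == (size_t)-1) {
        strcpy(dst, src);
        return FORTIFY_UNKNOWN_SIZE;
    }
    if (strlen(src) + 1 > dst_size)
        return FORTIFY_OVERFLOW;
    strcpy(dst, src);
    return FORTIFY_OK;
}

/* Compile-time half.  __builtin_object_size(ptr, type) is folded by the
 * compiler into the number of bytes from ptr to the end of the object it
 * points into, or (size_t)-1 when that cannot be determined.
 *   type 0: the whole enclosing object            (what _FORTIFY_SOURCE=1 uses)
 *   type 1: the innermost subobject, e.g. a member (what _FORTIFY_SOURCE=2 uses) */
#define STRCPY_LEVEL1(dst, src) checked_copy((dst), (src), __builtin_object_size((dst), 0))
#define STRCPY_LEVEL2(dst, src) checked_copy((dst), (src), __builtin_object_size((dst), 1))

/* A genuine overflow is caught before any byte is written. */
enum fortify_result demo_fits(void)     { char buf[16]; return STRCPY_LEVEL2(buf, "hello"); }
enum fortify_result demo_overflow(void) { char buf[8];  return STRCPY_LEVEL2(buf, "this is too long"); }

/* A pointer of unknown provenance gets no protection at all: the check is
 * only as good as what the compiler can see at the call site. */
__attribute__((noinline))
enum fortify_result demo_unknown(char *dst) { return STRCPY_LEVEL2(dst, "x"); }

/* The level 1 / level 2 difference.  Level 1 measures from tag to the end of
 * the struct (16 bytes); level 2 measures only the tag member (4 bytes). */
struct packet { char tag[4]; char payload[12]; };

size_t tag_size_level1(void) { struct packet p; return __builtin_object_size(p.tag, 0); }
size_t tag_size_level2(void) { struct packet p; return __builtin_object_size(p.tag, 1); }

/* Code that deliberately writes through tag into payload stays inside the
 * struct, so level 1 accepts it while level 2 refuses it: a pattern on which
 * a program and the stricter level disagree about what counts as an overflow. */
enum fortify_result cross_member_level1(void) { struct packet p; return STRCPY_LEVEL1(p.tag, "abcdef"); }
enum fortify_result cross_member_level2(void) { struct packet p; return STRCPY_LEVEL2(p.tag, "abcdef"); }

int main(void)
{
    char scratch[32];
    printf("fits: %d  overflow: %d  unknown: %d\n",
           demo_fits(), demo_overflow(), demo_unknown(scratch));
    printf("tag size level1: %zu  level2: %zu\n", tag_size_level1(), tag_size_level2());
    printf("cross-member level1: %d  level2: %d\n",
           cross_member_level1(), cross_member_level2());
    return 0;
}
```

Compile it once with and once without -O2: the folded sizes are the same, because the macro puts __builtin_object_size directly where the array is visible. The real glibc checks differ in that respect, since they live in inline wrappers and only see the caller's object once inlining has happened.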

Re: Should we disable FORTIFY_SOURCE for packages where it is not default?

Peter Alfredsen-3
On Fri, 10 Apr 2009 14:55:36 +0200
Peter Alfredsen <[hidden email]> wrote:

> CXXFLAGS="-U_FORTIFY_SOURCE"
>
> That's where most ebuilds will pick it up.

+CFLAGS of course.

D'oh.

/loki_val

Re: Should we disable FORTIFY_SOURCE for packages where it is not default?

Jorge Morais-3
On Fri, 10 Apr 2009 14:55:36 +0200
Peter Alfredsen <[hidden email]> wrote:

> > I have seen some FORTIFY_SOURCE bugs in the bugzilla and in some
> > cases, people claim the bug lies in the FORTIFY_SOURCE feature
> > itself (that is, people claim that FORTIFY_SOURCE misidentifies a
> > buffer overflow). One example:
> > http://bugs.gentoo.org/show_bug.cgi?id=257016
>
> Very rare, but it happens.
>
> > I have installed GCC-4.3.3 (but have not enabled it through
> > gcc-config yet), but my system is otherwise mostly stable.
> >
> > 1) I would like to use GCC-4.3.3 because it is the latest bugfix
> > release and is presumably more bug-free (correct?).
>
> So far, yes. Especially users of -march=amdfam10 flag want this
> version.

Thank you.
And do you know of any other new behavior from GCC-4.3.2 to GCC-4.3.3
aside from FORTIFY_SOURCE and warning options such as -Wformat?

>
> > 2) But until FORTIFY_SOURCE is stable on Gentoo, I don't want it.
> > How can I disable it?
>
> CXXFLAGS="-U_FORTIFY_SOURCE"
>
> That's where most ebuilds will pick it up.

Sorry to take your time, but CXXFLAGS? Isn't that for extra flags
for the C++ compiler? Isn't the appropriate place CPPFLAGS (extra
flags for the C preprocessor)?
I even remember a Gentoo bug report in which someone criticized a user
for putting a macro definition in CFLAGS, and said that certain ebuilds
could fail because of it.

> > Also, am I wise to use GCC 4.3.3 compiler in a mostly stable system?
>
> At the moment, we are only processing bugs about _FORTIFY_SOURCE when
> they can be confirmed on ~arch. As long as you're prepared to use
> package.keywords liberally, it should be mostly ok.

A suggestion: with this kind of tracker (like bug 259417), don't
you think it would be useful to have separate trackers for build-time
bugs and run-time bugs? This way, users who want to test the new feature
(GCC-4.3.3 and _FORTIFY_SOURCE in this case) can easily see if there are
run-time bugs affecting them.
Build-time bugs are much less worrisome for me.
Well, this is a suggestion that seems convenient for users, but you
obviously know far more about Gentoo bug-squashing than me.

Thank you for your time.
--
Software is like sex: it is better when it is free. --Linus Torvalds