From cdc686eecc00d448d724f8e5e5853f88c8ac4e04 Mon Sep 17 00:00:00 2001
From: Keith Packard
Date: Sun, 19 Nov 2023 00:33:23 -0800
Subject: [PATCH] compiler/gcc: _FORTIFY_SOURCE=1 doesn't mean compile-time only checks

_FORTIFY_SOURCE=1 differs from _FORTIFY_SOURCE=2 only in the bounds checking mode that it uses. With _FORTIFY_SOURCE=1, bounds checks are 'loose', allowing access to the whole underlying object, not just the subset referenced in the expression (e.g, the bounds of a struct member is the whole struct, not just the member). With _FORTIFY_SOURCE=2, bounds checks are strict, meaning that the bounds of an expression are limited to the referenced value. Both of these perform their checks at runtime, calling _chk_fail if the bounds check fails. That's done in the __*_chk functions included in the C library. These are always called when _FORTIFY_SOURCE > 0, unless the compiler replaces the call with inline code. GCC already does all of the compile-time bounds checking for string and mem functions when not using -ffreestanding, so there's nothing we need to add for that to work. That means the security_fortify_compile_time property should be empty.

Signed-off-by: Keith Packard
---
 cmake/compiler/gcc/compiler_flags.cmake | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/cmake/compiler/gcc/compiler_flags.cmake b/cmake/compiler/gcc/compiler_flags.cmake
index 5b1dbde49c6..a118fbe570c 100644
--- a/cmake/compiler/gcc/compiler_flags.cmake
+++ b/cmake/compiler/gcc/compiler_flags.cmake
@@ -169,9 +169,11 @@ endif()
 if(NOT CONFIG_NO_OPTIMIZATIONS)
   # _FORTIFY_SOURCE: Detect common-case buffer overflows for certain functions
-  # _FORTIFY_SOURCE=1 : Compile-time checks (requires -O1 at least)
-  # _FORTIFY_SOURCE=2 : Additional lightweight run-time checks
-  set_compiler_property(PROPERTY security_fortify_compile_time _FORTIFY_SOURCE=1)
+  # _FORTIFY_SOURCE=1 : Loose checking (use wide bounds checks)
+  # _FORTIFY_SOURCE=2 : Tight checking (use narrow bounds checks)
+  # GCC always does compile-time bounds checking for string/mem functions, so
+  # there's no additional value to set here
+  set_compiler_property(PROPERTY security_fortify_compile_time)
   set_compiler_property(PROPERTY security_fortify_run_time _FORTIFY_SOURCE=2)
 endif()
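Review bot: The added comment above `set_compiler_property(PROPERTY security_fortify_compile_time)` says GCC "always" does the compile-time string/mem bounds checks, but the commit message itself qualifies that with "when not using -ffreestanding", and that condition should live in the file too, since a reader of compiler_flags.cmake never sees the commit message and -ffreestanding implies -fno-builtin, which is what those checks rely on. The removed line's note that fortification needs at least -O1 was also dropped, so the surrounding `if(NOT CONFIG_NO_OPTIMIZATIONS)` guard is now unexplained. Suggested replacement for the two added explanatory lines: `# GCC's compile-time string/mem bounds checks come from its builtins (disabled by -ffreestanding), so` / `# no extra flag is needed here; both modes need -O1 or better, hence the CONFIG_NO_OPTIMIZATIONS guard.` If a Kconfig choice maps onto the now-empty compile-time property, its help text should presumably state that on GCC it adds no flag, so nobody assumes a check is enabled that is not.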