[DTrace-devel] [PATCH 2/2] libcommon: turn off FORTIFY_SOURCE more aggressively
Kris Van Hees
kris.van.hees at oracle.com
Thu Jan 16 22:09:57 UTC 2025
On Thu, Jan 16, 2025 at 09:33:32PM +0000, Nick Alcock wrote:
> This is incompatible with dof_parser_t's use of trailing strings of
> variable length, and buys us nothing anyway since we're running in a
> seccomped parser child and any buffer overruns are harmless and cannot
> result in anything other than a dying child. We were already -U'ing
> FORTIFY_SOURCE in libcommon_CPPFLAGS, but that precedes CFLAGS on the
> command line, so if the build system passes -D_FORTIFY_SOURCE there, it
> still takes effect.
>
> Use _NOCFLAGS and _NOCPPFLAGS to explicitly disable every level of
> fortification that currently exists.
>
> Signed-off-by: Nick Alcock <nick.alcock at oracle.com>
Reviewed-by: Kris Van Hees <kris.van.hees at oracle.com>
> ---
> libcommon/Build | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/libcommon/Build b/libcommon/Build
> index fd54dc044f9af..00c0d46d125e4 100644
> --- a/libcommon/Build
> +++ b/libcommon/Build
> @@ -10,4 +10,6 @@ libcommon_TARGET = libcommon
> libcommon_DIR := $(current-dir)
> libcommon_CPPFLAGS := -Ilibcommon -Ilibproc -U_FORTIFY_SOURCE
> libcommon_SOURCES = dof_parser.c dof_parser_host.c dt_list.c
> +libcommon_NOCFLAGS := -D_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 -D_FORTIFY_SOURCE=2 -D_FORTIFY_SOURCE=3
> +libcommon_NOCPPFLAGS := -D_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 -D_FORTIFY_SOURCE=2 -D_FORTIFY_SOURCE=3
> libcommon_LIBSOURCES = libcommon
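Review bot: the two added lines (libcommon_NOCFLAGS and libcommon_NOCPPFLAGS) carry no comment saying why fortification is stripped for libcommon, so the rationale given in the commit message (dof_parser_t's variable-length trailing strings, and the parser running in a seccomped child) is lost to anyone reading libcommon/Build on its own. A short comment above them would fix that. It could also note that the list spells out -D_FORTIFY_SOURCE with levels 1 to 3 only: assuming these variables remove flags by exact match, a future level or a differently spelled flag would not be caught and the list would need extending. The same four-flag list is written out twice; if the build system allows it, defining it once and using it for both variables would keep the two from drifting apart.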
> --
> 2.47.1.279.g84c5f4e78e
>