think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing
Just to share with fellow developers, in particular those who maintain
scientific software projects which still quite often come without
thorough unittests batteries.
Within NeuroDebian we have been preparing a package of AFNI (which now could
soon be uploaded to Debian proper) which, unfortunately, does not have/ship any
test suite. To add oil into the fire, for "proper" building we maintain
a separate cmake build infrastructure.
Recently I have (blindly) enabled hardening flags and was pleasantly surprised
that no major issues popped up. Yesterday I got a report from users that
a command providing a simple 'math' interface fails to compute a simple
$> /usr/lib/afni/bin/ccalc -eval 1000 \* 10
long story short -- reason was the combination of optimization (-O1 was enough)
+ -D_FORTIFY_SOURCE=2 to fall into the "undefined" darkness of C standard(s)
in s*printf() functions (man 3 sprintf, search for undefined or NOTES).
On "your" code you could look for some (no multiline or more complex
expressions, no snprintf) hits in sprintf with following grep
grep -re 'sprintf(\s*\(\w\+\)\s*,[^,]\+,\s*\1\>' *
unfortunately codesearch.d.n seems to not have support for referencing a
group in regexp yet, thus couldn't search for obvious hits within archive.
If anyone comes up with proper parser/analyzer to catch those -- I would
be very grateful (I am surprised that gcc doesn't issue any warning).
To mitigate this issue, besides reporting upstream, for now I had to disable
this fortification with
DEB_BUILD_HARDENING_FORTIFY := 0
preceding inclusion of /usr/share/hardening-includes/hardening.make
P.S. Written with the sole hope to save someone unpleasant (or even
painful) moments of stepping into this issue on your own.
Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate, Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834 Fax: +1 (603) 646-1419