[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: think twice before enabling -D_FORTIFY_SOURCE=2 for C projects without thorough build-time testing

On Fri, 20 Sep 2013, Bastian Blank wrote:

> On Fri, Sep 20, 2013 at 03:05:37PM -0400, Yaroslav Halchenko wrote:
> > long story short -- reason was the combination of optimization (-O1 was enough)
> > +  -D_FORTIFY_SOURCE=2 to fall into the "undefined"  darkness of C standard(s)
> > in s*printf() functions (man 3 sprintf, search for undefined or NOTES).

> So the code is already full of undefined behaviour?

yes. but so far it was (surprisingly) consistent behaviour so far...

> > On "your" code you could look for some (no multiline or more complex
> > expressions, no snprintf) hits in sprintf with following grep
> > grep -re 'sprintf(\s*\(\w\+\)\s*,[^,]\+,\s*\1\>' *

> You search for a sprintf that references the same variable both as
> source and destination?


> C99 clearly stats:
> | If copying takes place between objects that overlap, the behavior is
> | undefined.

> > To mitigate this issue, besides reporting upstream, for now I had to disable
> > this fortification with
> > preceding inclusion of /usr/share/hardening-includes/hardening.make

> I would call code that hits such clear definitions too buggy to be
> supported.

yeah -- let's burn it!!!... oh no -- I am using it, so I guess I
better fix/report bugs ;-)

Yaroslav O. Halchenko, Ph.D.
http://neuro.debian.net http://www.pymvpa.org http://www.fail2ban.org
Senior Research Associate,     Psychological and Brain Sciences Dept.
Dartmouth College, 419 Moore Hall, Hinman Box 6207, Hanover, NH 03755
Phone: +1 (603) 646-9834                       Fax: +1 (603) 646-1419
WWW:   http://www.linkedin.com/in/yarik        

Reply to: