disabling FORTIFY_SOURCE
Kees Cook
kees at ubuntu.com
Sat Oct 23 12:44:58 CDT 2010
Hi,
It seems to me that disabling FORTIFY_SOURCE is a mistake. It offers
a great many protections, and virtually every distribution has very
intentionally turned on this compiler flag by default. Given Wine's
size[1], I would argue the benefits[2] outweigh the hassle of rearranging
the structures and accessors to not trick the compiler into allocating
memory beyond the end of the structure for incoming strings.
It has found, at least in other projects, a lot of potential problems,
and better yet, has repeatedly turned exploitable vulnerabilities into
simple denial of services. I realize it's a bit of a pain to work with
given how you're building some of the structures, but I'd like to ask
that it not be globally disabled.
Thanks,
-Kees
[1] $ find . -type f -name '*.[ch]' | xargs wc -l | grep total
2678911 total
[2] Some details at https://wiki.ubuntu.com/CompilerFlags#-D_FORTIFY_SOURCE=2
but at least the following...
Compile time:
- static buffer length checks
- missed return values
- open() checks for missing mode when used with O_CREAT
Run time:
- dynamic buffer length checks
- dynamic format string safety check
- dynamic format position safety checks
Functions with buffer length (or other) checks:
asprintf confstr dprintf fgets fgetws fprintf fread fwprintf getcwd
getdomainname getgroups gethostname getlogin_r gets getwd longjmp
mbsnrtowcs mbsrtowcs mbstowcs memcpy memmove mempcpy memset pread64 pread
printf ptsname_r read readlinkat readlink realpath recv recvfrom snprintf
sprintf stpcpy stpncpy strcat strcpy strncat strncpy swprintf syslog
ttyname_r vasprintf vdprintf vfprintf vfwprintf vprintf vsnprintf vsprintf
vswprintf vsyslog vwprintf wcpcpy wcpncpy wcrtomb wcscat wcscpy wcsncat
wcsncpy wcsnrtombs wcsrtombs wcstombs wctomb wmemcpy wmemmove wmempcpy
wmemset wprintf
--
Kees Cook
Ubuntu Security Team
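To make concrete what the mail means by structures that "trick the compiler", here is an added example (my own, not Wine's code): the classic nominal 1-byte trailing array that is over-allocated at run time, beside the C99 flexible-array-member form that FORTIFY_SOURCE handles cleanly, plus an explicit bounds check that mirrors what the fortified __strcpy_chk wrapper does. The struct names, fields and copy_name() helper are invented for illustration. The abort behaviour described in the comments only appears when glibc headers are compiled with -O2 -D_FORTIFY_SOURCE=2; the block itself runs without those flags.

```c
/* Added example: trailing-array layouts under FORTIFY_SOURCE (not Wine code). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Legacy pattern: a nominal 1-byte array whose storage is over-allocated at
   run time. With -O2 -D_FORTIFY_SOURCE=2 the compiler evaluates
   __builtin_object_size(e->name, 1) to sizeof(e->name) == 1, so a fortified
   strcpy() into it aborts at run time for any string longer than "" even
   though malloc() provided enough room. This is the kind of layout the mail
   asks to rearrange rather than turning the flag off globally. */
struct legacy_entry {
    unsigned int id;
    char name[1];       /* hypothetical field; real code would over-allocate past it */
};

/* C99 flexible array member: the compiler cannot know the size, so the
   fortified wrappers fall back to the unchecked call and do not false-abort.
   The bounds check then has to be explicit, which is what copy_name() does. */
struct fam_entry {
    unsigned int id;
    size_t name_cap;    /* bytes available in name[], including the NUL */
    char name[];
};

/* Explicit length check with the same policy as __strcpy_chk: refuse the
   copy (return -1) instead of writing past dst_cap. */
static int copy_name(char *dst, size_t dst_cap, const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > dst_cap)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Allocate a fam_entry sized for `name`, using offsetof() so the flexible
   array's storage is counted exactly once. */
struct fam_entry *fam_entry_new(unsigned int id, const char *name)
{
    size_t cap = strlen(name) + 1;
    struct fam_entry *e = malloc(offsetof(struct fam_entry, name) + cap);
    if (!e)
        return NULL;
    e->id = id;
    e->name_cap = cap;
    copy_name(e->name, e->name_cap, name);   /* cannot fail: cap was sized for name */
    return e;
}

/* Bytes the legacy pattern must request for `name`, versus the single byte
   the compiler believes name[] holds (see legacy_declared_name_size). */
size_t legacy_alloc_size(const char *name)
{
    return offsetof(struct legacy_entry, name) + strlen(name) + 1;
}

size_t legacy_declared_name_size(void)
{
    return sizeof(((struct legacy_entry *)0)->name);   /* == 1, unevaluated */
}

/* Returns 1 if a constructed name round-trips through a fam_entry. */
int demo_fam_roundtrip(void)
{
    struct fam_entry *e = fam_entry_new(7, "wine-devel");   /* constructed input */
    int ok = e && e->id == 7 && e->name_cap == 11 &&
             strcmp(e->name, "wine-devel") == 0;
    free(e);
    return ok;
}

/* Returns the result of copying a 7-char name into a 4-byte buffer:
   -1, i.e. refused rather than overflowed. */
int demo_reject_overlong(void)
{
    char small[4];
    return copy_name(small, sizeof small, "toolong");   /* constructed input */
}

int main(void)
{
    printf("legacy: compiler sees %zu byte(s), code allocates %zu for \"wine-devel\"\n",
           legacy_declared_name_size(), legacy_alloc_size("wine-devel"));
    printf("fam round-trip ok: %d, overlong copy refused: %d\n",
           demo_fam_roundtrip(), demo_reject_overlong() == -1);
    return 0;
}
```

The point of the comparison: with the nominal-size array the fortify check fires on correct code, which is the "hassle" the mail refers to, while with a flexible array member the compiler stays quiet and the program keeps a real, explicit bounds check of its own. Either way the compile-time and run-time checks on the rest of the code base remain in force.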