disabling FORTIFY_SOURCE

Alexandre Julliard julliard at winehq.org
Sun Oct 24 03:32:58 CDT 2010


Kees Cook <kees at ubuntu.com> writes:

> It seems to me that disabling FORTIFY_SOURCE is a mistake. It offers
> a great many protections, and virtually every distribution has very
> intentionally turned on this compiler flag by default. Given Wine's
> size[1], I would argue the benefits[2] outweigh the hassle of rearranging
> the structures and accessors to not trick the compiler into allocating
> memory beyond the end of the structure for incoming strings.
>
> It has found, at least in other projects, a lot of potential problems,
> and better yet, has repeatedly turned exploitable vulnerabilities into
> simple denials of service.

So far in Wine, all it has done is repeatedly turn perfectly valid code
into denial of service.

Actually, even if Fortify worked correctly, the benefits would most
likely be small, given that we make little use of the standard libc
functions. Though given the trouble we've had so far, I shudder to think
what would happen if we used libc functions all over the place.

Fortify is a nice idea in theory, and I'd certainly encourage developers
to enable it to see if it catches anything useful. But at this point
it's not reliable enough to be forced upon end users.

-- 
Alexandre Julliard
julliard at winehq.org


