Increase _FORTIFY_SOURCE level to 3 #

• Date proposed: 2023-01-05
• RFC MR: https://gitlab.archlinux.org/archlinux/rfcs/-/merge_requests/0017

Summary #

Adjust packaging CFLAGS from -D_FORTIFY_SOURCE=2 to -D_FORTIFY_SOURCE=3 for better fortification coverage

Motivation #

For a long time, we have been using -D_FORTIFY_SOURCE=2 in our build flags to detect C memory management problems at build time. Recently, glibc (2.34) added \_FORTIFY_SOURCE=3 to add extra checking. This has been supported in clang for some time, and is now available in GCC with the release of version 12.

The gains are enhanced buffer size detection and better fortification coverage.

A study showed level 3 improved fortification coverage by nearly 4 times on average. Extreme examples include the Bash shell going from roughly 3.4% coverage with level 2 to 47% with level 3. Similarly, sudo went from 1.3% to 49.57%.

Specification #

CFLAGS in the distribution packaging makepkg.conf would change from -D_FORTIFY_SOURCE=2 to -D_FORTIFY_SOURCE=3.

Some applications use malloc_usable_size (despite the glibc manual stating it is for diagnostic purposes only). This is currently incompatible with \_FORTIFY_SOURCE=3, so these packages will need to continue using level 2 by modifying C{,XX}FLAGS in the PKGBUILD. A TODO list will be created for all such packages on adoption of this proposal.

Drawbacks #

Some claims of performance overhead have been made, but these are likely overblown. Most of the checks are at compile time, and this change is being adopted by OpenSUSE, Fedora and Gentoo (in their hardened profile).

Unresolved Questions #

None.

Alternatives Considered #

None.