Add _FORTIFY_SOURCE=3 to distribution build flags
Replace the current _FORTIFY_SOURCE=2 with _FORTIFY_SOURCE=3 to improve mitigation of security issues arising from buffer overflows in packages in Fedora.
- Name: Siddhesh Poyarekar
- Email: firstname.lastname@example.org
- Bugzilla email: email@example.com
- Targeted release: Fedora Linux 38
- Last updated: 2023-01-04
- devel thread
- FESCo issue: #2917
- Tracker bug: #2158232
- Release notes issue: #942
The default C and C++ compiler flags used to build packages in Fedora currently include -Wp,-D_FORTIFY_SOURCE=2, which enables fortification of some functions in glibc and thus provides some mitigation against buffer overflows. Since glibc 2.34 and GCC 12, there has been a new fortification level (_FORTIFY_SOURCE=3) which improves the coverage of this mitigation.
The core change to bring in this mitigation is to change the default build flags in redhat-rpm-config so that packages are built by default with -Wp,-D_FORTIFY_SOURCE=3. There are packages (e.g. systemd) that do not interact well with _FORTIFY_SOURCE and will need a workaround to downgrade fortification to level 2. The change will also include this override.
Benefit to Fedora
Analysis of packages in Fedora rawhide indicates that the improvement in mitigation coverage is on average over 2.4x, in some cases protecting more than half of the fortified glibc calls in the target application.
This change will thus harden Fedora to a significant extent, making it a more secure distribution out of the box.
Status in other distributions
- All packages in OpenSUSE ALP are built with _FORTIFY_SOURCE=3 by default.
- Gentoo is considering making _FORTIFY_SOURCE=3 the default level for their
- Proposal owners: Post a merge request to redhat-rpm-config with the actual change to build flags.
- Other developers: Resolve bugs filed for build failures, either by fixing the bug exposed by _FORTIFY_SOURCE=3 or by disabling _FORTIFY_SOURCE=3 for the package if it is a false positive or if the package is unable to adapt to the change.
- Release engineering: Mass rebuild required, ticket here: https://pagure.io/releng/issue/11173
- Policies and guidelines: Guidelines should include a workaround for packages that fail to build with -Wp,-D_FORTIFY_SOURCE=3 due to a false positive.
- Trademark approval: N/A (not needed for this Change)
No ABI change, so there should be no impact on compatibility in a mixed environment.
How To Test
- Nearly 10,000 source packages were built in copr with this flag using the mass prebuilder (and subsequently by hand to rule out transient issues) and failures reported; the list is maintained in the spreadsheet. The only package failure in the core OS is systemd, and it has already been reported upstream. systemd will have to be built without fortification until that issue is resolved.
- Package maintainers should smoke test their packages after rebuild to ensure that no new bugs are found. Some packages may have overflows exposed at runtime, which may need to be fixed.
No user-visible functional change.
Since _FORTIFY_SOURCE=3 generates size expressions instead of the constants used by _FORTIFY_SOURCE=2, and also succeeds in fortifying calls in more cases than _FORTIFY_SOURCE=2, there is a theoretical concern of a performance overhead. Tests using SPEC2000 and SPEC2017 show no real difference between _FORTIFY_SOURCE=2 and _FORTIFY_SOURCE=3, which indicates that there is no general slowdown due to this feature. Hence this concern is limited to cases where the fortified function is in the hot path and, at the same time, the size expression needs to be evaluated separately in each iteration of the hot path. Per-application performance benchmarks may be useful in understanding the impact for those specific use cases.
In practice, no performance issues have been reported in distributions that have already enabled _FORTIFY_SOURCE=3 by default. The Linux kernel will improve its fortification to match _FORTIFY_SOURCE=3 by default in a future release.
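The two mechanisms described above (level 2 needing a compile-time constant size, level 3 working from a size expression) are shown in this added example, which is not code from this Change page or from redhat-rpm-config; it calls the compiler builtins that glibc's fortified wrappers are built on, and the function and variable names are my own. It assumes GCC 12 or newer (clang 9 or newer also has the dynamic builtin) and must be built with -O1 or higher, since object sizes, like fortification itself, are only computed when optimizing.

```c
/* Added example, not from the Change page or redhat-rpm-config.
 * _FORTIFY_SOURCE=2 checks use __builtin_object_size(), which must fold
 * to a compile-time constant; _FORTIFY_SOURCE=3 uses
 * __builtin_dynamic_object_size(), which may be a size expression such as
 * the malloc() argument.  Build with -O2 so the sizes are computed. */
#include <stddef.h>
#include <stdlib.h>

/* Compilers older than GCC 12 / clang 9 lack the dynamic builtin; fall back
 * to the level-2 builtin so the file still compiles (and reports UNKNOWN). */
#ifdef __has_builtin
#  if __has_builtin(__builtin_dynamic_object_size)
#    define HAVE_BDOS 1
#  endif
#endif
#ifndef HAVE_BDOS
#  define __builtin_dynamic_object_size(ptr, type) __builtin_object_size(ptr, type)
#endif

#define UNKNOWN ((size_t)-1) /* what the type-0 builtins return when unsure */

/* A fixed-size stack buffer: both levels resolve its size. */
size_t stack_buffer_size(void)
{
    char buf[16];
    return __builtin_object_size(buf, 0);
}

/* Level-2 view of a heap buffer sized at runtime.  The volatile read hides
 * the caller's constant, as a real runtime size would be hidden; no constant
 * exists, so the result is UNKNOWN and glibc emits an unchecked copy. */
size_t heap_size_level2(size_t n)
{
    volatile size_t runtime_n = n;
    char *p = malloc(runtime_n);
    size_t size = p ? __builtin_object_size(p, 0) : 0;
    free(p);
    return size;
}

/* Level-3 view of the same buffer: the size expression is the malloc
 * argument itself, so glibc can bound-check a copy into p at runtime. */
size_t heap_size_level3(size_t n)
{
    volatile size_t runtime_n = n;
    char *p = malloc(runtime_n);
    size_t size = p ? __builtin_dynamic_object_size(p, 0) : 0;
    free(p);
    return size;
}

/* The decision a fortified wrapper makes from those sizes: reject the copy
 * only when the destination size is known and too small (1 = rejected). */
int copy_would_be_rejected(size_t dest_size, size_t len)
{
    return dest_size != UNKNOWN && len > dest_size;
}
```

With an older compiler, or without optimization, heap_size_level3() degrades to the level-2 answer (UNKNOWN), which is exactly the coverage gap this Change closes.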
- Contingency mechanism: (What to do? Who will do it?) Packages that fail to work correctly with _FORTIFY_SOURCE=3, either due to bugs that are not immediately resolvable in the package or due to a bug in the compiler or runtime, will be fixed up to continue using _FORTIFY_SOURCE=2. If too many packages are found to be broken at runtime, the default for fortification will be left at _FORTIFY_SOURCE=2 for Fedora 38. Change owner will do this in
- Contingency deadline: 2023-02-07 to decide if the default should be _FORTIFY_SOURCE=2 or not. Beta freeze to switch packages with unresolved bugs related to this, to use
- Blocks release? Yes
- Blocks product? No
More context on