Why does -D_FORTIFY_SOURCE=2 have no effect in my compilation?

I have been adding some "compilation flags" to activate security measures in my binary. And then I check that the measures are implemented using the checksec tool. I have been able to activate all of them except for FORTIFY.

I keep getting

FORTIFY = No, Fortified = 0, Fortifiable = 4

as output from checksec even after compiling with -D_FORTIFY_SOURCE=2

I have to say that I use a common CMakeLists.txt for many binaries and I added the -D_FORTIFY_SOURCE=2 in the global add_compile_options section.

For all the other generated binaries the macro has the expected behavior, that is, the other binaries get "fortified".

I am using gcc 9.3.0, my application is written in C++17 and I compile with -O2.

Does someone have an idea why my binary is not getting fortified?

Thanks in advance.

Fortification done by checksec script is done heuristically: by grepping for _chk symbols in output of readelf --dyn-syms. So it will only be able to detect fortification if

  • your source code contains calls to fortified functions (memset, memcpy, etc.)
  • code has been compiled with optimizations (macro __OPTIMIZE__ is defined and greater than zero)
  • GCC hasn't optimized them to unchecked versions or explicit loops (see e.g. gimple_fold_builtin_memory_chk in gimple-fold.c)

To identify the exact cause of your particular case we'll need an MVCE.
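The heuristic described in the answer above, as an added example that is not part of the original answer and is not checksec's own code: a simplified counter over `readelf --dyn-syms` output. The function list and both symbol tables are constructed assumptions for illustration.

```shell
#!/bin/sh
# Simplified model of the _chk-symbol heuristic; not checksec's actual implementation.
# Reads `readelf --dyn-syms` output on stdin, prints "fortified=N fortifiable=M".
# Assumed subset of libc functions that have a __NAME_chk variant in glibc:
FORTIFIABLE="memcpy memmove memset strcpy strncpy strcat strncat sprintf snprintf fgets read"

count_fortify() {
    awk -v list="$FORTIFIABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) has_chk[a[i]] = 1 }
        $4 == "FUNC" && $7 == "UND" && NF >= 8 {
            name = $8
            sub(/@.*/, "", name)          # drop the @GLIBC_x.y version suffix
            if (name ~ /^__.+_chk$/)      # e.g. __memcpy_chk; excludes __stack_chk_fail
                fortified++
            else if (name in has_chk)     # unchecked call that has a _chk counterpart
                unchecked++
        }
        END { printf "fortified=%d fortifiable=%d\n", fortified, fortified + unchecked }
    '
}

# Constructed sample: four fortifiable imports, none emitted as _chk variants.
sample_unfortified() {
cat <<'EOF'
Symbol table '.dynsym' contains 6 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.2.5 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND snprintf@GLIBC_2.2.5 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (4)
EOF
}

# Constructed sample: two calls kept as _chk variants, two left as unchecked imports.
sample_fortified() {
cat <<'EOF'
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __snprintf_chk@GLIBC_2.3.4 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memset@GLIBC_2.2.5 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (3)
EOF
}

sample_unfortified | count_fortify
sample_fortified | count_fortify
# On a real binary (path is a placeholder): readelf --dyn-syms ./app | count_fortify
```

The first sample reproduces the shape of the report in the question: the fortifiable functions are imported, but no `_chk` symbol is present for the heuristic to find.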
