CompilerFlags

Differences between revisions 1 and 5 (spanning 4 versions)
Revision 1 as of 2008-05-02 21:18:34
Size: 1755
Editor: c-76-105-157-155
Comment: initial pass
Revision 5 as of 2008-05-02 21:49:29
Size: 3371
Editor: c-76-105-157-155
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper:], and DistCompiler. Please attempt to fix a source package's problems before disabling a given compiler feature. This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper], and DistCompiler. Please attempt to fix a source package's problems before disabling a given compiler feature.
Line 5: Line 5:
First enabled in Ubuntu 6.10.
See GccSsp for further details.
First enabled in Ubuntu 6.10.  See GccSsp for further details.  Most problems are related to packages that do not use stdlib directly (kernel modules, certain libraries, etc).
Line 8: Line 7:
Failure example: {{{ Failure examples:
{{{
Line 12: Line 12:
Disabled with {{{-fno-stack-protector}}} or {{{-nostdlib}}}.  {{{
*** stack smashing detected ***
Aborted
}}}
  A function did not correctly maintain its stack variables. Usually indicates a stack buffer overflow.

Disabled with {{{-fno-stack-protector}}} or {{{-nostdlib}}} in {{{CPPFLAGS}}}.
Line 16: Line 22:
First enabled in Ubuntu 8.10. See [:Security/FortifySource:] for more details. First enabled in Ubuntu 8.10. See [:Security/FortifySource] for further details.  Most problems are related to common unsafe uses of certain libc functions.
Line 22: Line 28:
  The return value from {{{system()}}} functions should be evaluated and handled appropriately.
Line 26: Line 33:
  When using {{{open()}}} with {{{O_CREAT}}}, best-practice is to define a valid {{{mode}}} argument.
Line 30: Line 38:
  The call to {{{read()}}} was done into a buffer with the wrong size. Double-check the size argument and the buffer size.
Line 31: Line 40:
Reduced checking via {{{-D_FORTIFY_SOURCE=1}}}. Disabled with {{{-U_FORTIFY_SOURCE}}} or {{{-D_FORTIFY_SOURCE=0}}}.  {{{
warning: passing argument 1 of 'memcpy' discards qualifiers from pointer target type
warning: passing argument 1 of 'strcpy' discards qualifiers from pointer target type
}}}
  Code compiled with {{{-Werror}}} and using memcpy/strcpy/etc with qualifier overrides will fail. This is a bug in glibc 2.7. See [https://launchpad.net/bugs/217481].

 {{{
*** %n in writable segment detected ***
Aborted
}}}
  Use of {{{"%n"}}} in a format string is limited to read-only memory (not stack or heap allocated strings).

 {{{
*** buffer overflow detected ***
Aborted
}}}
  A call to {{{sprintf}}} should be changed to use {{{snprintf}}}, or a too-small buffer was read into (see {{{read()}}} warnings above).

Reduced checking via {{{-D_FORTIFY_SOURCE=1}}} in {{{CPPFLAGS}}}. Disabled with {{{-U_FORTIFY_SOURCE}}} or {{{-D_FORTIFY_SOURCE=0}}} in {{{CPPFLAGS}}}.
Line 35: Line 62:
First enabled in Ubuntu 8.10. These options should only cause FTBFS if the package is compiling with {{{-Werror}}}. First enabled in Ubuntu 8.10. These options should only cause build failures if the package is compiling with {{{-Werror}}}.
Line 42: Line 69:
This is caused by code that fails to use {{{"%s"}}} for a {{{*printf}}} function. For example: {{{
printf(buf);
  This is caused by code that forgot to use {{{"%s"}}} for a {{{*printf}}} function. For example:
  
{{{
fprintf(stderr,buf);
Line 45: Line 73:
should be: {{{
printf("%s",buf);
  should be:
  
{{{
fprintf(stderr,"%s",buf);
Line 49: Line 78:
Disabled with {{{-Wno-format-security}}} or {{{-Wformat=0}}}. Disabled with {{{-Wno-format-security}}} or {{{-Wformat=0}}} in {{{CPPFLAGS}}}.
Line 53: Line 82:
First enabled in Ubuntu 8.10. First enabled in Ubuntu 8.10. This option paves the way for using {{{-z now}}} to further harden long-running programs like daemons.

This page documents the Ubuntu-specific default compiler flags in the toolchain. Based on the work from GccSsp, [:Security/HardeningWrapper], and DistCompiler. Please attempt to fix a source package's problems before disabling a given compiler feature.

-fstack-protector

First enabled in Ubuntu 6.10. See GccSsp for further details. Most problems are related to packages that do not use stdlib directly (kernel modules, certain libraries, etc).

Failure examples:

  • '__stack_chk_fail' symbol not found
    *** stack smashing detected ***
    Aborted
    • A function did not correctly maintain its stack variables. Usually indicates a stack buffer overflow.

Disabled with -fno-stack-protector or -nostdlib in CPPFLAGS.

-D_FORTIFY_SOURCE=2

First enabled in Ubuntu 8.10. See [:Security/FortifySource] for further details. Most problems are related to common unsafe uses of certain libc functions.

Failure examples:

  • error: ignoring return value of 'int system(const char*)', declared with attribute warn_unused_result
    • The return value from system() functions should be evaluated and handled appropriately.

    error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT in second argument needs 3 arguments
    • When using open() with O_CREAT, best-practice is to define a valid mode argument.

    warning: call to ‘__read_chk_warn’ declared with attribute warning: read called with bigger length than size of the destination buffer
    • The call to read() was done into a buffer with the wrong size. Double-check the size argument and the buffer size.

    warning: passing argument 1 of 'memcpy' discards qualifiers from pointer target type
    warning: passing argument 1 of 'strcpy' discards qualifiers from pointer target type
    *** %n in writable segment detected ***
    Aborted
    • Use of "%n" in a format string is limited to read-only memory (not stack or heap allocated strings).

    *** buffer overflow detected ***
    Aborted
    • A call to sprintf should be changed to use snprintf, or a too-small buffer was read into (see read() warnings above).

Reduced checking via -D_FORTIFY_SOURCE=1 in CPPFLAGS. Disabled with -U_FORTIFY_SOURCE or -D_FORTIFY_SOURCE=0 in CPPFLAGS.

-Wformat -Wformat-security

First enabled in Ubuntu 8.10. These options should only cause build failures if the package is compiling with -Werror.

Failure examples:

  • warning: format not a string literal and no format arguments
    • This is caused by code that forgot to use "%s" for a *printf function. For example:

      • fprintf(stderr,buf);
      should be:
      • fprintf(stderr,"%s",buf);

Disabled with -Wno-format-security or -Wformat=0 in CPPFLAGS.

-Wl,-z,relro

First enabled in Ubuntu 8.10. This option paves the way for using -z now to further harden long-running programs like daemons.

No known failure examples.

Disabled with -Wl,-z,norelro in LDFLAGS.

ToolChain/CompilerFlags (last edited 2024-03-22 22:52:13 by eslerm)