-D_FORTIFY_SOURCE=1 protections were added in Android in 4.2, and almost all programs on 4.2 are compiled with FORTIFY_SOURCE enabled.
Some implementation notes, for those curious: - FORTIFY_SOURCE protections are only enabled for applications compiled with gcc. In particiular, llvm does not support<https://android.googlesource.com/platform/bionic.git/+/829c089f83ddee37203b52bcb294867a9ae7bdbc>the gnu_inline function attribute necessary for FORTIFY_SOURCE to work. - FORTIFY_SOURCE protections are only enabled on ARM based systems. MIPS and x86 Android systems do not currently have it enabled. The following Android libc functions are fortified: - bzero - memcpy - memmove - strcpy - strncpy - strcat - strncat - memset - strlcpy (not in GLIBC) - strlcat (not in GLIBC) - strlen (bionic FORTIFY_SOURCE extension. Detect strlen calls on non-null terminated character arrays.) - umask (bionic FORTIFY_SOURCE extension. Detect invalid umask calls. For example: umask(777) instead of umask(0777)) - open - openat - vsnprintf - vsprintf - snprintf - sprintf - fgets FORTIFY_SOURCE was just one of the security hardening measures added in 4.2. A more complete list can be found at http://developer.android.com/about/versions/jelly-bean.html -- Nick On Sun, Nov 18, 2012 at 3:55 AM, Pau Oliva Fora <[email protected]> wrote: > I believe yes, but not sure if support is completed. > > You can check through the git commits for tag android-4.2_r1 here: > > https://android.googlesource.**com/platform/bionic.git/+/**android-4.2_r1<https://android.googlesource.com/platform/bionic.git/+/android-4.2_r1> > > Cheers, > > pof > > > On 11/18/2012 11:05 AM, Jeffrey Walton wrote: > >> Did Android 4.2 add support for FORTIFY_SOURCE=1? >> >> > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To post to this group, send email to android-security-discuss@** > googlegroups.com <[email protected]>. > To unsubscribe from this group, send email to android-security-discuss+** > [email protected]<android-security-discuss%[email protected]> > . > For more options, visit this group at http://groups.google.com/** > group/android-security-**discuss?hl=en<http://groups.google.com/group/android-security-discuss?hl=en> > . > > -- Nick Kralevich | Android Security | [email protected] | 650.214.4037 -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
