You're running into a couple of different problems here. 1) AFAIK, FORTIFY_SOURCE support isn't in the NDK yet. 2) Some of the FORTIFY_SOURCE extensions (i.e., fortified strlen(), strchr(), strrchr(), maybe umask()) were committed after the code freeze for the 4.2* series. They'll be available in a future Android release.
To hack around your problem, you can supply your own implementation of __strlen_chk() in your code. Android's implementation can be found at https://android.googlesource.com/platform/bionic/+/master/libc/bionic/__strlen_chk.cpp On Sat, Jan 26, 2013 at 4:29 AM, Herve Sibert <[email protected]>wrote: > Hi, > > It seems that the latest NDK version does not support this, as building a > native app using the NDK and shared libs from an Android 4.2 device (i.e. > compiled with FORTIFY_SOURCE enabled) fails, mentioning undef references to > some of the related functions (e.g. __strlen_chk). > > Do you confirm this, and if so when will there be an Android NDK that is > compatible with FORTIFY_SOURCE (I can always replace the original libs of > the NDK with those I got from the device, but that's rather a temporary fix) > > Cheers > Hervé > > > On Sunday, November 18, 2012 7:01:58 PM UTC+1, Jeffrey Walton wrote: > >> Awesome job. Thanks. >> >> On Sun, Nov 18, 2012 at 10:40 AM, Nick Kralevich <[email protected]> >> wrote: >> > >> > -D_FORTIFY_SOURCE=1 protections were added in Android in 4.2, and >> almost all >> > programs on 4.2 are compiled with FORTIFY_SOURCE enabled. >> > >> > Some implementation notes, for those curious: >> > >> > FORTIFY_SOURCE protections are only enabled for applications compiled >> with >> > gcc. In particiular, llvm does not support the gnu_inline function >> attribute >> > necessary for FORTIFY_SOURCE to work. >> > FORTIFY_SOURCE protections are only enabled on ARM based systems. MIPS >> and >> > x86 Android systems do not currently have it enabled. >> > >> > The following Android libc functions are fortified: >> > >> > bzero >> > memcpy >> > memmove >> > strcpy >> > strncpy >> > strcat >> > strncat >> > memset >> > strlcpy (not in GLIBC) >> > strlcat (not in GLIBC) >> > strlen (bionic FORTIFY_SOURCE extension. Detect strlen calls on >> non-null >> > terminated character arrays.) >> > umask (bionic FORTIFY_SOURCE extension. Detect invalid umask calls. For >> > example: umask(777) instead of umask(0777)) >> > open >> > openat >> > vsnprintf >> > vsprintf >> > snprintf >> > sprintf >> > fgets >> > >> > FORTIFY_SOURCE was just one of the security hardening measures added in >> 4.2. >> > A more complete list can be found at >> > http://developer.android.com/**about/versions/jelly-bean.html<http://developer.android.com/about/versions/jelly-bean.html> >> > >> > -- Nick >> > >> > On Sun, Nov 18, 2012 at 3:55 AM, Pau Oliva Fora <[email protected]> >> wrote: >> >> >> >> I believe yes, but not sure if support is completed. >> >> >> >> You can check through the git commits for tag android-4.2_r1 here: >> >> >> >> https://android.googlesource.**com/platform/bionic.git/+/** >> android-4.2_r1<https://android.googlesource.com/platform/bionic.git/+/android-4.2_r1> >> >> >> >> Cheers, >> >> >> >> pof >> >> >> >> >> >> On 11/18/2012 11:05 AM, Jeffrey Walton wrote: >> >>> >> >>> Did Android 4.2 add support for FORTIFY_SOURCE=1? >> >>> >> >> >> >> -- >> >> You received this message because you are subscribed to the Google >> Groups >> >> "Android Security Discussions" group. >> >> To post to this group, send email to >> >> android-secu...@**googlegroups.com. >> >> To unsubscribe from this group, send email to >> >> android-security-discuss+**[email protected]. >> >> For more options, visit this group at >> >> http://groups.google.com/**group/android-security-**discuss?hl=en<http://groups.google.com/group/android-security-discuss?hl=en>. >> >> >> >> > >> > >> > >> > -- >> > Nick Kralevich | Android Security | [email protected] | 650.214.4037 >> > >> > -- Nick Kralevich | Android Security | [email protected] | 650.214.4037 -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
