I agree that all the literature and discussion out there states that 
Fortify support was added for 4.2 (for gcc) and 4.4 (for clang).
- NDK GCC Support for Fortify - 
https://developer.android.com/about/versions/jelly-bean.html#android-42.
- NDK Clang Support for Fortify - 
http://source.android.com/devices/tech/security/enhancements44.html

I guess I was questioning whether the compiler flag actually did anything 
in the NDK context.

Did anyone actually dump the symbol table of the compiled binary to verify 
the flag is NOT a no-op?

Empirically speaking, I have seen zero instances of *_chk() calls for code 
that should have been fortified.

On Thursday, September 4, 2014 11:55:30 AM UTC-7, Jeffrey Walton wrote:

> > Android 5.2? Nope...not a release 
> Yeah, typo. 4.2. 
>
> On Thu, Sep 4, 2014 at 2:01 PM, Kristian Erik Hermansen <[email protected]> wrote: 
> > Android 5.2? Nope...not a release 
> > 
> > -- 
> > Regards, 
> > 
> > Kristian Erik Hermansen 
> > https://www.linkedin.com/in/kristianhermansen 
> > 
> > On Sep 4, 2014 10:19 AM, "Jeffrey Walton" <[email protected]> wrote: 
> >> 
> >> > -DFORTIFY_SOURCE=2 
> >> I believe it's -DFORTIFY_SOURCE=1 for Android. 
> >> 
> >> > support was to Clang in 4.4. 
> >> I believe it was added in Android 5.2. I don't believe it depends on 
> >> Clang. 
> >> 
> >> Also see "Android 4.2 and FORTIFY_SOURCE", 
> >> https://groups.google.com/d/msg/android-security-discuss/39oaPaWJX2I/2AqV5Q2wFvYJ.
> >> 
> >> And "Jelly Bean 4.2", 
> >> https://developer.android.com/about/versions/jelly-bean.html#android-42. 
> >> 
> >> Jeff 
> >> 
> >> On Tue, Sep 2, 2014 at 2:40 PM, Edith Kan <[email protected]> wrote: 
> >> > Hello, 
> >> > 
> >> > So my understanding is that FORTIFY_SOURCE support was to Clang in 4.4. 
> >> > 
> >> > I tried to compile the following code (supplied by nnk in a separate 
> >> > thread): 
> >> > 
> >> > https://groups.google.com/forum/#!topic/android-security-discuss/39oaPaWJX2I 
> >> > 
> >> > #include <stdio.h> 
> >> > #include <string.h> 
> >> > 
> >> > int main(int argc, char ** argv) { 
> >> >   char buf[10]; 
> >> >   // Fills all 10 bytes, so buf has no NUL terminator 
> >> >   memcpy(buf, "0123456789", sizeof(buf)); 
> >> >   // The next line will segfault with Android's FORTIFY_SOURCE extensions 
> >> >   size_t buf_len = strlen(buf); 
> >> >   size_t argv0_len = strlen(argv[0]); 
> >> >   printf("%zu %zu\n", buf_len, argv0_len); 
> >> >   return 0; 
> >> > } 
> >> > 
> >> > Modified the Application.mk's LOCAL_CPPFLAGS and LOCAL_CFLAGS to include 
> >> > -DFORTIFY_SOURCE=2.  Then hit ndk-build.bat. 
> >> > 
> >> > When I perform an objdump of the symbol table for the compiled binary I 
> >> > don't see any *_chk method. 
> >> > 
> >> > I tried to compile with clang3.4 and gcc.  Same results. 
> >> > 
> >> > Am I missing something here or is FORTIFY_SOURCE unsupported by NDK? 
> >> > 
> >> > Thanks in advance for any insight! 
>
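
The symbol-table check this message asks about, as an added example that is not part of the original thread: it sorts the imports in an `nm -D` or `objdump -T` style listing into fortified (`__*_chk`) and plain libc calls. The function name, the watch list and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: report fortified (__*_chk) vs. plain libc imports.
# Assumes the symbol name is the last field on each line, as in the
# output of `nm -D <binary>` or `objdump -T <binary>`.
# Watch list: a small, non-exhaustive set chosen for this example.
WATCHED="memcpy memmove memset strcpy strncpy strcat strncat strlen sprintf snprintf"

fortify_report() {
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        NF == 0 { next }
        {
            sym = $NF
            sub(/@.*/, "", sym)          # drop any @version suffix
            if (sym in seen) next        # report each symbol once
            # __stack_chk_fail does not match: stack protector, not FORTIFY.
            if (sym ~ /^__[a-z0-9_]+_chk$/) {
                seen[sym] = 1; chk++; print "fortified " sym
            } else if (sym in want) {
                seen[sym] = 1; plain++; print "plain " sym
            }
        }
        END { printf "summary chk=%d plain=%d\n", chk, plain }
    '
}

# Constructed sample: imports like those described in the thread (no *_chk).
sample_plain() {
    cat <<'EOF'
         U __stack_chk_fail
         U memcpy
         U printf
         U strlen
EOF
}

# Constructed sample: the same program with the strlen() call fortified.
sample_fortified() {
    cat <<'EOF'
         U __stack_chk_fail
         U __strlen_chk
         U memcpy
         U printf
EOF
}

sample_plain | fortify_report
sample_fortified | fortify_report
```

A `chk=0` summary alongside a non-zero `plain` count is the situation the thread describes; a `memcpy` that stays plain in a fortified build is expected when the copy size is a compile-time constant that fits the destination.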
