[Bug c/110168] Security issue on FORTIFY_SOURCE for strcpy function (tested on i386/32 bits)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110168

Xi Ruoyao changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xry111 at gcc dot gnu.org

--- Comment #4 from Xi Ruoyao ---
With GCC-13.1.0 and Glibc-2.37 we have:

$ cc hw.c -D_FORTIFY_SOURCE
In file included from /usr/include/bits/libc-header-start.h:33,
                 from /usr/include/stdio.h:27,
                 from hw.c:1:
/usr/include/features.h:413:4: warning: #warning _FORTIFY_SOURCE requires compiling with optimization (-O) [-Wcpp]
  413 | # warning _FORTIFY_SOURCE requires compiling with optimization (-O)
      |^~~

It's enough to highlight the "issue". If there is no such warning, it's because the downstream distro is doing a stupid thing and the distro maintainer should fix it.

[Bug c/110168] Security issue on FORTIFY_SOURCE for strcpy function (tested on i386/32 bits)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110168

Jakub Jelinek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
                 CC|                            |jakub at gcc dot gnu.org
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #3 from Jakub Jelinek ---
At least -O is intentionally required, without that while e.g. always_inline inline functions are inlined, arguments to them aren't really forward propagated, so __builtin_object_size (x, [01]) would pretty much always return -1, as it couldn't track what the pointer points to.

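The mechanism described in Comment #3, as an added example that is not part of the bug thread and is not glibc's code: a fortify-style strcpy wrapper whose bound check only runs when __builtin_object_size can see the destination's size. All helper names (checked_strcpy, fortified_copy, probe_size, probe_copy) are hypothetical.

```c
/* Added example; helper names are hypothetical, this is not glibc's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BOS_UNKNOWN ((size_t)-1)   /* __builtin_object_size "cannot tell" */

enum copy_result { COPY_CHECKED, COPY_UNCHECKED, COPY_REJECTED };

/* Runtime half of a fortified strcpy: enforce the bound only when the
 * compiler supplied one. */
static enum copy_result checked_strcpy(char *dst, const char *src, size_t dst_size)
{
    if (dst_size == BOS_UNKNOWN) {        /* size not tracked: plain strcpy */
        strcpy(dst, src);
        return COPY_UNCHECKED;
    }
    if (strlen(src) + 1 > dst_size)       /* would overflow: refuse the copy */
        return COPY_REJECTED;             /* (glibc's __strcpy_chk aborts here) */
    strcpy(dst, src);
    return COPY_CHECKED;
}

/* Compile-time half: an always_inline wrapper, so the builtin is evaluated
 * in the caller, where the destination's size may be visible. */
static inline __attribute__((always_inline))
enum copy_result fortified_copy(char *dst, const char *src)
{
    return checked_strcpy(dst, src, __builtin_object_size(dst, 1));
}

static inline __attribute__((always_inline))
size_t size_seen_through_wrapper(char *dst)
{
    return __builtin_object_size(dst, 1);
}

size_t probe_size(void) { char buf[8]; return size_seen_through_wrapper(buf); }

enum copy_result probe_copy(const char *src)   /* src must fit in 8 bytes */
{
    char buf[8];
    return fortified_copy(buf, src);
}

int main(void)
{
    printf("object size seen: %zu\n", probe_size());
    printf("copy of \"hi\": %s\n",
           probe_copy("hi") == COPY_CHECKED ? "checked" : "unchecked");
    return 0;
}
```

Building this once without -O and once with -O2 and comparing the two lines of output shows whether the size reached the wrapper in each build.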
[Bug c/110168] Security issue on FORTIFY_SOURCE for strcpy function (tested on i386/32 bits)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110168

--- Comment #2 from José Ramón Méndez Reboredo ---
I have checked it. And you are right. Source fortification is only enabled when using -O* options (optimization).

I also checked that the usage of the option -D_FORTIFY_SOURCE=1 is not enough to enable it (-O* is required).

I do not know if -O* should be mandatory for this purpose. I'm afraid we should close this ticket/bug (feel free to do it). Perhaps we could close this one and create another one stating that optimization options should not be required to enable code fortification.

Thanks for your time.

Best regards.

[Bug c/110168] Security issue on FORTIFY_SOURCE for strcpy function (tested on i386/32 bits)
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110168

Sam James changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sjames at gcc dot gnu.org

--- Comment #1 from Sam James ---
Please note that:
1. _FORTIFY_SOURCE does nothing without optimisation;
2. you're not explicitly enabling _F_S here - I know Debian patches it on (we do in Gentoo too), but for bug reports, it's best to be explicit.