From Fedora Project Wiki

Revision as of 15:50, 5 December 2022


Add _FORTIFY_SOURCE=3 to distribution build flags

Summary

Replace the current _FORTIFY_SOURCE=2 with _FORTIFY_SOURCE=3 to improve mitigation of security issues arising from buffer overflows in packages in Fedora.

Owner

Current status

  • Targeted release: Fedora 38
  • Last updated: 2022-12-05
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

The default C and C++ compiler flags used to build packages in Fedora currently include -Wp,-D_FORTIFY_SOURCE=2, which enables fortification of some functions in glibc and thus provides some mitigation against buffer overflows. Since glibc 2.34 and GCC 12, a new fortification level (_FORTIFY_SOURCE=3) has been available that improves the coverage of this mitigation.

The core change to bring in this mitigation is to change the default build flags in redhat-rpm-config so that packages build by default with -Wp,-D_FORTIFY_SOURCE=3. There are packages (e.g. systemd) that do not interact well with _FORTIFY_SOURCE and will also need a workaround to downgrade fortification to level 2. The change will also include this override.

Benefit to Fedora

Analysis of packages in Fedora rawhide indicates that the improvement in mitigation coverage is on average over 2.4x, in some cases protecting more than half of the fortified glibc calls in the target application.

This change will thus harden Fedora to a significant extent, making it a more secure distribution out of the box.

Scope

  • Proposal owners:

Post a merge request to redhat-rpm-config with the actual change to build flags.

  • Other developers:

Resolve bugs filed for build failures, either by fixing the bug exposed by _FORTIFY_SOURCE=3 or by disabling _FORTIFY_SOURCE=3 for the package if it is a false positive or if the package is unable to adapt to the change.

  • Policies and guidelines: None

Guidelines should include a workaround for packages that fail to build with -Wp,-D_FORTIFY_SOURCE=3 due to a false positive.

  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

No ABI change, so there should be no impact on compatibility in a mixed environment.

How To Test

  • Use fortify-metrics to get compiler-level metrics of the coverage improvement.
  • Smoke testing of packages to ensure that they continue to work correctly. Some packages may have overflows exposed at runtime, which may need to be fixed.
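A practical check for the build-flag change described above and for the per-package downgrade mentioned under Scope: confirm which _FORTIFY_SOURCE level a given set of compiler flags actually produces. This is an added example, not code from the Change page or from redhat-rpm-config; the flag strings are constructed for illustration, and the -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=N form is an assumption about how a package would override the distribution default.

```shell
#!/bin/sh
# Added example: compute the effective _FORTIFY_SOURCE level from a CFLAGS string.
# Preprocessor -D/-U options apply left to right, so a later -U_FORTIFY_SOURCE or
# -D_FORTIFY_SOURCE=N wins over an earlier one, whether written directly or
# wrapped in a -Wp,... option that GCC passes through to the preprocessor.

fortify_level() {
    level=0
    for tok in $1; do
        case "$tok" in
            # -Wp,a,b,c carries comma-separated preprocessor options
            -Wp,*) opts=$(printf '%s' "${tok#-Wp,}" | tr ',' ' ') ;;
            *)     opts=$tok ;;
        esac
        for o in $opts; do
            case "$o" in
                -D_FORTIFY_SOURCE=*) level=${o#-D_FORTIFY_SOURCE=} ;;
                -D_FORTIFY_SOURCE)   level=1 ;;   # bare -D defines the macro as 1
                -U_FORTIFY_SOURCE)   level=0 ;;   # undefined: no fortification
            esac
        done
    done
    printf '%s\n' "$level"
}

# Constructed flag strings (assumed, not copied from redhat-rpm-config):
# the current default, the proposed Fedora 38 default, and a package that
# appends its own downgrade to level 2 after the distribution flags.
F37='-O2 -flto=auto -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-strong'
F38='-O2 -flto=auto -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -fstack-protector-strong'
PKG="$F38 -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"

for f in "$F37" "$F38" "$PKG"; do
    printf 'level %s: %s\n' "$(fortify_level "$f")" "$f"
done
```

On a real Fedora system the flag string to feed in is the output of rpm --eval '%{build_cflags}' from the package's build environment.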


User Experience

No noticeable change to users.

Dependencies

None.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) If too many packages are found to be broken at runtime, the default for fortification will be left at _FORTIFY_SOURCE=2 for Fedora 38. The Change owner will do this in redhat-rpm-config.
  • Contingency deadline: Beta freeze
  • Blocks release? Yes
  • Blocks product? No

Documentation

TODO

Release Notes