gcc FORTIFY_SOURCE application security flags
Baesken, Matthias
matthias.baesken at sap.com
Fri May 3 15:12:51 UTC 2019
Hello.
maybe some of you are aware of the gcc FORTIFY_SOURCE application security flags.
Developers can enable compile and also runtime checks for some string / memory related operations with the flag.
See details :
https://access.redhat.com/blogs/766093/posts/1976213
Have you tried already those flags in the OpenJDK ?
One issue I experienced when using the flag (-D_FORTIFY_SOURCE=2) is that in case that a runtime issue is detected,
no hs_err file is written , only a "*** buffer overflow detected ***" + backtrace + Memory map output is written, looks like this :
*** buffer overflow detected ***: <my-path>/bin/java terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f5b500b7177]
/lib64/libc.so.6(+0xe8e10)[0x7f5b500b4e10]
/lib64/libc.so.6(+0xe8109)[0x7f5b500b4109]
/lib64/libc.so.6(_IO_default_xsputn+0x85)[0x7f5b5003f705]
/lib64/libc.so.6(_IO_vfprintf+0x18e)[0x7f5b5000f0ce]
/lib64/libc.so.6(__vsprintf_chk+0x9d)[0x7f5b500b41ad]
/lib64/libc.so.6(__sprintf_chk+0x80)[0x7f5b500b40f0]
........
======= Memory map: ========
c0000000-c0700000 rw-p 00000000 00:00 0
.....
I would prefer to get a hs_err file, do you know a way to get this in context of the gcc flag _FORTIFY_SOURCE ?
In case this is not possible, the flag might not be useful any more for OpenJDK .
Maybe the gcc7 flags for memory error detection
https://developers.redhat.com/blog/2017/02/22/memory-error-detection-using-gcc/
might provide an alternative solution - are they already enabled by default ?
Thanks, Matthias
More information about the build-dev
mailing list