gcc FORTIFY_SOURCE application security flags

[Erik Joelsson]

Hello Matthias,

We have tried to use it before but later removed it. See 
https://bugs.openjdk.java.net/browse/JDK-8050803

/Erik

On 2019-05-03 08:12, Baesken, Matthias wrote:
>
>
> Hello.
>      maybe some of you are aware of the gcc  FORTIFY_SOURCE application security flags.
> Developers can enable compile and also runtime checks for some string / memory related operations with the flag.
>
> See details :
> https://access.redhat.com/blogs/766093/posts/1976213
>
> Have you tried already those flags in the OpenJDK ?
>
> One issue I experienced when using the flag  (-D_FORTIFY_SOURCE=2) is that in case that a runtime issue is detected,
> no hs_err file is written , only a "*** buffer overflow detected ***"  + backtrace + Memory map  output is written, looks like this :
>
>
> *** buffer overflow detected ***: <my-path>/bin/java terminated
> ======= Backtrace: =========
> /lib64/libc.so.6(__fortify_fail+0x37)[0x7f5b500b7177]
> /lib64/libc.so.6(+0xe8e10)[0x7f5b500b4e10]
> /lib64/libc.so.6(+0xe8109)[0x7f5b500b4109]
> /lib64/libc.so.6(_IO_default_xsputn+0x85)[0x7f5b5003f705]
> /lib64/libc.so.6(_IO_vfprintf+0x18e)[0x7f5b5000f0ce]
> /lib64/libc.so.6(__vsprintf_chk+0x9d)[0x7f5b500b41ad]
> /lib64/libc.so.6(__sprintf_chk+0x80)[0x7f5b500b40f0]
>
> ........
> ======= Memory map: ========
> c0000000-c0700000 rw-p 00000000 00:00 0
> .....
>
>
>
> I would prefer to get a hs_err file, do you know a way to get this in context of the gcc flag _FORTIFY_SOURCE ?
>
> In case this is not possible, the flag might not be useful any more for OpenJDK .
> Maybe the   gcc7 flags for memory error detection
>
> https://developers.redhat.com/blog/2017/02/22/memory-error-detection-using-gcc/
>
> might provide an alternative solution - are they already enabled by default ?
>
>
> Thanks, Matthias