# What is it?

This is a [standalone implementation](https://git.2f30.org/fortify-headers/) of
[fortify source](http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html).
It provides compile-time buffer checks.
It is libc-agnostic and simply overlays the system headers by using the
[`#include_next`](https://gcc.gnu.org/onlinedocs/cpp/Wrapper-Headers.html)
extension found in GCC, and
[black magic](https://github.com/jvoisin/fortify-headers/commit/fe149628eaae9748be08815d726cc56e8e492c73)
on Clang. It was initially intended to be used on
[musl](http://www.musl-libc.org/)-based
[Linux distributions](https://git.alpinelinux.org/aports/commit/?id=067a4f28825478911bb62be3b8da758d9722753e).


# Features

- It is portable: it works on \*BSD, Linux, Solaris and possibly others.
- It will only trap non-conformant programs.  This means that fortify
  level 2 is treated in the same way as level 1.
- It avoids making function calls once undefined behaviour has already been
  invoked.  This is handled by using `__builtin_trap()`.
- Support for out-of-bounds read interfaces, such as send(), write(),
  fwrite() etc.
- No ABI is enforced.  All of the fortify check functions are inlined
  into the resulting binary.
- It has a [comprehensive suite of tests](https://github.com/jvoisin/fortify-headers/tree/master/tests),
  running both on Clang and on GCC for every commit, with
  [significant coverage](https://jvoisin.github.io/fortify-headers/).
- Defining `USE_NATIVE_CHK` will make use of the compiler-provided builtin `_chk`
  functions, which might be a bit better in terms of diagnostics,
  but won't necessarily provide the same amount of security checks.
- Defining `PEDANTIC_CHECKS` will enable pedantic checks that, while technically
  correct, might break some programs relying on widely accepted
  undefined behaviours.

# Sample usage

If you want to quickly test it, you can try something like the following:

```sh
cat > fgets.c <<EOF
#include <stdio.h>
int
main(void)
{
	char buf[BUFSIZ];
	/* deliberately one byte larger than the buffer */
	fgets(buf, sizeof(buf) + 1, stdin);
	return 0;
}
EOF
# The fortify include dir must come before the system headers in the search path,
# so that its overlay headers are picked up first.
cc -I<path-to-fortify-include-dir> -D_FORTIFY_SOURCE=1 -O1 fgets.c
./a.out
```

At this point, the program will safely crash: the fortified `fgets` sees that
the requested size exceeds `buf` and traps before the out-of-bounds write can
happen.
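The overlay mechanism described in the Features section and exercised by the sample above, as a single-file sketch added here (example code, not fortify-headers' own): a `fortified_fgets` wrapper that asks the compiler for the destination's object size and traps on mismatch. It assumes a macro for the redirection (upstream uses a different mechanism and `#include_next`), and the helper names `fortify_fgets_overflows`, `local_buffer_object_size` and `readme_sample_would_trap` are hypothetical.

```c
/* Added example, not fortify-headers' own code: a single-file sketch of how
 * an overlay stdio.h fortifies fgets(). Upstream pulls the libc header with
 * #include_next; here the system header is included directly and a macro
 * does the redirection, so the file compiles stand-alone. */
#include <stdio.h>
#include <stddef.h>

/* The check itself, separated from the trap so it can be exercised without
 * aborting. bos == (size_t)-1 means the compiler could not see the object;
 * the wrapper must then stay silent to avoid false positives. */
static inline int
fortify_fgets_overflows(size_t n, size_t bos)
{
	return bos != (size_t)-1 && n > bos;
}

/* The wrapper an overlay header would provide. always_inline keeps
 * __builtin_object_size() attached to the caller's buffer, which is why the
 * README's sample build passes -O1: without inlining the size is unknown
 * and the check degrades to a plain fgets() call. */
static inline __attribute__((always_inline)) char *
fortified_fgets(char *s, int n, FILE *stream)
{
	size_t bos = __builtin_object_size(s, 0);

	if (n > 0 && fortify_fgets_overflows((size_t)n, bos))
		__builtin_trap();	/* no libc call once UB has been invoked */
	return fgets(s, n, stream);
}
#define fgets(s, n, stream) fortified_fgets(s, n, stream)

/* What the compiler knows about a local array at the call site: sizeof(buf)
 * when the object is visible, (size_t)-1 otherwise. */
size_t
local_buffer_object_size(void)
{
	char buf[64];
	return __builtin_object_size(buf, 0);
}

/* The README's fgets.c, evaluated without running it: does the wrapper's
 * check fire for fgets(buf, sizeof(buf) + 1, stdin)? 1 when the compiler
 * sees the buffer, 0 if its size is unknown in this build. */
int
readme_sample_would_trap(void)
{
	char buf[BUFSIZ];
	return fortify_fgets_overflows(sizeof(buf) + 1, __builtin_object_size(buf, 0));
}
```

Whether `local_buffer_object_size()` reports 64 or "unknown" depends on the compiler and optimization level, which is exactly the caveat behind the `-O1` in the sample build.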


# Supported interfaces

- `FD_CLR`
- `FD_SET`
- `bcopy`
- `bzero`
- `calloc`
- `confstr`
- `fdopen`
- `fgets`
- `fgetws`
- `fmemopen`
- `fopen`
- `fprintf`
- `fread`
- `fwrite`
- `getcwd`
- `getdomainname`
- `getgroups`
- `gethostname`
- `getlogin_r`
- `malloc`
- `mbsnrtowcs`
- `mbsrtowcs`
- `mbstowcs`
- `memchr`
- `memcpy`
- `memmove`
- `mempcpy`
- `memset`
- `poll`
- `popen`
- `ppoll`
- `pread`
- `printf`
- `pwrite`
- `qsort`
- `read`
- `readlink`
- `readlinkat`
- `realloc`
- `reallocarray`
- `realpath`
- `recv`
- `recvfrom`
- `select`
- `send`
- `sendto`
- `snprintf`
- `sprintf`
- `stpcpy`
- `stpncpy`
- `strcat`
- `strchr`
- `strcpy`
- `strlcat`
- `strlcpy`
- `strlen`
- `strncat`
- `strncpy`
- `strrchr`
- `tmpfile`
- `ttyname_r`
- `umask`
- `vfprintf`
- `vprintf`
- `vsnprintf`
- `vsprintf`
- `wcrtomb`
- `wcscat`
- `wcscpy`
- `wcsncat`
- `wcsncpy`
- `wcsnrtombs`
- `wcsrtombs`
- `wcstombs`
- `wctomb`
- `wmemcpy`
- `wmemmove`
- `wmemset`
- `write`