compiler/gcc: _FORTIFY_SOURCE=1 doesn't mean compile-time only checks

_FORTIFY_SOURCE=1 differs from _FORTIFY_SOURCE=2 only in the bounds
checking mode that it uses.

With _FORTIFY_SOURCE=1, bounds checks are 'loose', allowing access to the
whole underlying object, not just the subset referenced in the expression
(e.g., the bounds of a struct member are the whole struct, not just the
member).

With _FORTIFY_SOURCE=2, bounds checks are strict, meaning that the bounds
of an expression are limited to the referenced value.

Both of these perform their checks at runtime, calling _chk_fail if the
bounds check fails. That's done in the __*_chk functions included in the C
library. These are always called when _FORTIFY_SOURCE > 0, unless the
compiler replaces the call with inline code.

GCC already does all of the compile-time bounds checking for string and mem
functions when not using -ffreestanding, so there's nothing we need to add
for that to work. That means the security_fortify_compile_time property
should be empty.

Signed-off-by: Keith Packard <keithp@keithp.com>
diff --git a/cmake/compiler/gcc/compiler_flags.cmake b/cmake/compiler/gcc/compiler_flags.cmake
index 5b1dbde..a118fbe 100644
--- a/cmake/compiler/gcc/compiler_flags.cmake
+++ b/cmake/compiler/gcc/compiler_flags.cmake
@@ -169,9 +169,11 @@
 
 if(NOT CONFIG_NO_OPTIMIZATIONS)
   # _FORTIFY_SOURCE: Detect common-case buffer overflows for certain functions
-  # _FORTIFY_SOURCE=1 : Compile-time checks (requires -O1 at least)
-  # _FORTIFY_SOURCE=2 : Additional lightweight run-time checks
-  set_compiler_property(PROPERTY security_fortify_compile_time _FORTIFY_SOURCE=1)
+  # _FORTIFY_SOURCE=1 : Loose checking (use wide bounds checks)
+  # _FORTIFY_SOURCE=2 : Tight checking (use narrow bounds checks)
+  # GCC always does compile-time bounds checking for string/mem functions, so
+  # there's no additional value to set here
+  set_compiler_property(PROPERTY security_fortify_compile_time)
   set_compiler_property(PROPERTY security_fortify_run_time _FORTIFY_SOURCE=2)
 endif()
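
Review bot: The new comment above the empty `set_compiler_property(PROPERTY security_fortify_compile_time)` drops the condition the commit message gives, namely that GCC only does these compile-time checks "when not using -ffreestanding". Please state that in the comment so the empty property is not read as unconditional. It would also help to note here that a build selecting the compile-time property now gets no _FORTIFY_SOURCE define at all, and so none of the __*_chk runtime calls the message describes for _FORTIFY_SOURCE > 0. Separately, the property names still say compile_time/run_time while the rewritten comments describe loose versus tight bounds, and nothing in this hunk maps to _FORTIFY_SOURCE=1 any more. Either remove the `=1` comment line or say how loose checking can be selected.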