Bug 10491

Summary: Cannot output security warning when compiled with buildroot cross compilers
Product: buildroot Reporter: Jason.fang <jasonvfang>
Component: OtherAssignee: unassigned
Status: RESOLVED INVALID    
Severity: critical CC: buildroot
Priority: P5    
Version: 2013.11   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:

Description Jason.fang 2017-11-10 06:56:48 UTC 
I met a requirements, the executable binary must pass the checking by https://github.com/slimm609/checksec.sh,

so I enabled following build configurations for my toolchain gcc:

_D_FORTIFY_SOURCE=2  -Wl,-z,relro,-z,now -fstack-protector-all 

but it didn't output any warning msgs during the compiling, while it showed properly warning msg when i use host gcc build.

below were my build logs:
=====================================

jason@linux-server:~/tmp/test$ 
jason@linux-server:~/tmp/test$ /opt/buildroot-gcc463/usr/bin/mipsel-buildroot-linux-uclibc-gcc -Wall -O2 -D_FORTIFY_SOURCE=2  -Wl,-z,relro,-z,now -fstack-protector-all -fpie -pie test.c -o testjason 

there were no any warning output.

While in host x86 gcc:
jason@linux-server:~/tmp/test$ 
jason@linux-server:~/tmp/test$ gcc  -Wall -O2 -D_FORTIFY_SOURCE=2  -Wl,-z,relro,-z,now -fstack-protector-all -fpie -pie test.c -o testjason 
In file included from /usr/include/string.h:640:0,
                 from test.c:2:
In function ‘memcpy’,
    inlined from ‘main’ at test.c:28:8:
/usr/include/x86_64-linux-gnu/bits/string3.h:51:3: warning: call to __builtin___memcpy_chk will always overflow destination buffer [enabled by default]
   return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
   ^
In function ‘memset’,
    inlined from ‘main’ at test.c:35:8:
/usr/include/x86_64-linux-gnu/bits/string3.h:84:3: warning: call to __builtin___memset_chk will always overflow destination buffer [enabled by default]
   return __builtin___memset_chk (__dest, __ch, __len, __bos0 (__dest));
   ^
jason@linux-server:~/tmp/test$ 
=======================================


for build toolchain, I enabled libssp only in package/gcc/gcc.mk file:

HOST_GCC_COMMON_CONF_OPT = \
        --target=$(GNU_TARGET_NAME) \
        --with-sysroot=$(STAGING_DIR) \
        --disable-__cxa_atexit \
        --with-gnu-ld \
        --enable-libssp \
        --disable-multilib \
        --with-gmp=$(HOST_DIR)/usr \
        --with-mpfr=$(HOST_DIR)/usr
Comment 1 Arnout Vandecappelle 2017-11-11 09:18:48 UTC 
The warning you are looking for is supposed to be triggered by -D_FORTIFY_SOURCE=2.

Fortify is a bit special: it requires support both in the compiler and in libc. GCC has this support since 4.0, but uClibc and musl don't have support for Fortify at all. Thus, there is no way that -D_FORTIFY_SOURCE=2 is going to work with uClibc.

When support for Fortify will land in core Buildroot, it will depend on a glibc toolchain.

See also the discussion in http://patchwork.ozlabs.org/patch/830253/