Fedora 38 To Beef Up Its Compiler Fortification Defenses
In addition to Fedora 38 now allowing "no-omit-frame-pointer" to enhance profiling/debugging with possible performance costs, this next Fedora Linux release is also planning to use "_FORTIFY_SOURCE=3" compiler defenses to further bolster security.
The _FORTIFY_SOURCE=3 level allows detecting more buffer overflows and other possible security issues. GCC 12 and Glibc 2.34 have supported the _FORTIFY_SOURCE=3 level for detecting more problems at compile-time and run-time, and the feature is in good enough shape that FESCo has approved fortify source level three replacing level two as a default compiler setting. Developers believe the improved security coverage from _FORTIFY_SOURCE=3 is well worth the small performance overhead and code size increase of the new level.
The Fedora Engineering and Steering Committee has granted the change proposal to use "_FORTIFY_SOURCE=3" as part of the default compiler flags when building packages to help mitigate security issues, though some packages will revert to _FORTIFY_SOURCE=2, as packages like systemd currently have issues with the higher fortification level.
Red Hat / Fedora developers believe that the increased fortification level improves mitigation coverage by a factor of 2.4x, in some cases protecting more than half of the fortified glibc calls in target applications. Fedora isn't the first to engage _FORTIFY_SOURCE=3 at a distribution level: openSUSE ALP is using the new level by default, and Gentoo's hardened profile is also likely to use this new level.
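The extra coverage comes from how each level learns a destination buffer's size: level 2 relies on __builtin_object_size (compile-time constants only), while level 3 relies on __builtin_dynamic_object_size, which can also carry a run-time expression such as a malloc() length. The following is an added illustration, not code from Fedora, glibc or the original article; the struct, helper and function names are made up for the example, and the level 3 heap result requires GCC 12+ or Clang 9+ with optimization enabled (otherwise the size stays unknown).

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#define SIZE_UNKNOWN ((size_t)-1)
/* Level 3 builtin (GCC 12+, Clang 9+); older compilers fall back to the level 2 one. */
#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define DYN_OBJECT_SIZE(p) __builtin_dynamic_object_size((p), 0)
# endif
#endif
#ifndef DYN_OBJECT_SIZE
# define DYN_OBJECT_SIZE(p) __builtin_object_size((p), 0)
#endif
struct coverage {
    size_t l2_size, l3_size;     /* destination size each level can see */
    int l2_catches, l3_catches;  /* would a write_len-byte write be rejected? */
};

static struct coverage judge(size_t l2, size_t l3, size_t write_len)
{
    struct coverage c = { l2, l3,
        l2 != SIZE_UNKNOWN && write_len > l2,
        l3 != SIZE_UNKNOWN && write_len > l3 };
    return c;
}

/* Fixed-size stack buffer: the size is a compile-time constant. */
struct coverage probe_stack(size_t write_len)
{
    char buf[16];
    return judge(__builtin_object_size(buf, 0), DYN_OBJECT_SIZE(buf), write_len);
}

/* Heap buffer whose length is only known at run time. */
struct coverage probe_heap(size_t alloc_len, size_t write_len)
{
    volatile size_t runtime_len = alloc_len;   /* defeat constant propagation */
    char *buf = malloc(runtime_len);
    struct coverage c = judge(__builtin_object_size(buf, 0), DYN_OBJECT_SIZE(buf), write_len);
    free(buf);
    return c;
}

int main(void)
{
    struct coverage s = probe_stack(32), h = probe_heap(16, 32);
    printf("stack l2=%d l3=%d | heap l2=%d l3=%d\n", s.l2_catches, s.l3_catches, h.l2_catches, h.l3_catches);
    return 0;
}
```

Built with `-O2` on a supporting compiler, the heap case reports the over-long write as caught only at level 3; the stack case is caught at both levels.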
More details on this increased security change are available via the Fedora Wiki. Over on the Red Hat Developer Blog is more information in general on this higher fortification level with GCC.