Fedora 38 To Beef Up Its Compiler Fortification Defenses

Written by Michael Larabel in Fedora on 4 January 2023 at 09:00 AM EST. 42 Comments
In addition to Fedora 38 now allowing "no-omit-frame-pointer" to enhance profiling/debugging with possible performance costs, this next Fedora Linux release is also planning to use "_FORTIFY_SOURCE=3" compiler defenses to further bolster security.

The _FORTIFY_SOURCE=3 level allows detecting more buffer overflows and other possible security issues. GCC 12 and Glibc 2.34 have supported the _FORTIFY_SOURCE=3 level for detecting more problems at compile-time and run-time while is in good enough shape that FESCo has approved of fortify source level three replacing level two as a default compiler setting. Developers believe the improved security coverage from _FORTIFY_SOURCE=3 is well worth the small performance overhead cost and code size increase of the new level.

The Fedora Engineering and Steering Committee has granted the change proposal to use "_FORTIFY_SOURCE=3" as part of the default compiler flags when building packages to help in mitigating security issues. Though some packages will revert to _FORTIFY_SOURCE=2 as packages like systemd currently have issues with the higher fortification level.

Red Hat / Fedora developers believe that the increased fortification level improves mitigation coverage by a factor of 2.4x and in some cases protecting more than half of the fortified glibc calls in target applications. Fedora isn't the first to engage _FORTIFY_SOURCE=3 at a distribution level but openSUSE ALP is using the new level by default and Gentoo's hardened profile is also likely to use this new level too.

More details on this increased security change via the Fedora Wiki. Over on the Red Hat Developer Blog is more information in general on this higher fortification level with GCC.
Related News
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week