Disable FORTIFY_SOURCE=3 and switch back to ...=2?
Hi all, I failed to find instructions on how to revert the change to FORTIFY_SOURCE=3 for a single package. I thought there was a thread on the factory list, but fail to find it again. I did not find anything regarding FORTIFY_SOURCE=3 in the wiki, the only page I found was this: https://en.opensuse.org/openSUSE:Build_system_recipes
The %configure macro will set CFLAGS, CXXFLAGS, FFLAGS to %optflags if they have not been previously set. To add in your own flags, put on a line before %configure:
export CPPFLAGS="-Dpreprocessor_options -Ihere"
But apparently setting the CPPFLAGS like this overrides all of the previously set flags, and does not only add something (as Dominique pointed out in SR#1005907). Maybe someone can enlighten me on how to properly revert FORTIFY_SOURCE=3? :-) Thanks in advance! Kind Regards, Johannes -- Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On Tue, Sep 27, 2022 at 08:22:05AM +0200, Johannes Kastl wrote:
Hi all,
I failed to find instructions on how to revert the change to FORTIFY_SOURCE=3 for a single package. I thought there was a thread on the factory list, but fail to find it again.
I did not find anything regarding FORTIFY_SOURCE=3 in the wiki, the only page I found was this: https://en.opensuse.org/openSUSE:Build_system_recipes
The %configure macro will set CFLAGS, CXXFLAGS, FFLAGS to %optflags if they have not been previously set. To add in your own flags, put on a line before %configure:
export CPPFLAGS="-Dpreprocessor_options -Ihere"
But apparently setting the CPPFLAGS like this overrides all of the previously set flags, and does not only add something (as Dominique pointed out in SR#1005907).
Maybe someone can enlighten me on how to properly revert FORTIFY_SOURCE=3? :-)
try export RPM_OPT_FLASG="$RPM_OPT_FLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" or export CLAGS="%optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" at begin of %build section? Ciao, Marcus
On Tuesday 2022-09-27 08:22, Johannes Kastl wrote:
I did not find anything regarding FORTIFY_SOURCE=3 in the wiki, the only page I found was this: https://en.opensuse.org/openSUSE:Build_system_recipes
The %configure macro will set CFLAGS, CXXFLAGS, FFLAGS to %optflags if they have not been previously set. To add in your own flags, put on a line before %configure:
export CPPFLAGS="-Dpreprocessor_options -Ihere"
But apparently setting the CPPFLAGS like this overrides all of the previously set flags,
Well that's good, isn't it? You wanted to override the fortify3. Anyway.. There are limitations everywhere. * %configure puts -D_FORTIFY_SOURCE=3 into CXXFLAGS, which is not the nicest place to put it, but it is what it is. * To meaningfully override a(ny) setting, the _same_ variable that was originally modified needs to be adjusted. Since %configure puts -D_FORTIFY_SOURCE=3 into CXXFLAGS as per the above, it is CXXFLAGS that needs to be extended with -D_FORTIFY_SOURCE=2. This does not invalidate the general recommendation for CPPFLAGS when that works out. As to why -D_FORTIFY_SOURCE=3 shows up in CXXFLAGS not CPPFLAGS: * The placement is a result of rpm not making a distinction between CPPFLAGS and CXXFLAGS. * In fact, rpm does not even distinguish between CFLAGS, CXXFLAGS and FFLAGS, because it lumps everything into %optflags. (Meaning we can't add C++-only -W flags to %optflags.) Thirdly, the ordering between CPPFLAGS and C(XX)FLAGS was already received attention, cf. https://mail.gnu.org/archive/html/automake/2022-03/msg00000.html Result: can't rely on a particular order today, unfortunately. End result: %build export CFLAGS="%optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" export CXXFLAGS="$CFLAGS" %configure
Hi Marcus, thanks for the fast reply. On 27.09.22 at 09:18 Marcus Meissner wrote:
Maybe someone can enlighten me on how to properly revert FORTIFY_SOURCE=3? :-)
try
export RPM_OPT_FLASG="$RPM_OPT_FLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
That did not work, even when I fixed the typo ("FLASG"). :-)
export CLAGS="%optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
at begin of %build section?
That does not work either (when using "CFLAGS" instead of "CLAGS"). It also does not work when moving the %optflags to the end. The resulting gcc call has both arguments (FORTIFY_SOURCE=2 and FORTIFY_SOURCE=3) and it seems the FORTIFY_SOURCE=3 wins...
gcc -DHAVE_CONFIG_H -I. -I.. -Wall -ggdb -D_GNU_SOURCE -DSBINDIR=\"\" -pthread -I/usr/include/fuse -D_FILE_OFFSET_BITS=64 -DLIBDIR=\"/usr/lib64\" -DRUNTIME_PATH=\"/run\" -O2 -Wall -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -Werror=return-type -flto=auto -g -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
But your recommendations lead me to something that does the trick:
%build # disable FORTIFY_SOURCE=3 and switch back to FORTIFY_SOURCE=2 CFLAGS_NEW="%optflags" CFLAGS="${CFLAGS_NEW/FORTIFY_SOURCE=3/FORTIFY_SOURCE=2}" echo "CFLAGS is set to $CFLAGS" export CFLAGS
Not nice, but working. :-) Kind Regards, Johannes P.S.: I just found out that the error with lxc and lxcfs was not related to FORTIFY_SOURCE=3, as it still fails to build using FORTIFY_SOURCE=2. But I am one step further to getting them fixed... -- Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On 27.09.22 at 09:49 Johannes Kastl wrote:
On 27.09.22 at 09:18 Marcus Meissner wrote:
export RPM_OPT_FLASG="$RPM_OPT_FLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
That did not work, even when I fixed the typo ("FLASG"). :-)
export CLAGS="%optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2"
That does not work either (when using "CFLAGS" instead of "CLAGS"). It also does not work when moving the %optflags to the end.
Both variants might have worked, but the build failed. But apparently due to other reasons that I found out later, when I got a solution that only had FORTIFY_SOURCE=2 and still failed. Sorry for any confusion...
P.S.: I just found out that the error with lxc and lxcfs was not related to FORTIFY_SOURCE=3, as it still fails to build using FORTIFY_SOURCE=2. But I am one step further to getting them fixed...
-- Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Hi Jan, thanks for the detailled explanation. On 27.09.22 at 09:44 Jan Engelhardt wrote:
End result:
%build export CFLAGS="%optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" export CXXFLAGS="$CFLAGS" %configure
That looks a lot nicer than what I came up with. I was just surprised that I can have both options in the call and gcc picks one of them (the latter one wins, I guess). That puzzled me... Kind Regards, Johannes -- Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
On Sep 27 2022, Johannes Kastl wrote:
Hi Jan,
thanks for the detailled explanation.
On 27.09.22 at 09:44 Jan Engelhardt wrote:
End result: %build export CFLAGS="%optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" export CXXFLAGS="$CFLAGS" %configure
Or put it directly in optflags: %global optflags %optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 That should then be picked up automatically everywhere it matters. -- Andreas Schwab, SUSE Labs, schwab@suse.de GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7 "And now for something completely different."
On 27.09.22 at 10:32 Andreas Schwab wrote:
Or put it directly in optflags:
%global optflags %optflags -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
That should then be picked up automatically everywhere it matters.
Thanks Andreas, that also looks like a nice solution. Kind Regards, Johannes -- Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
Hi Cristian, On 27.09.22 at 16:45 Cristian Rodríguez wrote:
On Tue, Sep 27, 2022 at 3:22 AM Johannes Kastl <kastl@b1-systems.de> wrote:
Hi all,
I failed to find instructions on how to revert the change to FORTIFY_SOURCE=3
Just wondering.. which buggy code breaks that you need to revert it ?
As stated in the solved mail, I thought the build failed due to FORTIFY_SOURCE=3, but it turned out that it also failed with FORTIFY_SOURCE=2. :-( Kind Regards, Johannes -- Johannes Kastl Linux Consultant & Trainer Tel.: +49 (0) 151 2372 5802 Mail: kastl@b1-systems.de B1 Systems GmbH Osterfeldstraße 7 / 85088 Vohburg http://www.b1-systems.de GF: Ralph Dehner Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
participants (5)
-
Andreas Schwab -
Cristian Rodríguez -
Jan Engelhardt -
Johannes Kastl -
Marcus Meissner