build: use _FORTIFY

fanquake commented at 3:34 pm on February 2, 2023: member

glibc 2.33 introduced a new fortification level, _FORTIFY_SOURCE=3. It improves the coverage of cases where _FORTIFY_SOURCE can use _chk functions.

For example, using GCC 13 and glibc 2.36 (Fedora Rawhide), compiling master:

 0nm -C src/bitcoind | grep _chk
 1                 U __fprintf_chk@GLIBC_2.17
 2                 U __memcpy_chk@GLIBC_2.17
 3                 U __snprintf_chk@GLIBC_2.17
 4                 U __sprintf_chk@GLIBC_2.17
 5                 U __stack_chk_fail@GLIBC_2.17
 6                 U __stack_chk_guard@GLIBC_2.17
 7                 U __vsnprintf_chk@GLIBC_2.17
 8
 9objdump -d src/bitcoind | grep "_chk@plt" | wc -l
1033

vs this branch:

 0nm -C src/bitcoind | grep _chk
 1                 U __fprintf_chk@GLIBC_2.17
 2                 U __memcpy_chk@GLIBC_2.17
 3                 U __memset_chk@GLIBC_2.17
 4                 U __snprintf_chk@GLIBC_2.17
 5                 U __sprintf_chk@GLIBC_2.17
 6                 U __stack_chk_fail@GLIBC_2.17
 7                 U __stack_chk_guard@GLIBC_2.17
 8                 U __vsnprintf_chk@GLIBC_2.17
 9
10objdump -d src/bitcoind | grep "_chk@plt" | wc -l
1161

Usage of level 3 requires LLVM/Clang 9+, or GCC 12+. Older compilers/glibc will still use _FORTIFY_SOURCE=2. For example, in the glibc we currently use for Linux release builds (2.24), __USE_FORTIFY_LEVEL is determined using the following:

 0#if defined _FORTIFY_SOURCE && _FORTIFY_SOURCE > 0
 1# if !defined __OPTIMIZE__ || __OPTIMIZE__ <= 0
 2#  warning _FORTIFY_SOURCE requires compiling with optimization (-O)
 3# elif !__GNUC_PREREQ (4, 1)
 4#  warning _FORTIFY_SOURCE requires GCC 4.1 or later
 5# elif _FORTIFY_SOURCE > 1
 6#  define __USE_FORTIFY_LEVEL 2
 7# else
 8#  define __USE_FORTIFY_LEVEL 1
 9# endif
10#endif
11#ifndef __USE_FORTIFY_LEVEL
12# define __USE_FORTIFY_LEVEL 0
13#endif

so any value > 1 will turn on _FORTIFY_SOURCE=2. This value detection logic has become slightly more complex in later versions of glibc.

https://sourceware.org/pipermail/libc-alpha/2021-February/122207.html https://developers.redhat.com/blog/2021/04/16/broadening-compiler-checks-for-buffer-overflows-in-_fortify_source

DrahtBot commented at 3:34 pm on February 2, 2023: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type	Reviewers
ACK	theuni
Concept ACK	john-moffett, TheCharlatan

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

DrahtBot added the label Build system on Feb 2, 2023

hebasto commented at 3:42 pm on February 2, 2023: member

https://sourceware.org/pipermail/libc-alpha/2021-February/122207.html:

At this level, glibc may use additional checks that may have an additional performance overhead.

Any estimations of the mentioned “additional performance overhead” for our binaries?

theuni commented at 8:33 pm on February 2, 2023: member

Hahaha, I was just poking at this myself today.

FYI support has been recently proposed to mingw as well: https://sourceforge.net/p/mingw-w64/mailman/message/37772473/

At this level, glibc may use additional checks that may have an additional performance overhead.

Any estimations of the mentioned “additional performance overhead” for our binaries?

This was my hesitation as well. It’d be nice to have a before/after for our benches at least.

Edit: Concept ACK, btw. And ACK after a quick bench shows it doesn’t tank performace.

john-moffett commented at 9:42 pm on February 2, 2023: contributor

Concept ACK

Yeah, I ran the benchmarks before and after with both a Linux (GCC) and macOS (Clang) build and couldn’t see a significant change, not that I was expecting it on macOS at least. I may try more extensive measurements soon.

theuni commented at 9:00 pm on February 3, 2023: member

In order to test this, I decided to try out the recommended fortify metrics plugin for gcc.

I spent all day tracking down a bug in the plugin (PR’d what I believe to be the fix here). Next week I’ll use it to gather some statistics on _FORTIFY_SOURCE=2 vs =3.

It will also be usable to test how much additional fortification we’d get if we built depends that way as well.

fanquake commented at 3:34 pm on February 5, 2023: member

Hahaha, I was just poking at this myself today.

heh. I had just sent a doc change up to glibc before opening: https://github.com/bminor/glibc/commit/1423a26a488aae1c6fa7210e20c147a242f40f47.

FYI support has been recently proposed to mingw as well:

Looks like this has gone in https://github.com/mirror/mingw-w64/commit/e34c747fa6a3fb1def1518d1953a7ba516d24ab1.

Note I’ve also opened #27038 to add a sanity check that foritification (like other haardneing) is being used in the release binaries.

TheCharlatan commented at 9:49 am on February 14, 2023: contributor

Concept ACK

Ran this on Ubuntu 22.04 with glibc 2.35 and clang 14. Also did not observe a significant slowdown of the benchmarks. On master:

0objdump -d src/bitcoind | grep "_chk@plt" | wc -l
1...
236

This branch:

0objdump -d src/bitcoind | grep "_chk@plt" | wc -l
1...
276

build: use _FORTIFY_SOURCE=3

glibc 2.33 introduced a new fortification level, _FORTIFY_SOURCE=3.
Which improves the coverage of cases where _FORTIFY_SOURCE can use _chk
functions. For example, using GCC 13 and glibc 2.36 (Fedora Rawhide),
compiling master:
```bash
nm -C src/bitcoind | grep _chk
                 U __fprintf_chk@GLIBC_2.17
                 U __memcpy_chk@GLIBC_2.17
                 U __snprintf_chk@GLIBC_2.17
                 U __sprintf_chk@GLIBC_2.17
                 U __stack_chk_fail@GLIBC_2.17
                 U __stack_chk_guard@GLIBC_2.17
                 U __vsnprintf_chk@GLIBC_2.17

objdump -d src/bitcoind | grep "_chk@plt" | wc -l
33
```

vs this branch:
```bash
nm -C src/bitcoind | grep _chk
                 U __fprintf_chk@GLIBC_2.17
                 U __memcpy_chk@GLIBC_2.17
                 U __memset_chk@GLIBC_2.17
                 U __snprintf_chk@GLIBC_2.17
                 U __sprintf_chk@GLIBC_2.17
                 U __stack_chk_fail@GLIBC_2.17
                 U __stack_chk_guard@GLIBC_2.17
                 U __vsnprintf_chk@GLIBC_2.17

objdump -d src/bitcoind | grep "_chk@plt" | wc -l
61
```

Usage of level 3 requires LLVM/Clang 9+, or GCC 12+. Older
compilers/glibc will still use _FORTIFY_SOURCE=2. For example, in the
glibc we currently use for Linux release builds (2.24), FORTIFY_LEVEL is
determined using the following:
```c
```
so any value > 1 will turn on _FORTIFY_SOURCE=2.

https://sourceware.org/pipermail/libc-alpha/2021-February/122207.html
https://developers.redhat.com/blog/2021/04/16/broadening-compiler-checks-for-buffer-overflows-in-_fortify_source

4faa4e37a6

fanquake force-pushed on Feb 17, 2023

theuni commented at 3:18 pm on February 17, 2023: member

ACK 4faa4e37a6511c6ada303ef7929ac99c7462f083. After playing with this quite a bit I didn’t observe any noticeable pitfalls.

I’d expect this to matter more in low-level code, so I’m interested to see how much #27118 affects the numbers.

fanquake merged this on Feb 20, 2023

fanquake closed this on Feb 20, 2023

fanquake deleted the branch on Feb 20, 2023

sidhujag referenced this in commit 80d6385ec3 on Feb 25, 2023

maflcko commented at 9:37 am on March 2, 2023: member

This triggered https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56529 ?

kristapsk commented at 9:26 am on March 8, 2023: contributor

On my Gentoo system with GCC 11.3.1 and glibc 2.36 this now gives me these warnings for each .cpp file when building Bitcoin Core:

 0  CXX      bitcoind-bitcoind.o
 1In file included from /usr/lib/gcc/x86_64-pc-linux-gnu/11/include/g++-v11/x86_64-pc-linux-gnu/bits/os_defines.h:39,
 2                 from /usr/lib/gcc/x86_64-pc-linux-gnu/11/include/g++-v11/x86_64-pc-linux-gnu/bits/c++config.h:586,
 3                 from /usr/lib/gcc/x86_64-pc-linux-gnu/11/include/g++-v11/bits/stl_algobase.h:59,
 4                 from /usr/lib/gcc/x86_64-pc-linux-gnu/11/include/g++-v11/memory:63,
 5                 from ./chainparamsbase.h:8,
 6                 from ./chainparams.h:9,
 7                 from bitcoind.cpp:10:
 8/usr/include/features.h:424:5: warning: #warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform [-Wcpp]
 9  424 | #   warning _FORTIFY_SOURCE > 2 is treated like 2 on this platform
10      |     ^~~~~~~

kristapsk commented at 9:35 am on March 8, 2023: contributor

This triggered https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56529 ?

What’s there?

fanquake commented at 11:04 am on March 8, 2023: member

This triggered https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=56529 ?

It will have been #27118 that triggered it. I can’t look at this in more detail right now, but will by next week. It’s possible that this is already fixed, and there is a patch/similar we can drop into depends.

On my Gentoo system with GCC 11.3.1 and glibc 2.36 this now gives me these warnings for each .cpp file when building Bitcoin Core

Looks like that’s because you’re using GCC 11.x, which doesn’t support >=3 (it is supported with Clang >= 9). Somewhat annoying that glibc is going to warn like that, but they are also harmless, and fortification (level 2) is still being applied.

kristapsk commented at 11:16 am on March 8, 2023: contributor

Looks like that’s because you’re using GCC 11.x, which doesn’t support >=3 (it is supported with Clang >= 9). Somewhat annoying that glibc is going to warn like that, but they are also harmless, and fortification (level 2) is still being applied.

Could we somehow detect this at configure stage and apply fortification 3 only if it is supported?

bitcoin locked this on Mar 7, 2024

build: use _FORTIFY_SOURCE=3 #27027

Reviews