FORTIFY_SOURCE
In September 2004, Jakub Jelinek, from Red Hat,
sent patches
to both glibc and gcc, implementing FORTIFY_SOURCE
, “a lightweight buffer overflow protection to
some memory and string function”, based on annotations for the former, using
the newly added (in the latter) builtin __builtin_object_size
. The
implementation came with two levels, 1
and 2
, adding more coverage at the
price of maybe more performances impact.
This feature was enabled in OpenSUSE in 2005, Fedora in 2007, Ubuntu in 2008, Debian in 2011, …
In February 2021, the glibc 2.33 was released,
implementing FORTIFY_SOURCE=3
, based on the new builtin
__builtin_dynamic_object_size
, significantly increasing the coverage
by giving access to object sizes not only at compile-time, but at run-time as
well.
It was enabled in Fedora and OpenSUSE in 2023.
OpenBSD’s libc doesn’t have any FORTIFY_SOURCE
annotations.