According to https://man.openbsd.org/NetBSD-8.1/security.7#FORTIFY_SOURCE
OpenBSD implements glibc bounds checking on certain functions. I am
trying to detect FORTIFY_SOURCE without looking up operating system
names and versions.

The following code works for Linux, but fails under OpenBSD (it is
part of an autoconf test):

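    #include <string.h>
    int main(int argc, char** argv)
    {
      char msg[16];
      /* Alternative probe, disabled: */
      /* strcpy(msg, argv[0]); */
      /* return (int)(msg[0] & ~msg[1]); */
      /* Unchecked copy into a fixed-size buffer, so a fortifying
         toolchain can substitute the _chk variant. */
      memcpy(msg, argv[0], strlen(argv[0]));
      return msg[0] != msg[strlen(argv[0])-1];
    }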

I then compile it and scan for the fortified function call:

    if $CC -D_FORTIFY_SOURCE=2 $CPPFLAGS -O2 $CFLAGS fortify_test.c -o fortify_test.exe;
    then
      count=`readelf --relocs fortify_test.exe | grep -i -c '_chk'`
      if test "$count" -ne 0; then
        AC_MSG_RESULT([yes]); NSD_CPPFLAGS="$NSD_CPPFLAGS -D_FORTIFY_SOURCE=2"
      else
        AC_MSG_RESULT([no])
      fi
    fi

The problem is, OpenBSD is not using the fortified function even
though the destination buffer size can be deduced:

    $ readelf --relocs fortify_test.exe | grep -i -c '_chk'
    0

And:

    $ readelf --relocs fortify_test.exe

    Relocation section '.rela.dyn' at offset 0x488 contains 2 entries:
      Offset          Info           Type           Sym. Value    Sym. Name + Addend
    000000002168  000000000008 R_X86_64_RELATIVE                    00000000000013e0
    000000002160  000300000006 R_X86_64_GLOB_DAT 0000000000000000 _Jv_RegisterClasses + 0

    Relocation section '.rela.plt' at offset 0x4b8 contains 7 entries:
      Offset          Info           Type           Sym. Value    Sym. Name + Addend
    000000002188  000100000007 R_X86_64_JUMP_SLO 0000000000000000 _csu_finish + 0
    000000002190  000200000007 R_X86_64_JUMP_SLO 0000000000000000 exit + 0
    000000002198  000300000007 R_X86_64_JUMP_SLO 0000000000000000 _Jv_RegisterClasses + 0
    0000000021a0  000400000007 R_X86_64_JUMP_SLO 0000000000000000 atexit + 0
    0000000021a8  000500000007 R_X86_64_JUMP_SLO 0000000000000000 strlen + 0
    0000000021b0  000600000007 R_X86_64_JUMP_SLO 0000000000000000 memcpy + 0
    0000000021b8  000700000007 R_X86_64_JUMP_SLO 0000000000000000 __stack_smash_handler + 0

I expect to see memcpy_chk or strcpy_chk.

Do I have a misunderstanding of OpenBSD's implementation?

If someone could point out what is wrong I would greatly appreciate it.
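
The relocation scan described above, as an added example that is not part of the original post: it extracts the imported symbol names and matches only the `_chk` variants of the probed functions, because a bare `grep '_chk'` also counts glibc's `__stack_chk_fail` when the stack protector is on. The function names `reloc_symbols` and `fortify_status` and the glibc-style sample lines are constructed for this example; the OpenBSD lines are taken from the output in the post.

```sh
#!/bin/sh
# Added example. Sample relocation text below is constructed, except the
# OpenBSD lines, which are copied from the readelf output in the post.

# Print every symbol named in `readelf --relocs` text on stdin. The name is the
# field before the "+ addend" column, so a name wrapped onto its own line works.
reloc_symbols() {
  awk '{ for (i = 2; i <= NF; i++) if ($i == "+") { n = $(i - 1); sub(/@.*/, "", n); print n } }'
}

# Classify the probe's imports (the probe calls memcpy or strcpy):
#   checked       a *_chk variant of a probed function is imported
#   plain         only the unchecked function is imported
#   inconclusive  neither is imported (call inlined or optimised away)
fortify_status() {
  syms=$(reloc_symbols)
  if printf '%s\n' "$syms" | grep -Eq '^_*(memcpy|strcpy)_chk$'; then
    echo checked
  elif printf '%s\n' "$syms" | grep -Eq '^(memcpy|strcpy)$'; then
    echo plain
  else
    echo inconclusive
  fi
}

sample_openbsd() { cat <<'EOF'
0000000021a8  000500000007 R_X86_64_JUMP_SLO 0000000000000000 strlen + 0
0000000021b0  000600000007 R_X86_64_JUMP_SLO 0000000000000000 memcpy + 0
0000000021b8  000700000007 R_X86_64_JUMP_SLO 0000000000000000
__stack_smash_handler + 0
EOF
}

sample_glibc() { cat <<'EOF'
000000003fc8  000300000007 R_X86_64_JUMP_SLO 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
000000003fd0  000400000007 R_X86_64_JUMP_SLO 0000000000000000 __memcpy_chk@GLIBC_2.3.4 + 0
EOF
}

sample_stack_only() { cat <<'EOF'
000000003fc0  000200000007 R_X86_64_JUMP_SLO 0000000000000000 strlen@GLIBC_2.2.5 + 0
000000003fc8  000300000007 R_X86_64_JUMP_SLO 0000000000000000 __stack_chk_fail@GLIBC_2.4 + 0
EOF
}

for s in sample_openbsd sample_glibc sample_stack_only; do
  printf '%s: %s\n' "$s" "$("$s" | fortify_status)"
done
```

In a configure test, feed it with `readelf --relocs fortify_test.exe | fortify_status` and enable `-D_FORTIFY_SOURCE=2` only on `checked`.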
