libpsl-native: Fix _FORTIFY_SOURCE macros (#88)

disconnect3d · andyleejordan · web-flow · commit af5359bf7ecc · 2023-01-05T14:19:18.000-08:00
This commit fixes the mistake in the `_FORTIFY_SOURCE` macro where it was not prefixed with underscore while it has to be (see e.g. https://github.com/search?q=repo%3Abminor%2Fglibc%20FORTIFY_SOURCE&type=code). Additionally, to make this macro add extra security, one has to enable optimizations. I am not sure if the build system enables them, but it is worth double checking that as well. Overall, I would recommend using `-D_FORTIFY_SOURCE=3` with `-O2` or `-O3`. (The fortify source level 3 was added recently and you can read more about it here: https://developers.redhat.com/blog/2021/04/16/broadening-compiler-checks-for-buffer-overflows-in-_fortify_source). Remove superfluous `-O2` flag, since CMake adds `-O3` for `Release` builds anyway. Co-authored-by: Andy Jordan <andy.jordan@microsoft.com>
diff --git a/src/libpsl-native/CMakeLists.txt b/src/libpsl-native/CMakeLists.txt
@@ -3,7 +3,7 @@ project(PSL-NATIVE)
 
 # Can't use add_compile_options with 2.8.11
 set(CMAKE_BUILD_TYPE "Release")
-set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -Wall -Werror -fstack-protector-strong -fpie -DFORTIFY_SOURCE=2 -O2")
+set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -Wall -Werror -fstack-protector-strong -fpie -D_FORTIFY_SOURCE=2")
 
 if (${CMAKE_SYSTEM_NAME} MATCHES "Linux")
     set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,relro,-z,now")
diff --git a/src/libpsl-native/arm.toolchain.cmake b/src/libpsl-native/arm.toolchain.cmake
@@ -1,7 +1,7 @@
 set(CMAKE_SYSTEM_NAME Linux)
 set(CMAKE_SYSTEM_VERSION 1)
 set(CMAKE_SYSTEM_PROCESSOR armv7l)
-set(CMAKE_CXX_COMPILER arm-linux-gnueabihf-g++ -fstack-protector-strong -fpie -DFORTIFY_SOURCE=2 -O2)
+set(CMAKE_CXX_COMPILER arm-linux-gnueabihf-g++ -fstack-protector-strong -fpie -D_FORTIFY_SOURCE=2)
 set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-z,relro,-z,now")
 set(CMAKE_C_COMPILER arm-linux-gnueabihf-gcc)
 
diff --git a/src/libpsl-native/arm64.toolchain.cmake b/src/libpsl-native/arm64.toolchain.cmake
@@ -1,7 +1,7 @@
 set(CMAKE_SYSTEM_NAME Linux)
 set(CMAKE_SYSTEM_VERSION 1)
 set(CMAKE_SYSTEM_PROCESSOR aarch64)
-set(CMAKE_CXX_COMPILER aarch64-linux-gnu-g++ -fstack-protector-strong -fpie -DFORTIFY_SOURCE=2 -O2)
+set(CMAKE_CXX_COMPILER aarch64-linux-gnu-g++ -fstack-protector-strong -fpie -D_FORTIFY_SOURCE=2)
 set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-z,relro,-z,now")
 set(CMAKE_C_COMPILER aarch64-linux-gnu-gcc)
 
