More README updates
This commit is contained in:
parent
c0815c880d
commit
cebacfb06e
51
README
51
README
@ -3,22 +3,44 @@ What is it?
|
|||||||
|
|
||||||
This is a standalone implementation of fortify source[0]. It is libc-agnostic
|
This is a standalone implementation of fortify source[0]. It is libc-agnostic
|
||||||
and simply overlays the system headers by using the #include_next extension found
|
and simply overlays the system headers by using the #include_next extension found
|
||||||
in GCC and clang. It was initially designed to be used on musl[1] based Linux
|
in GCC and clang. It was initially intended to be used on musl[1] based Linux
|
||||||
distributions.
|
distributions.
|
||||||
|
|
||||||
|
|
||||||
Features
|
Features
|
||||||
========
|
========
|
||||||
|
|
||||||
- It is portable, works on *BSD and Linux systems.
|
- It is portable, works on *BSD, Linux and possibly other systems.
|
||||||
- It will only trap non-conformant programs. This means that fortify
|
- It will only trap non-conformant programs. This means that fortify
|
||||||
level 2 is treated in the same way as level 1.
|
level 2 is treated in the same way as level 1.
|
||||||
- Avoids making function calls when UB has already been invoked. This
|
- Avoids making function calls when UB has already been invoked. This
|
||||||
is handled by using __builtin_trap().
|
is handled by using __builtin_trap().
|
||||||
- Support for out-of-bounds read interfaces, such as send(), write(),
|
- Support for out-of-bounds read interfaces, such as send(), write(),
|
||||||
fwrite() etc.
|
fwrite() etc.
|
||||||
- No ABI is enforced. All of the check functions are inlined into the
|
- No ABI is enforced. All of the fortify check functions are inlined
|
||||||
resulting binary.
|
into the resulting binary.
|
||||||
|
|
||||||
|
|
||||||
|
Sample usage
|
||||||
|
============
|
||||||
|
|
||||||
|
A plan for integrating fortify into a system is still under discussion.
|
||||||
|
If you want to quickly test it, you can try something like the following:
|
||||||
|
|
||||||
|
cat > fgets.c <<EOF
|
||||||
|
#include <stdio.h>
|
||||||
|
int
|
||||||
|
main(void)
|
||||||
|
{
|
||||||
|
char buf[BUFSIZ];
|
||||||
|
fgets(buf, sizeof(buf) + 1, stdin);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
cc -I<path-to-fortify-include-dir> -D_FORTIFY_SOURCE=1 -O1 fgets.c
|
||||||
|
./a.out
|
||||||
|
|
||||||
|
At this point, the program will crash.
|
||||||
|
|
||||||
|
|
||||||
Supported interfaces
|
Supported interfaces
|
||||||
@ -84,26 +106,5 @@ wmemset
|
|||||||
write
|
write
|
||||||
|
|
||||||
|
|
||||||
Sample usage
|
|
||||||
============
|
|
||||||
|
|
||||||
A plan for integrating fortify into a system is still under discussion.
|
|
||||||
If you want to quickly test it, you can try something like the following:
|
|
||||||
|
|
||||||
cat > fgets.c <<EOF
|
|
||||||
#include <stdio.h>
|
|
||||||
int
|
|
||||||
main(void)
|
|
||||||
{
|
|
||||||
char buf[BUFSIZ];
|
|
||||||
fgets(buf, sizeof(buf) + 1, stdin);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
EOF
|
|
||||||
cc -I<path-to-fortify-include-dir> -D_FORTIFY_SOURCE=1 -O1 fgets.c
|
|
||||||
./a.out
|
|
||||||
|
|
||||||
At this point, the program will crash.
|
|
||||||
|
|
||||||
[0] http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
|
[0] http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
|
||||||
[1] http://www.musl-libc.org/
|
[1] http://www.musl-libc.org/
|
||||||
|
Loading…
Reference in New Issue
Block a user