configure: Use FORTIFY_SOURCE=3 when hardening is enabled
authorTheodore Ts'o <tytso@mit.edu>
Thu, 25 Apr 2024 17:23:55 +0000 (13:23 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Thu, 25 Apr 2024 17:23:55 +0000 (13:23 -0400)
FORTIFY_SOURCE=3 provides much more robust checks for buffer overruns
and other memory bugs[1].  It requires gcc 12 and glibc 2.34 which
should be available on most modern distributions (which are the ones
that use --enable-hardening).

[1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
configure
configure.ac

index 2ffbc60..866eca2 100755 (executable)
--- a/configure
+++ b/configure
@@ -1596,7 +1596,7 @@ Optional Features:
   --enable-bsd-shlibs     select BSD shared libraries
   --enable-profile        build profiling libraries
   --enable-gcov           build for coverage testing using gcov
-  --enable-hardening      build for coverage testing using gcov
+  --enable-hardening      build with hardening flags such as fortify
   --enable-jbd-debug      enable journal debugging
   --enable-blkid-debug    enable blkid debugging
   --disable-testio-debug  disable the use of the test I/O manager for
@@ -5961,7 +5961,7 @@ if test ${enable_hardening+y}
 then :
   enableval=$enable_hardening; if test "$enableval" = "yes"
 then
-       HARDEN_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong"
+       HARDEN_CFLAGS="-D_FORTIFY_SOURCE=3 -fstack-protector-strong"
        HARDEN_LDFLAGS="-Wl,-z,relro -Wl,-z,now"
        CFLAGS="$CFLAGS $HARDEN_CFLAGS -fPIE"
        CFLAGS_SHLIB="$CFLAGS_SHLIB $HARDEN_CFLAGS"
index e4a17b9..cc20403 100644 (file)
@@ -365,10 +365,10 @@ CFLAGS_STLIB="${CFLAGS_STLIB:-$CFLAGS}"
 LDFLAGS_SHLIB=${LDFLAGS_SHLIB:-$LDFLAGS}
 LDFLAGS_STATIC=${LDFLAGS_STATIC:-$LDFLAGS}
 AC_ARG_ENABLE([hardening],
-AS_HELP_STRING([--enable-hardening],[build for coverage testing using gcov]),
+AS_HELP_STRING([--enable-hardening],[build with hardening flags such as fortify]),
 if test "$enableval" = "yes"
 then
-       HARDEN_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong"
+       HARDEN_CFLAGS="-D_FORTIFY_SOURCE=3 -fstack-protector-strong"
        HARDEN_LDFLAGS=["-Wl,-z,relro -Wl,-z,now"]
        CFLAGS="$CFLAGS $HARDEN_CFLAGS -fPIE"
        CFLAGS_SHLIB="$CFLAGS_SHLIB $HARDEN_CFLAGS"
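Review bot: The new `HARDEN_CFLAGS` assignment in configure.ac defines `_FORTIFY_SOURCE=3` unconditionally, with no probe that the compiler and libc meet the gcc 12 / glibc 2.34 requirement the commit message states. A build on an older toolchain may therefore end up with a lower fortification level than `--enable-hardening` suggests, without configure reporting it. The define is also appended after whatever `$CFLAGS` already holds, so a toolchain or user CFLAGS that predefines `_FORTIFY_SOURCE` would likely trigger a redefinition warning; `HARDEN_CFLAGS="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong"` avoids that. A short comment above the assignment stating the minimum toolchain, and that fortification only takes effect when optimisation is enabled, would help the next maintainer. The `AC_ARG_ENABLE` block continues past the end of this hunk, and the matching line in the generated `configure` would follow from regenerating it.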