CME-116
FORTIFY_SOURCE (Buffer Overflow Detection)
Description
Compile-time and runtime detection of buffer overflows in common C library functions (memcpy, strcpy, sprintf, read, etc.). At compile time, the compiler replaces standard library calls with bounds-checked variants when buffer sizes are known. At runtime, remaining checks abort the process when a buffer overflow is detected. FORTIFY_SOURCE level 2 checks all detectable overflows; level 3 (GCC 12+) extends coverage to dynamically-sized buffers and flexible array members. Catches many integer-overflow-to-buffer-overflow chains where the overflowed size value is passed to a libc copy function.
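The following is an added example, not code from the CME-116 entry: a miniature of the mechanism FORTIFY_SOURCE installs. With `_FORTIFY_SOURCE` defined and optimisation enabled, glibc's headers turn a `memcpy(dst, src, n)` call into `__builtin___memcpy_chk(dst, src, n, __builtin_object_size(dst, 0))`, and the `_chk` variant aborts when `n` exceeds the destination size the compiler recorded. The hypothetical `checked_memcpy()` and `FORTIFIED_MEMCPY` below follow that contract but report an outcome instead of aborting, so the three cases the description implies can be observed: an in-bounds copy, the integer-overflow-to-buffer-overflow chain where a wrapped pre-check lets an oversized length reach the copy, and the caveat that a destination reached through an opaque pointer has no size to check against. The `SAMPLE` buffer and length values are constructed.

```c
/* Added example (not part of the CME-116 entry): a miniature of the
 * FORTIFY_SOURCE mechanism.  glibc rewrites memcpy(dst, src, n) into
 *     __builtin___memcpy_chk(dst, src, n, __builtin_object_size(dst, 0))
 * and __memcpy_chk aborts when n exceeds the recorded destination size.
 * checked_memcpy() (hypothetical) follows that contract but reports instead. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* __builtin_object_size(p, 0) yields (size_t)-1 when the size is not knowable. */
#define OBJSZ_UNKNOWN ((size_t)-1)

enum copy_result {
    COPY_OK        = 0,   /* destination size known, n fits: copied                  */
    COPY_BLOCKED   = -1,  /* destination size known, n too large: refused (libc aborts) */
    COPY_UNCHECKED = 1,   /* destination size unknown: copied with no bound at all    */
    COPY_GUARDED   = 2    /* the application's own length check rejected the copy     */
};

/* Runtime half, modelled on __memcpy_chk: dst_size was captured at the call site. */
static int checked_memcpy(void *dst, const void *src, size_t n, size_t dst_size)
{
    if (dst_size == OBJSZ_UNKNOWN) {
        memcpy(dst, src, n);              /* nothing to check against */
        return COPY_UNCHECKED;
    }
    if (n > dst_size)
        return COPY_BLOCKED;              /* glibc calls __chk_fail() here */
    memcpy(dst, src, n);
    return COPY_OK;
}

/* Compile-time half: the macro asks the compiler for the destination's size
 * at the call site, which is the only place that information exists. */
#define FORTIFIED_MEMCPY(dst, src, n) \
    checked_memcpy((dst), (src), (n), __builtin_object_size((dst), 0))

/* Constructed 256-byte source so every read below stays in bounds. */
static const unsigned char SAMPLE[256] = { 'A' };

/* Ordinary in-bounds copy: the check passes at the cost of one comparison. */
int demo_in_bounds(void)
{
    char buf[16];
    return FORTIFIED_MEMCPY(buf, SAMPLE, 8);
}

/* The integer-overflow-to-buffer-overflow shape: a length field from a
 * (constructed) message header is range-checked with arithmetic that wraps,
 * so the guard passes and the oversized length reaches memcpy.  The fortify
 * check at the copy still compares n = 248 against the 16-byte buffer. */
int demo_wrapped_length(void)
{
    char buf[16];
    uint8_t len = 0xF8;                     /* untrusted length field: 248 */
    uint8_t needed = (uint8_t)(len + 16);   /* wraps to 8 */
    if (needed > sizeof buf)
        return COPY_GUARDED;                /* intended guard; not taken */
    return FORTIFIED_MEMCPY(buf, SAMPLE, len);
}

/* Caveat: through an opaque pointer the compiler has no size to record, so the
 * copy runs unchecked.  noinline keeps the size hidden even at -O2. */
static __attribute__((noinline)) int copy_via_pointer(char *dst, size_t n)
{
    return FORTIFIED_MEMCPY(dst, SAMPLE, n);
}

int demo_unknown_size(void)
{
    char buf[16];
    return copy_via_pointer(buf, 8);        /* in bounds, but no check was possible */
}

int main(void)
{
    printf("in-bounds copy      : %d\n", demo_in_bounds());
    printf("wrapped-length copy : %d\n", demo_wrapped_length());
    printf("opaque-pointer copy : %d\n", demo_unknown_size());
    return 0;
}
```

The third case is the practical limit of the protection: every copy whose destination is only known through a pointer parameter, a heap allocation of unknown size, or a flexible array member falls outside level 2, which is what level 3's `__builtin_dynamic_object_size` coverage is meant to narrow.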
CVSS Vector Impacts
| Metric | Transition | Rationale |
|---|---|---|
| Attack Complexity (AC) | L → H | Buffer overflows in instrumented libc functions are detected and the process is terminated before attacker-controlled data overwrites adjacent memory; exploitation requires finding an uninstrumented copy path or a non-libc buffer operation |
CWE Relationships
Verification
Check that system packages are compiled with _FORTIFY_SOURCE=2 or higher
$ rpm -q --queryformat "%{OPTFLAGS}" redhat-rpm-config 2>/dev/null | grep -o "_FORTIFY_SOURCE=[0-9]"
# Expected: _FORTIFY_SOURCE=2
Platform: rhel
$ readelf -s /usr/bin/ls | grep -c '__.*_chk'
# Expected: non-zero count indicates fortified functions (the pattern is quoted so the shell does not glob-expand it)
Platform: linux
$ objdump -d /usr/bin/coreutils 2>/dev/null | grep -c __memcpy_chk || objdump -d /usr/bin/ls | grep -c __memcpy_chk
# Expected: non-zero count
Platform: linux