git: 13184a69faa7 - main - build: provide a FORTIFY_SOURCE.<src file> override
Date: Wed, 17 Jun 2026 22:40:54 UTC
The branch main has been updated by kevans:
URL: https://cgit.FreeBSD.org/src/commit/?id=13184a69faa700319ab16357cd39708a0e89fc15
commit 13184a69faa700319ab16357cd39708a0e89fc15
Author: Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2026-06-17 22:40:46 +0000
Commit: Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2026-06-17 22:40:46 +0000
build: provide a FORTIFY_SOURCE.<src file> override

For native files we can do more minimal fixes to avoid this large of a
hammer, but for third party files it may not be worth the effort to try
and patch them. NetBSD has the original _FORTIFY_SOURCE implementation
that ours is based on, for instance, but tests sourced from there can't
do an __ssp_real(foo) without being certain that `foo` actually has a
fortified definition.

This change does always define _FORTIFY_SOURCE as a result, so gate it
on CFLAGS not already containing _FORTIFY_SOURCE definitions.

This re-applies c46a0b59071614, but without re-defining _FORTIFY_SOURCE
needlessly.

PR: 294881
Reviewed by: markj, sjg (both previous version)
Differential Revision: https://reviews.freebsd.org/D57356
---
share/mk/bsd.sys.mk | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
index 4ffac401eb4c..139cb8bec843 100644
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -307,9 +307,6 @@ CLANG_OPT_SMALL+= -mllvm -simplifycfg-dup-ret
CLANG_OPT_SMALL+= -mllvm -enable-load-pre=false
CFLAGS.clang+= -Qunused-arguments
-# XXX This should be defaulted to 2 when WITH_SSP is in use after further
-# testing and soak time.
-FORTIFY_SOURCE?= 0
.if ${MK_SSP} != "no"
# Don't use -Wstack-protector as it breaks world with -Werror.
.if ${COMPILER_FEATURES:Mstackclash}
@@ -319,9 +316,19 @@ SSP_CFLAGS?= -fstack-protector-strong
.endif
CFLAGS+= ${SSP_CFLAGS}
.endif # SSP
-.if ${FORTIFY_SOURCE} > 0
-CFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
-CXXFLAGS+= -D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+
+# XXX This should be defaulted to 2 when WITH_SSP is in use after further
+# testing and soak time.
+FORTIFY_SOURCE?= 0
+
+# We want to avoid defining _FORTIFY_SOURCE if it's set to 0, but we rely on
+# deferred-evaluation for ${.IMPSRC} to expand. The below construction
+# is, unfortunately, necessary.
+.if empty(CFLAGS:M-D_FORTIFY_SOURCE*)
+CFLAGS+= ${FORTIFY_SOURCE.${.IMPSRC:T}:U${FORTIFY_SOURCE}:S/^/-D_FORTIFY_SOURCE=/:N*=0}
+.endif
+.if empty(CXXFLAGS:M-D_FORTIFY_SOURCE*)
+CXXFLAGS+= ${FORTIFY_SOURCE.${.IMPSRC:T}:U${FORTIFY_SOURCE}:S/^/-D_FORTIFY_SOURCE=/:N*=0}
.endif
# Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is
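Review bot: The comment above the two new `.if empty(...:M-D_FORTIFY_SOURCE*)` blocks explains the deferred `${.IMPSRC}` expansion but never says how the per-file override is spelled or scoped. Suggest one more comment line along the lines of `# Set FORTIFY_SOURCE.<src file>=N to override the level for a single source file`, and a note that the lookup key is `${.IMPSRC:T}`, the basename only, so two sources with the same file name in different directories share one setting. Separately, the `.if empty(...)` guards are evaluated once, when bsd.sys.mk is parsed, while the appended expression is expanded per target. A `-D_FORTIFY_SOURCE=` that reaches CFLAGS or CXXFLAGS after this point is not seen by the guard and ends up next to the definition added here, which is worth either stating in the comment or handling, since a file meant to be built unfortified could otherwise pick up conflicting definitions.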