<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ports/Mk/Features/fortify.mk, branch main</title>
<subtitle>FreeBSD ports tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/ports/'/>
<entry>
<title>Mk/Features: Add features for fortify, zeroregs and stack autoinit.</title>
<updated>2025-05-24T18:21:13+00:00</updated>
<author>
<name>Alexander Leidinger</name>
<email>netchild@FreeBSD.org</email>
</author>
<published>2025-05-24T18:17:24+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/ports/commit/?id=7a489e95c51f47f5e25a5613e375ec000618e52a'/>
<id>7a489e95c51f47f5e25a5613e375ec000618e52a</id>
<content type='text'>
Those 3 features for ports go along with the corresponding features from
the base system (some only available in -current).

The options you can put into make.conf for the ports collections are:

WITH_FORTIFY=yes
    This enables mitigations of common memory safety issues, such as buffer
    overflows, by adding checks to functions like memcpy, strcpy, sprintf,
    and others when the compiler can determine the size of the destination
    buffer at compile time.

WITH_STACK_AUTOINIT=yes
    This enables a compiler specific option to automatically initialize
    local (automatic) variables to prevent the use of uninitialized memory.

WITH_ZEROREGS=yes
    Zero call-used registers at function return to increase program
    security by either mitigating Return-Oriented Programming (ROP)
    attacks or preventing information leakage through registers.
    This depends upon support from the compiler for a given architecture.
    This is disabled for Python ports; currently there are issues.

Approved by:	portmgr (mat)
PR:		284270
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Those 3 features for ports go along with the corresponding features from
the base system (some only available in -current).

The options you can put into make.conf for the ports collections are:

WITH_FORTIFY=yes
    This enables mitigations of common memory safety issues, such as buffer
    overflows, by adding checks to functions like memcpy, strcpy, sprintf,
    and others when the compiler can determine the size of the destination
    buffer at compile time.

WITH_STACK_AUTOINIT=yes
    This enables a compiler specific option to automatically initialize
    local (automatic) variables to prevent the use of uninitialized memory.

WITH_ZEROREGS=yes
    Zero call-used registers at function return to increase program
    security by either mitigating Return-Oriented Programming (ROP)
    attacks or preventing information leakage through registers.
    This depends upon support from the compiler for a given architecture.
    This is disabled for Python ports; currently there are issues.

Approved by:	portmgr (mat)
PR:		284270
</pre>
</div>
</content>
</entry>
</feed>
