diff --git a/pkgs/applications/audio/alsa-scarlett-gui/default.nix b/pkgs/applications/audio/alsa-scarlett-gui/default.nix
index 6433bdbe3d0..80db9e85d3d 100644
--- a/pkgs/applications/audio/alsa-scarlett-gui/default.nix
+++ b/pkgs/applications/audio/alsa-scarlett-gui/default.nix
@@ -25,6 +25,9 @@ stdenv.mkDerivation rec {
 nativeBuildInputs = [ pkg-config wrapGAppsHook4 ];
 buildInputs = [ gtk4 alsa-lib ];
+ # causes redefinition of _FORTIFY_SOURCE
+ hardeningDisable = [ "fortify3" ];
+
 meta = with lib; {
 description = "GUI for alsa controls presented by Focusrite Scarlett Gen 2/3 Mixer Driver";
 homepage = "https://github.com/geoffreybennett/alsa-scarlett-gui";
diff --git a/pkgs/applications/emulators/retroarch/cores.nix b/pkgs/applications/emulators/retroarch/cores.nix
index 8da558bfbeb..63e03bc00ad 100644
--- a/pkgs/applications/emulators/retroarch/cores.nix
+++ b/pkgs/applications/emulators/retroarch/cores.nix
@@ -722,6 +722,10 @@ in
 # remove ccache
 substituteInPlace CMakeLists.txt --replace "ccache" ""
 '';
+
+ # causes redefinition of _FORTIFY_SOURCE
+ hardeningDisable = [ "fortify3" ];
+
 postBuild = "cd /build/source/build/pcsx2";
 meta = {
 description = "Port of PCSX2 to libretro";
diff --git a/pkgs/applications/graphics/foxotron/default.nix b/pkgs/applications/graphics/foxotron/default.nix
index b16025e8829..c2eaac0f563 100644
--- a/pkgs/applications/graphics/foxotron/default.nix
+++ b/pkgs/applications/graphics/foxotron/default.nix
@@ -51,6 +51,9 @@ stdenv.mkDerivation rec {
 "-Wno-error=array-bounds"
 ];
+ # error: writing 1 byte into a region of size 0
+ hardeningDisable = [ "fortify3" ];
+
 installPhase = ''
 runHook preInstall
diff --git a/pkgs/applications/science/chemistry/ergoscf/default.nix b/pkgs/applications/science/chemistry/ergoscf/default.nix
index b7d61848134..a2ea5b90153 100644
--- a/pkgs/applications/science/chemistry/ergoscf/default.nix
+++ b/pkgs/applications/science/chemistry/ergoscf/default.nix
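Review bot: The comment `# causes redefinition of _FORTIFY_SOURCE` in alsa-scarlett-gui/default.nix records the symptom but not what the binary ends up with, and the same wording is repeated in the retroarch/cores.nix, kitty, mmc-utils, sgx/psw and x86info hunks. A redefinition error suggests each upstream build passes its own `-D_FORTIFY_SOURCE=<level>` (inferred, not visible here), in which case the package is still fortified at upstream's level and the comment should say so, e.g. `# upstream Makefile sets -D_FORTIFY_SOURCE itself, which clashes with the level set by fortify3`. For sgx/psw in particular it is worth confirming the resulting level before merging, since that package is trusted platform software. The enclosing mkDerivation blocks start and end outside the hunks.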
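Review bot: In foxotron/default.nix the quoted failure (`writing 1 byte into a region of size 0`) is a compile-time diagnostic, yet the fix removes the runtime fortify3 checks from the whole build. It reads like GCC's `-Wstringop-overflow` promoted to an error, and the context line already demotes `array-bounds` in the same list, so adding `"-Wno-error=stringop-overflow"` there may be enough and would keep the hardening; this is inferred from the message text, so check it against the build log and look at the flagged call before silencing it. The tgt hunk is the same pattern (`'read' writing 1 byte into a region of size 0`, next to `-Wno-error=maybe-uninitialized`), and since tgt is a network-facing daemon, keeping fortify3 matters more there. Both flag lists start outside their hunks.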
@@ -28,6 +28,12 @@ stdenv.mkDerivation rec {
 OMP_NUM_THREADS = 2; # required for check phase
+ # With "fortify3", there are test failures, such as:
+ # Testing cnof CAMB3LYP/6-31G using FMM
+ # *** buffer overflow detected ***: terminated
+ # ./test_fmm_camb3lyp.sh: line 81: 1061289 Aborted (core dumped) ./ergo < /dev/null
+ hardeningDisable = [ "fortify3" ];
+
 doCheck = true;
 meta = with lib; {
diff --git a/pkgs/applications/terminal-emulators/kitty/default.nix b/pkgs/applications/terminal-emulators/kitty/default.nix
index 7ff455286fc..ecd0169acff 100644
--- a/pkgs/applications/terminal-emulators/kitty/default.nix
+++ b/pkgs/applications/terminal-emulators/kitty/default.nix
@@ -99,8 +99,13 @@ buildPythonApplication rec {
 ./disable-test_ssh_bootstrap_with_different_launchers.patch
 ];
- # Causes build failure due to warning
- hardeningDisable = lib.optional stdenv.cc.isClang "strictoverflow";
+ hardeningDisable = [
+ # causes redefinition of _FORTIFY_SOURCE
+ "fortify3"
+ ] ++ lib.optionals stdenv.cc.isClang [
+ # Causes build failure due to warning
+ "strictoverflow"
+ ];
 CGO_ENABLED = 0;
 GOFLAGS = "-trimpath";
diff --git a/pkgs/development/libraries/libffi/3.3.nix b/pkgs/development/libraries/libffi/3.3.nix
index b6837c6523f..294717d1fb1 100644
--- a/pkgs/development/libraries/libffi/3.3.nix
+++ b/pkgs/development/libraries/libffi/3.3.nix
@@ -29,6 +29,9 @@ stdenv.mkDerivation rec {
 "--disable-exec-static-tramp"
 ];
+ # with fortify3, tests fail for some reason
+ hardeningDisable = [ "fortify3" ];
+
 preCheck = ''
 # The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
 NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
diff --git a/pkgs/development/libraries/libxlsxwriter/default.nix b/pkgs/development/libraries/libxlsxwriter/default.nix
index 5d9b50e7251..3716090a30d 100644
--- a/pkgs/development/libraries/libxlsxwriter/default.nix
+++ b/pkgs/development/libraries/libxlsxwriter/default.nix
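Review bot: The failures quoted in ergoscf/default.nix (`*** buffer overflow detected ***: terminated`) are runtime aborts from the fortified libc wrappers, so either the stricter object-size check caught a real out-of-bounds write or it is a false positive, and the comment does not say which. `hardeningDisable` drops the check from the installed binaries, not only from the check phase, so a genuine overflow would ship unguarded. I would add a line such as `# TODO: report upstream and re-enable once <upstream issue URL> is resolved` so the exception is tracked. The libxlsxwriter (worksheet_table15) and sparse (bool-float.c) hunks have the same gap; libxlsxwriter is a library, so everything linking it inherits the missing check.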
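Review bot: The `for some reason` in libffi/3.3.nix is probably explained by the context lines right below it: preCheck strips `fortify` from NIX_HARDENING_ENABLE because the tests build with -O0, and a `${VAR/fortify/}` expansion removes only the first match, so with the new flag present a fortify entry can survive it (not verified here). If that is the cause, handle it where the existing workaround lives, with `NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify3/}` ahead of the existing line, rather than building the shared library itself without fortify3. The preCheck string continues past the end of the hunk.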
@@ -31,6 +31,9 @@ stdenv.mkDerivation rec {
 "USE_SYSTEM_MINIZIP=1"
 ];
+ # TEST 428/429 worksheet:worksheet_table15 *** buffer overflow detected ***: terminated
+ hardeningDisable = [ "fortify3" ];
+
 doCheck = true;
 checkTarget = "test";
diff --git a/pkgs/development/tools/analysis/sparse/default.nix b/pkgs/development/tools/analysis/sparse/default.nix
index 7842954cde6..497d571cf14 100644
--- a/pkgs/development/tools/analysis/sparse/default.nix
+++ b/pkgs/development/tools/analysis/sparse/default.nix
@@ -22,6 +22,14 @@ in stdenv.mkDerivation rec {
 doCheck = true;
 buildFlags = [ "GCC_BASE:=${GCC_BASE}" ];
+ # Test failures with "fortify3" on, such as:
+ # +*** buffer overflow detected ***: terminated
+ # +Aborted (core dumped)
+ # error: Actual exit value does not match the expected one.
+ # error: expected 0, got 134.
+ # error: FAIL: test 'bool-float.c' failed
+ hardeningDisable = [ "fortify3" ];
+
 passthru.tests = {
 simple-execution = callPackage ./tests.nix { };
 };
diff --git a/pkgs/games/cdogs-sdl/default.nix b/pkgs/games/cdogs-sdl/default.nix
index 89321b9c96f..3db387990eb 100644
--- a/pkgs/games/cdogs-sdl/default.nix
+++ b/pkgs/games/cdogs-sdl/default.nix
@@ -50,6 +50,9 @@ stdenv.mkDerivation rec {
 protobuf
 ];
+ # inlining failed in call to 'tinydir_open': --param max-inline-insns-single limit reached
+ hardeningDisable = [ "fortify3" ];
+
 meta = with lib; {
 homepage = "https://cxong.github.io/cdogs-sdl";
 description = "Open source classic overhead run-and-gun game";
diff --git a/pkgs/os-specific/linux/mmc-utils/default.nix b/pkgs/os-specific/linux/mmc-utils/default.nix
index fb1763a735d..9580301eae9 100644
--- a/pkgs/os-specific/linux/mmc-utils/default.nix
+++ b/pkgs/os-specific/linux/mmc-utils/default.nix
@@ -12,6 +12,9 @@ stdenv.mkDerivation {
 makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" "prefix=$(out)" ];
+ # causes redefinition of _FORTIFY_SOURCE
+ hardeningDisable = [ "fortify3" ];
+
 postInstall = ''
 mkdir -p $out/share/man/man1
 cp man/mmc.1 $out/share/man/man1/
diff --git a/pkgs/os-specific/linux/sgx/psw/default.nix b/pkgs/os-specific/linux/sgx/psw/default.nix
index 4a5e50d9c6a..fa4a7be01cf 100644
--- a/pkgs/os-specific/linux/sgx/psw/default.nix
+++ b/pkgs/os-specific/linux/sgx/psw/default.nix
@@ -59,7 +59,10 @@ stdenv.mkDerivation rec {
 protobuf
 ];
- hardeningDisable = lib.optionals debug [
+ hardeningDisable = [
+ # causes redefinition of _FORTIFY_SOURCE
+ "fortify3"
+ ] ++ lib.optionals debug [
 "fortify"
 ];
diff --git a/pkgs/os-specific/linux/x86info/default.nix b/pkgs/os-specific/linux/x86info/default.nix
index db5b040da3a..f330fbbe6c7 100644
--- a/pkgs/os-specific/linux/x86info/default.nix
+++ b/pkgs/os-specific/linux/x86info/default.nix
@@ -26,6 +26,9 @@ stdenv.mkDerivation rec {
 pciutils
 ];
+ # causes redefinition of _FORTIFY_SOURCE
+ hardeningDisable = [ "fortify3" ];
+
 postBuild = ''
 patchShebangs lsmsr/createheader.py
 make -C lsmsr
diff --git a/pkgs/tools/networking/tgt/default.nix b/pkgs/tools/networking/tgt/default.nix
index 8de6a67faed..0b4e75879ca 100644
--- a/pkgs/tools/networking/tgt/default.nix
+++ b/pkgs/tools/networking/tgt/default.nix
@@ -27,6 +27,11 @@ stdenv.mkDerivation rec {
 "-Wno-error=maybe-uninitialized"
 ];
+ hardeningDisable = lib.optionals stdenv.isAarch64 [
+ # error: 'read' writing 1 byte into a region of size 0 overflows the destination
+ "fortify3"
+ ];
+
 installFlags = [
 "sysconfdir=${placeholder "out"}/etc"
 ];