diff mbox series

[v5,02/14] Exclude routines from fortification

Message ID 20230705141055.274575-3-fberat@redhat.com
State New
Headers show
Series Allow glibc to be built with _FORTIFY_SOURCE | expand

Commit Message

Frederic Berat July 5, 2023, 2:10 p.m. UTC
Since the _FORTIFY_SOURCE feature uses some routines of Glibc, they need to
be excluded from the fortification.

On top of that:
 - some tests explicitly verify that some level of fortification works
   appropriately, we therefore shouldn't modify the level set for them.
 - some objects need to be build with optimization disabled, which
   prevents _FORTIFY_SOURCE to be used for them.

Assembler files that implement architecture specific versions of the
fortified routines were not excluded from _FORTIFY_SOURCE as there is no
C header included that would impact their behavior.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
---
 debug/Makefile                              | 12 +--
 io/Makefile                                 | 16 ++++
 libio/Makefile                              | 23 +++++-
 login/Makefile                              |  6 ++
 misc/Makefile                               |  7 ++
 posix/Makefile                              | 11 +++
 rt/Makefile                                 |  5 ++
 setjmp/Makefile                             |  9 +++
 socket/Makefile                             |  6 ++
 stdio-common/Makefile                       | 15 +++-
 stdlib/Makefile                             |  7 ++
 string/Makefile                             | 17 +++++
 sysdeps/ieee754/ldbl-128ibm-compat/Makefile | 81 +++++++++++++++++----
 sysdeps/ieee754/ldbl-opt/Makefile           | 29 ++++++++
 sysdeps/pthread/Makefile                    |  4 +
 sysdeps/unix/sysv/linux/Makefile            |  3 +
 wcsmbs/Makefile                             | 23 +++++-
 17 files changed, 248 insertions(+), 26 deletions(-)
diff mbox series

Patch

diff --git a/debug/Makefile b/debug/Makefile
index 9d658e3002..434e52f780 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -171,13 +171,13 @@  CFLAGS-recvfrom_chk.c += -fexceptions -fasynchronous-unwind-tables
 # set up for us, so keep the CFLAGS/CPPFLAGS split logical as the order is:
 # <user CFLAGS> <test CFLAGS> <user CPPFLAGS> <test CPPFLAGS>
 CFLAGS-tst-longjmp_chk.c += -fexceptions -fasynchronous-unwind-tables
-CPPFLAGS-tst-longjmp_chk.c += -D_FORTIFY_SOURCE=1
+CPPFLAGS-tst-longjmp_chk.c += $(no-fortify-source),-D_FORTIFY_SOURCE=1
 CFLAGS-tst-longjmp_chk2.c += -fexceptions -fasynchronous-unwind-tables
-CPPFLAGS-tst-longjmp_chk2.c += -D_FORTIFY_SOURCE=1
+CPPFLAGS-tst-longjmp_chk2.c += $(no-fortify-source),-D_FORTIFY_SOURCE=1
 CFLAGS-tst-longjmp_chk3.c += -fexceptions -fasynchronous-unwind-tables
-CPPFLAGS-tst-longjmp_chk3.c += -D_FORTIFY_SOURCE=1
-CPPFLAGS-tst-realpath-chk.c += -D_FORTIFY_SOURCE=2
-CPPFLAGS-tst-chk-cancel.c += -D_FORTIFY_SOURCE=2
+CPPFLAGS-tst-longjmp_chk3.c += $(no-fortify-source),-D_FORTIFY_SOURCE=1
+CPPFLAGS-tst-realpath-chk.c += $(no-fortify-source),-D_FORTIFY_SOURCE=2
+CPPFLAGS-tst-chk-cancel.c += $(no-fortify-source),-D_FORTIFY_SOURCE=2
 
 # _FORTIFY_SOURCE tests.
 # Auto-generate tests for _FORTIFY_SOURCE for different levels, compilers and
@@ -215,7 +215,7 @@  src-chk-nongnu = \#undef _GNU_SOURCE
 # cannot be disabled via pragmas, so require -Wno-error to be used.
 define gen-chk-test
 tests-$(1)-$(4)-chk += tst-fortify-$(1)-$(2)-$(3)-$(4)
-CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) += -D_FORTIFY_SOURCE=$(3) -Wno-format \
+CFLAGS-tst-fortify-$(1)-$(2)-$(3)-$(4).$(1) += $(no-fortify-source),-D_FORTIFY_SOURCE=$(3) -Wno-format \
 					  -Wno-deprecated-declarations \
 					  -Wno-error
 $(eval $(call cflags-$(2),$(1),$(3),$(4)))
diff --git a/io/Makefile b/io/Makefile
index d573064ecc..6ccc0e8691 100644
--- a/io/Makefile
+++ b/io/Makefile
@@ -149,6 +149,22 @@  routines := \
   write \
   # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  getcwd \
+  getwd \
+  open \
+  open64 \
+  openat \
+  openat64 \
+  poll \
+  ppoll \
+  read \
+  readlink \
+  readlinkat \
+  ttyname_r \
+  # routines_no_fortify
+
 others := \
  pwd \
  # others
diff --git a/libio/Makefile b/libio/Makefile
index 2877fec484..287ec11338 100644
--- a/libio/Makefile
+++ b/libio/Makefile
@@ -53,6 +53,21 @@  routines	:=							      \
 
 gen-as-const-headers += libio-macros.sym
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  fwprintf \
+  iofgets \
+  iofgets_u \
+  iofgetws \
+  iofgetws_u \
+  swprintf \
+  vasprintf \
+  vsnprintf \
+  vswprintf \
+  vwprintf \
+  wprintf \
+  # routines_no_fortify
+
 tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc   \
 	tst_wprintf2 tst-widetext test-fmemopen tst-ext tst-ext2 \
 	tst-fgetws tst-ungetwc1 tst-ungetwc2 tst-swscanf tst-sscanf	      \
@@ -165,11 +180,15 @@  CFLAGS-iofgets_u.c += $(config-cflags-wno-ignored-attributes)
 CFLAGS-iofputs_u.c += $(config-cflags-wno-ignored-attributes)
 # XXX Do we need filedoalloc and wfiledoalloc?  Others?
 
+# Prevent fortification as these are built with -O0
+CFLAGS-tst-bz24051.c += $(no-fortify-source)
+CFLAGS-tst-bz24153.c += $(no-fortify-source)
+
 CFLAGS-tst_putwc.c += -DOBJPFX=\"$(objpfx)\"
 
 # These test cases intentionally use overlapping arguments
-CFLAGS-tst-sprintf-ub.c += -Wno-restrict
-CFLAGS-tst-sprintf-chk-ub.c += -Wno-restrict
+CFLAGS-tst-sprintf-ub.c += -Wno-restrict $(no-fortify-source)
+CFLAGS-tst-sprintf-chk-ub.c += -Wno-restrict $(no-fortify-source)
 
 LDFLAGS-tst-bz24228 = -Wl,--version-script=tst-bz24228.map
 
diff --git a/login/Makefile b/login/Makefile
index 13b155d344..74216cbcb2 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -66,6 +66,12 @@  include ../Rules
 CFLAGS-getpt.c += -fexceptions
 CFLAGS-getlogin_r.c += $(config-cflags-wno-ignored-attributes)
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  getlogin_r \
+  ptsname_r \
+  # routines_no_fortify
+
 ifeq (yesyes,$(have-fpie)$(build-shared))
 pt_chown-cflags += $(pie-ccflag)
 endif
diff --git a/misc/Makefile b/misc/Makefile
index 84aa4cb0ad..36ba7a0bad 100644
--- a/misc/Makefile
+++ b/misc/Makefile
@@ -205,6 +205,13 @@  routines := \
   writev \
   # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  getdomain \
+  gethostname \
+  syslog \
+  # routines_no_fortify
+
 generated += \
   tst-allocate_once-mem.out \
   tst-allocate_once.mtrace \
diff --git a/posix/Makefile b/posix/Makefile
index ad43cbdec6..5113ee3b74 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -183,6 +183,14 @@  routines := \
   wordexp \
   # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  confstr \
+  getgroups \
+  pread \
+  pread64 \
+  # routines_no_fortify
+
 aux := \
   environ \
   init-posix \
@@ -604,6 +612,9 @@  bug-glob1-ARGS = "$(objpfx)"
 tst-execvp3-ARGS = --test-dir=$(objpfx)
 CFLAGS-tst-spawn3.c += -DOBJPFX=\"$(objpfx)\"
 
+# Test voluntarily overflows struct dirent
+CFLAGS-bug-glob2.c += $(no-fortify-source)
+
 $(objpfx)testcases.h: TESTS TESTS2C.sed
 	LC_ALL=C sed -f TESTS2C.sed < $< > $@T
 	mv $@T $@
diff --git a/rt/Makefile b/rt/Makefile
index a97333dc02..3d4a3f0eec 100644
--- a/rt/Makefile
+++ b/rt/Makefile
@@ -100,6 +100,11 @@  CFLAGS-aio_suspend.c += -fexceptions
 CFLAGS-mq_timedreceive.c += -fexceptions -fasynchronous-unwind-tables
 CFLAGS-mq_timedsend.c += -fexceptions -fasynchronous-unwind-tables
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  mq_open \
+  # routines_no_fortify
+
 LDFLAGS-rt.so = -Wl,--enable-new-dtags,-z,nodelete
 
 $(objpfx)librt.so: $(shared-thread-library)
diff --git a/setjmp/Makefile b/setjmp/Makefile
index e5733a8c52..363fb6673c 100644
--- a/setjmp/Makefile
+++ b/setjmp/Makefile
@@ -38,4 +38,13 @@  gen-as-const-headers += jmp_buf-macros.sym
 
 include ../Rules
 
+# This test messes the stack on purpose, which triggers longjump fortify
+# failure
+CFLAGS-bug269-setjmp.c += $(no-fortify-source)
+
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  longjmp \
+  # routines_no_fortify
+
 $(objpfx)tst-setjmp-fp: $(libm)
diff --git a/socket/Makefile b/socket/Makefile
index d9b0b4af64..08f20118cd 100644
--- a/socket/Makefile
+++ b/socket/Makefile
@@ -60,6 +60,12 @@  routines := \
   socketpair \
   # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  recv \
+  recvfrom \
+  # routines_no_fortify
+
 tests := \
   tst-accept4 \
   tst-cmsg_cloexec \
diff --git a/stdio-common/Makefile b/stdio-common/Makefile
index 8871ec7668..fe304b8373 100644
--- a/stdio-common/Makefile
+++ b/stdio-common/Makefile
@@ -117,6 +117,19 @@  routines := \
   wprintf_function_invoke \
   # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  asprintf \
+  dprintf \
+  fprintf \
+  printf \
+  snprintf \
+  sprintf \
+  vfprintf \
+  vfwprintf \
+  vprintf \
+  # routines_no_fortify
+
 aux := \
   errlist \
   errlist-data \
@@ -461,7 +474,7 @@  CFLAGS-tst-gets.c += -Wno-deprecated-declarations
 
 # BZ #11319 was first fixed for regular vdprintf, then reopened because
 # the fortified version had the same bug.
-CFLAGS-tst-bz11319-fortify2.c += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
+CFLAGS-tst-bz11319-fortify2.c += $(no-fortify-source),-D_FORTIFY_SOURCE=2
 
 CFLAGS-tst-memstream-string.c += -fno-builtin-fprintf
 
diff --git a/stdlib/Makefile b/stdlib/Makefile
index 0975f55ee6..25e42a77e7 100644
--- a/stdlib/Makefile
+++ b/stdlib/Makefile
@@ -145,6 +145,13 @@  routines := \
   xpg_basename \
   # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  mbstowcs \
+  wcstombs \
+  wctomb \
+  # routines_no_fortify
+
 aux = \
   grouping \
   groupingwc \
diff --git a/string/Makefile b/string/Makefile
index d3106d10a9..8cdfd5b000 100644
--- a/string/Makefile
+++ b/string/Makefile
@@ -118,6 +118,23 @@  routines := \
   xpg-strerror \
 # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  explicit_bzero \
+  memcpy \
+  memmove \
+  mempcpy \
+  memset \
+  stpcpy \
+  stpncpy \
+  strcat \
+  strcpy \
+  strlcat \
+  strlcpy \
+  strncat \
+  strncpy \
+  # routines_no_fortify
+
 tests := \
   bug-envz1 \
   bug-strcoll1 \
diff --git a/sysdeps/ieee754/ldbl-128ibm-compat/Makefile b/sysdeps/ieee754/ldbl-128ibm-compat/Makefile
index 42cca25a09..34273a5f58 100644
--- a/sysdeps/ieee754/ldbl-128ibm-compat/Makefile
+++ b/sysdeps/ieee754/ldbl-128ibm-compat/Makefile
@@ -88,13 +88,19 @@  tests-internal += test-wprintf-ieee128 test-wprintf-ibm128
 CFLAGS-test-wprintf-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
 CFLAGS-test-wprintf-ibm128.c += -mabi=ibmlongdouble -Wno-psabi
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-internal += test-obstack-ieee128 test-obstack-ibm128
-CFLAGS-test-obstack-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
-CFLAGS-test-obstack-ibm128.c += -mabi=ibmlongdouble -Wno-psabi
+CFLAGS-test-obstack-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi \
+				 $(no-fortify-source)
+CFLAGS-test-obstack-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
+				$(no-fortify-source)
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-internal += test-obstack-chk-ieee128 test-obstack-chk-ibm128
-CFLAGS-test-obstack-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
-CFLAGS-test-obstack-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi
+CFLAGS-test-obstack-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi \
+				     $(no-fortify-source)
+CFLAGS-test-obstack-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
+				    $(no-fortify-source)
 
 tests-internal += test-scanf-ieee128 test-scanf-ibm128
 CFLAGS-test-scanf-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi -std=c89 -D_GNU_SOURCE
@@ -216,25 +222,37 @@  ldbl-extra-routines += asprintf_chk \
 		       obstack_chk \
 		       vobstack_chk
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-internal += test-printf-chk-ieee128 test-printf-chk-ibm128
-CFLAGS-test-printf-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
-CFLAGS-test-printf-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi
+CFLAGS-test-printf-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi \
+				    $(no-fortify-source)
+CFLAGS-test-printf-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
+				   $(no-fortify-source)
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-internal += test-printf-chk-redir-ieee128 test-printf-chk-redir-ibm128
 CFLAGS-test-printf-chk-redir-ieee128.c += -mfloat128 -mabi=ieeelongdouble \
-					  -Wno-psabi -Wno-unused-result
+					  -Wno-psabi -Wno-unused-result \
+					  $(no-fortify-source)
 CFLAGS-test-printf-chk-redir-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
-					 -Wno-unused-result
+					 -Wno-unused-result \
+					 $(no-fortify-source)
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-internal += test-wprintf-chk-ieee128 test-wprintf-chk-ibm128
-CFLAGS-test-wprintf-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
-CFLAGS-test-wprintf-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi
+CFLAGS-test-wprintf-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi \
+				     $(no-fortify-source)
+CFLAGS-test-wprintf-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
+				    $(no-fortify-source)
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-internal += test-wprintf-chk-redir-ieee128 test-wprintf-chk-redir-ibm128
 CFLAGS-test-wprintf-chk-redir-ieee128.c += -mfloat128 -mabi=ieeelongdouble \
-					   -Wno-psabi -Wno-unused-result
+					   -Wno-psabi -Wno-unused-result \
+					   $(no-fortify-source)
 CFLAGS-test-wprintf-chk-redir-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
-					  -Wno-unused-result
+					  -Wno-unused-result \
+					  $(no-fortify-source)
 endif
 
 ifeq ($(subdir),argp)
@@ -281,13 +299,19 @@  CFLAGS-tst-ieee128-error.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
 CFLAGS-tst-ieee128-efgcvt.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
 CFLAGS-tst-ieee128-errorfptr.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-container += test-syslog-ieee128 test-syslog-ibm128
-CFLAGS-test-syslog-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
-CFLAGS-test-syslog-ibm128.c += -mabi=ibmlongdouble -Wno-psabi
+CFLAGS-test-syslog-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi \
+				$(no-fortify-source)
+CFLAGS-test-syslog-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
+			       $(no-fortify-source)
 
+# The following tests are setting _FORTIFY_SOURCE internally
 tests-container += test-syslog-chk-ieee128 test-syslog-chk-ibm128
-CFLAGS-test-syslog-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi
-CFLAGS-test-syslog-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi
+CFLAGS-test-syslog-chk-ieee128.c += -mfloat128 -mabi=ieeelongdouble -Wno-psabi \
+				    $(no-fortify-source)
+CFLAGS-test-syslog-chk-ibm128.c += -mabi=ibmlongdouble -Wno-psabi \
+				   $(no-fortify-source)
 endif
 
 ifeq ($(subdir),stdlib)
@@ -395,6 +419,31 @@  endif
 # Add IEEE binary128 files as make targets.
 routines += $(foreach r,$(ldbl-extra-routines),ieee128-$(r))
 
+routines_no_fortify += \
+  ieee128-asprintf \
+  ieee128-dprintf \
+  ieee128-fprintf \
+  ieee128-fwprintf \
+  ieee128-obstack \
+  ieee128-printf \
+  ieee128-snprintf \
+  ieee128-sprintf \
+  ieee128-swprintf \
+  ieee128-syslog \
+  ieee128-vasprintf \
+  ieee128-vdprintf \
+  ieee128-vfprintf \
+  ieee128-vfwprintf \
+  ieee128-vobstack \
+  ieee128-vprintf \
+  ieee128-vsnprintf \
+  ieee128-vsprintf \
+  ieee128-vswprintf \
+  ieee128-vsyslog \
+  ieee128-vwprintf \
+  ieee128-wprintf \
+  # routines_no_fortify
+
 # On powerpc64le, the routines responsible for converting between long
 # double and string (e.g.: printf, scanf, strtold, strfroml) default to
 # IBM long double mode.  When support for TS 18661-3 was added, several
diff --git a/sysdeps/ieee754/ldbl-opt/Makefile b/sysdeps/ieee754/ldbl-opt/Makefile
index 22e778ad0e..0ed1cd2cae 100644
--- a/sysdeps/ieee754/ldbl-opt/Makefile
+++ b/sysdeps/ieee754/ldbl-opt/Makefile
@@ -269,3 +269,32 @@  CFLAGS-tst-nldbl-wscanf-binary-gnu89.c += -mlong-double-64 -std=gnu89 \
 					  -DOBJPFX=\"$(objpfx)\"
 
 endif
+
+routines_no_fortify += \
+  nldbl-asprintf \
+  nldbl-dprintf \
+  nldbl-fprintf \
+  nldbl-fwprintf \
+  nldbl-obstack_printf \
+  nldbl-obstack_vprintf \
+  nldbl-printf \
+  nldbl-snprintf \
+  nldbl-sprintf \
+  nldbl-swprintf \
+  nldbl-syslog \
+  nldbl-vasprintf \
+  nldbl-vdprintf \
+  nldbl-vfprintf \
+  nldbl-vfwprintf \
+  nldbl-vprintf \
+  nldbl-vsnprintf \
+  nldbl-vsprintf \
+  nldbl-vswprintf \
+  nldbl-vsyslog \
+  nldbl-vwprintf \
+  nldbl-wprintf \
+  # routines_no_fortify
+
+# We can't rely on Makeconfig here for whatever reason
+CFLAGS-.oS += $(call elide-fortify-source,.oS,$(routines_no_fortify))
+CFLAGS-.oS += $(call elide-fortify-source,_chk.oS,$(routines_no_fortify))
diff --git a/sysdeps/pthread/Makefile b/sysdeps/pthread/Makefile
index 32cf4eb119..31028406d5 100644
--- a/sysdeps/pthread/Makefile
+++ b/sysdeps/pthread/Makefile
@@ -304,6 +304,10 @@  tests-nolibpthread += \
 CFLAGS-tst-cleanup2.c += -fno-builtin
 CFLAGS-tst-cleanupx2.c += -fno-builtin
 
+# Disable fortification due to sprintf(NULL,...)
+CFLAGS-tst-cleanup2.c += $(no-fortify-source)
+CFLAGS-tst-cleanupx2.c += $(no-fortify-source)
+
 tests += \
   tst-cancelx2 \
   tst-cancelx3 \
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
index 23a84cf225..be801e3be4 100644
--- a/sysdeps/unix/sysv/linux/Makefile
+++ b/sysdeps/unix/sysv/linux/Makefile
@@ -120,6 +120,9 @@  CFLAGS-sync_file_range.c = -fexceptions -fasynchronous-unwind-tables
 CFLAGS-pselect32.c = -fexceptions -fasynchronous-unwind-tables
 CFLAGS-tst-writev.c += "-DARTIFICIAL_LIMIT=(0x80000000-sysconf(_SC_PAGESIZE))"
 
+# The test triggers FORTIFY abortion due to purposely wrong parameters
+CFLAGS-test-errno-linux.c += $(no-fortify-source)
+
 sysdep_headers += \
   bits/a.out.h \
   bits/epoll.h \
diff --git a/wcsmbs/Makefile b/wcsmbs/Makefile
index 22192985e1..d25a2214f8 100644
--- a/wcsmbs/Makefile
+++ b/wcsmbs/Makefile
@@ -121,6 +121,27 @@  routines := \
   wmemset \
   # routines
 
+# Exclude fortified routines from being built with _FORTIFY_SOURCE
+routines_no_fortify += \
+  mbsnrtowcs \
+  mbsrtowcs \
+  wcpcpy \
+  wcpncpy \
+  wcrtomb \
+  wcscat \
+  wcscpy \
+  wcslcat \
+  wcslcpy \
+  wcsncat \
+  wcsncpy \
+  wcsnrtombs \
+  wcsrtombs \
+  wmemcpy \
+  wmemmove \
+  wmempcpy \
+  wmemset \
+  # routines_no_fortify
+
 tests := \
   test-c8rtomb \
   test-char-types \
@@ -231,7 +252,7 @@  CFLAGS-wcstod_l.c += $(strtox-CFLAGS) $(config-cflags-wno-ignored-attributes)
 CFLAGS-wcstold_l.c += $(strtox-CFLAGS) $(config-cflags-wno-ignored-attributes)
 CFLAGS-wcstof128_l.c += $(strtox-CFLAGS)
 CFLAGS-wcstof_l.c += $(strtox-CFLAGS) $(config-cflags-wno-ignored-attributes)
-CPPFLAGS-tst-wchar-h.c += -D_FORTIFY_SOURCE=2
+CPPFLAGS-tst-wchar-h.c += $(no-fortify-source),-D_FORTIFY_SOURCE=2
 
 CFLAGS-wcschr.c += $(config-cflags-wno-ignored-attributes)
 CFLAGS-wmemchr.c += $(config-cflags-wno-ignored-attributes)