Bug 2265039

Summary: Missing -fwrapv for improved memory safety
Product: [Fedora] Fedora Reporter: secureblue <secureblueadmin>
Component: chromiumAssignee: Than Ngo <than>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 39CC: spotrh, than, tpopela, yaneti
Target Milestone: ---Keywords: Desktop, Security
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: chromium-122.0.6261.69-1.fc39 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-02-28 01:10:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description secureblue 2024-02-20 03:31:51 UTC 
Setting -fwrapv in cflags makes signed integer overflow defined behavior, improving memory safety. Without this setting, signed integer overflow is undefined behavior. This leads compilers to do surprising things like "optimizing out" explicit overflow checks that happen too late or themselves overflow. Sometimes these overflow checks are needed for memory safety.

Other chromium distributions already apply this patch for this reason: https://github.com/GrapheneOS/Vanadium/blob/main/patches/0004-enable-fwrapv-in-Clang-for-non-UBSan-builds.patch

It is not at all clear why upstream doesn't already do this: https://issues.chromium.org/issues/40164442

Reproducible: Always
Comment 1 Fedora Update System 2024-02-24 07:12:49 UTC 
FEDORA-2024-ef56ea86fc (chromium-122.0.6261.69-1.fc39) has been submitted as an update to Fedora 39.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-ef56ea86fc
Comment 2 Fedora Update System 2024-02-25 02:30:05 UTC 
FEDORA-2024-ef56ea86fc has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-ef56ea86fc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-ef56ea86fc

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 3 Fedora Update System 2024-02-28 01:10:36 UTC 
FEDORA-2024-ef56ea86fc (chromium-122.0.6261.69-1.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.