From the manual page for the Feature Test Macros (man 7 feature_test_macros)
_FORTIFY_SOURCE(since glibc 2.3.4)Defining this macro causes some lightweight checks to be performed to detect some buffer overflow errors when employing various string and memory manipulation functions (for example,
memcpy,memset,stpcpy,strcpy,strncpy,strcat,strncat,sprintf,snprintf,vsprintf,vsnprintf,gets, and wide character variants thereof). For some functions, argument consistency is checked; for example, a check is made thatopenhas been supplied with a mode argument when the specified flags includeO_CREAT. Not all problems are detected, just some common cases.If
_FORTIFY_SOURCEis set to 1, with compiler optimization level 1 (gcc -O1) and above, checks that shouldn’t change the behavior of conforming programs are performed.With
_FORTIFY_SOURCEset to 2, some more checking is added, but some conforming programs might fail.Some of the checks can be performed at compile time (via macros logic implemented in header files), and result in compiler warnings; other checks take place at run time, and result in a run-time error if the check fails.
Use of this macro requires compiler support, available with
gccsince version 4.0.
Moreover, the article Enhance application security with FORTIFY_SOURCE (March 2014) says:
gcc -D_FORTIFY_SOURCE=1adds checks at compile-time only (some headers are necessary as#include <string.h>)gcc -D_FORTIFY_SOURCE=2also adds checks at run-time (detected buffer overflow terminates the program)
Essentially, _FORTIFY_SOURCE level 2 is more secure, but is a slightly riskier compilation strategy; if you use it, make sure you have very strong regression tests for your compiled code to prove the compiler hasn’t introduced any unexpected behaviour.