difference between gcc -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2

front-end · unresolved · 2 answers · 1456 views
情书的邮戳 2020-12-07 20:21

Can someone point out the difference between gcc -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2? I guess =2 is more secure? I haven't be

2 answers
  •  温柔的废话
    2020-12-07 20:24

    http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html goes into more detail than feature_test_macros(7).

    Here's the relevant excerpt, lightly edited/reformatted for clarity:

    The difference between -D_FORTIFY_SOURCE=1 and -D_FORTIFY_SOURCE=2 is e.g. for

      struct S {
          struct T {
            char buf[5];
            int x;
          } t;
          char buf[20];
      } var;
    

    With -D_FORTIFY_SOURCE=1,

      strcpy (&var.t.buf[1], "abcdefg");
    

    is not considered an overflow (object is whole VAR), while with -D_FORTIFY_SOURCE=2

      strcpy (&var.t.buf[1], "abcdefg");
    

    will be considered a buffer overflow.

    Another difference is that with -D_FORTIFY_SOURCE=2, %n in format strings of the most common *printf family functions is allowed only if it is stored in read-only memory (usually string literals, gettext's _("%s string %n") is fine too), but usually when an attacker attempts to exploit a format string vulnerability, %n will be somewhere where the attacker could write it into.
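The struct example in the answer above can be checked directly, because glibc's fortified string functions get their size limit from `__builtin_object_size`: level 1 asks for type 0 (bytes left to the end of the whole enclosing object), level 2 asks for type 1 (bytes left to the end of the innermost subobject). The following program is an added example, not code from the original post or from the GCC patch it quotes; it reuses the `struct S` / `var` declaration from the answer and adds hypothetical helper functions (`remaining_level1`, `remaining_level2`, `overflow_detected`) to show what each fortify level believes the destination size is and whether the `strcpy` would trip the check. It needs gcc or clang for the builtin and, unlike a real `_FORTIFY_SOURCE` build, does not need `-O1` or higher to evaluate these constant address expressions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The layout from the answer above: t.buf is a 5-byte array nested
 * inside a 32-byte (on typical ABIs) outer object. */
struct S {
    struct T {
        char buf[5];
        int x;
    } t;
    char buf[20];
} var;

/* What fortified strcpy believes remains at &var.t.buf[1] under
 * _FORTIFY_SOURCE=1: glibc uses __builtin_object_size(dst, 0), which
 * measures to the end of the enclosing complete object, i.e. all of var. */
size_t remaining_level1(void)
{
    return __builtin_object_size(&var.t.buf[1], 0);
}

/* The same under _FORTIFY_SOURCE=2: glibc uses __builtin_object_size(dst, 1),
 * which stops at the end of the innermost enclosing subobject, var.t.buf. */
size_t remaining_level2(void)
{
    return __builtin_object_size(&var.t.buf[1], 1);
}

/* Mirrors the __strcpy_chk decision: copying src_len bytes plus the
 * terminating NUL into `remaining` bytes is an overflow if it does not fit. */
int overflow_detected(size_t remaining, size_t src_len)
{
    return src_len + 1 > remaining;
}

int main(void)
{
    /* Constructed input: the literal from the answer, 7 chars + NUL = 8 bytes. */
    const char *src = "abcdefg";
    size_t len = strlen(src);

    printf("sizeof(struct S) = %zu, sizeof(var.t.buf) = %zu\n",
           sizeof(struct S), sizeof(var.t.buf));
    printf("_FORTIFY_SOURCE=1 sees %zu bytes left -> overflow: %s\n",
           remaining_level1(),
           overflow_detected(remaining_level1(), len) ? "yes" : "no");
    printf("_FORTIFY_SOURCE=2 sees %zu bytes left -> overflow: %s\n",
           remaining_level2(),
           overflow_detected(remaining_level2(), len) ? "yes" : "no");
    return 0;
}
```

Level 1 reports the bytes left in the whole of `var` (31 on a 32-byte layout), so an 8-byte copy is accepted even though it runs past `t.buf` into `t.x`; level 2 reports only the 4 bytes left in `t.buf`, so the same copy is rejected. This is also why `_FORTIFY_SOURCE=2` can break code that deliberately writes across struct members through a pointer to an inner array.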
