Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Control: tags -1 - moreinfo
Hi Marcos and Marc,
Your request is received. Thanks for providing extensive detail and
adding more where questions have been asked. Can we all slow down a bit
to avoid getting repetitive?
I am removing the moreinfo tag for now as we need a bit of time to
digest what's there.
Marc, in
https://lore.kernel.org/all/aLan9S_47ERx69xO@torres.zugschlus.de/ you
say that you require a TC maintainer override to implement the change
whereas in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#15
you suggest that TC advice would be sufficient to you. Can you clarify
which procedural level you require here?
From a technical point of view, I note that -fcf-protection is not
enabled for i386 at the toolchain level for any Debian release. It was
added to the default flags for amd64 in trixie. This wasn't fully
evident from the discussion to me. It really is sudo that is adding this
flag.
https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u1/m4/hardening.m4#L108
There seem to be two major arguments involved both of which I have not
yet verified in depth.
1. The -fcf-protection flag bears no benefit in 32bit user applications.
2. The ENDBR32 instruction inserted by -fcf-protection is not supported
in some CPUs that were considered supported by bookworm's baseline.
In principle, this is a baseline violation and would usually be
considered a release-critical bug.
An argument against this change is that bookworm was released more
than two years ago and that indicates that the number of systems
affected by this problem cannot be huge.
Christoph, Paul, Stefano, you've all been replying quickly. Would any of
you have capacity to take the moderation role? I prefer not to at
this time.
Helmut
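Added example, not part of the bug thread or of the sudo package: a small POSIX shell script that counts ENDBR32 (f3 0f 1e fb) and ENDBR64 (f3 0f 1e fa) encodings in a binary using only od, tr and grep, so a maintainer can check whether a given sudo build on i386 actually contains the instruction the thread is arguing about. The function names, the constructed sample bytes and the optional gcc compile demo are assumptions of this example; the usual equivalent with binutils is `objdump -d sudo | grep -c endbr32`.

```shell
#!/bin/sh
# Added example (not from the bug thread or from sudo): scan a binary for
# ENDBR32/ENDBR64 by their fixed byte encodings. Works without binutils.
set -eu

# Architectural encodings (Intel SDM): ENDBR32 = f3 0f 1e fb, ENDBR64 = f3 0f 1e fa.
# Point 2 of the thread is about CPUs that do not accept this encoding at all.
count_pattern() {
    # $1 = file, $2 = space-separated lowercase hex bytes, e.g. "f3 0f 1e fb".
    # od emits one byte per token; the leading space in the grep pattern anchors
    # the match to a byte boundary, so "f3 0f 1e fb" split by a stray byte
    # (see the decoy below) does not count.
    od -An -v -tx1 "$1" | tr -s ' \n' ' ' | grep -o " $2" | wc -l | tr -d ' '
}

count_endbr32() { count_pattern "$1" "f3 0f 1e fb"; }
count_endbr64() { count_pattern "$1" "f3 0f 1e fa"; }

# Constructed sample (assumption, not a real sudo binary): two ENDBR32, one
# ENDBR64, one decoy with the sequence broken by a 0x90, plus some filler.
# Octal escapes are used because POSIX printf does not guarantee \x escapes.
make_sample() {
    # $1 = output path
    printf '\363\017\036\373\125\211\345'      > "$1"   # endbr32; push ebp; mov ebp,esp
    printf '\220\363\017\036\372\110\211\345' >> "$1"   # nop; endbr64; mov rbp,rsp
    printf '\363\017\220\036\373'             >> "$1"   # decoy: f3 0f 90 1e fb, not ENDBR32
    printf '\363\017\036\373\303'             >> "$1"   # endbr32; ret
}

# Optional demo: if a multilib gcc is available, report how many ENDBR32 a tiny
# 32-bit object built with -fcf-protection (the flag sudo's hardening.m4 adds)
# contains. Skipped silently when gcc or the 32-bit multilib is missing.
demo_compile() {
    dir=$(mktemp -d)
    printf 'int f(int x) { return x + 1; }\n' > "$dir/t.c"
    if gcc -m32 -fcf-protection -c "$dir/t.c" -o "$dir/t.o" 2>/dev/null; then
        echo "endbr32 markers in 32-bit object built with -fcf-protection: $(count_endbr32 "$dir/t.o")"
    else
        echo "no 32-bit gcc available; compile demo skipped"
    fi
    rm -rf "$dir"
}

sample=$(mktemp)
make_sample "$sample"
echo "sample: endbr32=$(count_endbr32 "$sample") endbr64=$(count_endbr64 "$sample")"
rm -f "$sample"
demo_compile
```

Run it against an installed binary with `count_endbr32 /usr/bin/sudo` after sourcing the file; a non-zero count on an i386 build means the binary will execute the f3 0f 1e fb encoding at function entry, which is exactly what the baseline question in this bug turns on.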