Bug#1113774: Disabling -fcf-protection in sudo for bookworm
Hello,

On Tue, Sep 02, 2025 at 06:28:12PM +0200, Helmut Grohne wrote:
> Marc, in
> https://lore.kernel.org/all/aLan9S_47ERx69xO@torres.zugschlus.de/ you
> say that you require a TC maintainer override to implement the change
> whereas in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#15
> you suggest that TC advice would be sufficient to you. Can you clarify
> which procedural level you require here?

I would be fine with everything. Advice would be good for the beginning. Maybe I end up convinced and then would not need to be overridden. I don't know enough about the issue to have a firm opinion yet. Your expertise is appreciated.

> From a technical point of view, I note that -fcf-protection is not
> enabled for i386 at the toolchain level for any Debian release. It was
> added to the default flags for amd64 in trixie.  This wasn't fully
> evident from the discussion to me. It really is sudo that is adding this
> flag.
> https://sources.debian.org/src/sudo/1.9.13p3-1%2Bdeb12u1/m4/hardening.m4#L108

sudo upstream did that back in 2021. The submitter of this TC bug report convinced upstream to only enable this on x86_64 recently. I don't know whether this makes sense; upstream accepted the patch. Who am I to argue with upstream?

This however will never apply to oldstable, which the submitter wants changed.

> There seem to be two major arguments involved both of which I have not
> yet verified in depth.
> 
> 1. The -fcf-protection flag bears no benefit in 32bit user applications.
> 2. The ENDBR32 instruction inserted by -fcf-protection is not supported
>    in some CPUs that were considered supported by bookworm's baseline.
> 
> In principle, this is a baseline violation and would usually be
> considered a release-critical bug.

In sudo? In the toolchain? In whatever provides -fcf-protection?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
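The thread turns on whether a shipped binary actually carries the ENDBR32 instructions that -fcf-protection inserts, and whether its GNU property note advertises IBT. The following checker is an added example for verifying that on a local binary; it is not code from the bug report, from sudo or from GCC. It assumes only public, stable constants: the ENDBR32/ENDBR64 opcode bytes (f3 0f 1e fb / f3 0f 1e fa), the NT_GNU_PROPERTY_TYPE_0 note layout with GNU_PROPERTY_X86_FEATURE_1_AND (0xc0000002, bit 0 = IBT, bit 1 = SHSTK), and the little-endian ELF32/ELF64 header offsets. The function and variable names are the example's own.

```python
"""Report CET/IBT markers in an x86 ELF object (added example, not from sudo).

Two independent checks, so a result can be cross-checked:
  1. the .note.gnu.property section: GCC's -fcf-protection emits an
     x86 FEATURE_1_AND property whose bits advertise IBT and SHSTK;
  2. a byte scan of executable sections for ENDBR32 / ENDBR64 opcodes.
"""
import struct
import sys

ENDBR32 = b"\xf3\x0f\x1e\xfb"   # ENDBR32 opcode bytes (32-bit code)
ENDBR64 = b"\xf3\x0f\x1e\xfa"   # ENDBR64 opcode bytes (64-bit code)
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT = 1 << 0
FEATURE_1_SHSTK = 1 << 1
EM_386, EM_X86_64 = 3, 62
SHT_PROGBITS, SHF_EXECINSTR = 1, 0x4


def count_endbr(code: bytes) -> dict:
    """Count ENDBR32/ENDBR64 byte patterns in a code blob.

    A raw byte scan can also match the pattern inside another
    instruction's immediate, so treat the counts as an indicator of
    whether the compiler emitted landing pads, not as a disassembly."""
    return {"endbr32": code.count(ENDBR32), "endbr64": code.count(ENDBR64)}


def parse_gnu_property(note: bytes, elfclass: int) -> dict:
    """Parse a .note.gnu.property section and return the x86 FEATURE_1_AND bits.

    Note name and descriptor are padded to 4 bytes; inside the descriptor
    each pr_data field is padded to 8 bytes on ELF64 and 4 on ELF32."""
    pr_align = 8 if elfclass == 64 else 4
    flags = {"present": False, "ibt": False, "shstk": False}
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3
        desc = note[off:off + descsz]
        off += (descsz + 3) & ~3
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            data = desc[p:p + pr_datasz]
            p += (pr_datasz + pr_align - 1) & ~(pr_align - 1)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz >= 4:
                bits = struct.unpack_from("<I", data)[0]
                flags.update(present=True,
                             ibt=bool(bits & FEATURE_1_IBT),
                             shstk=bool(bits & FEATURE_1_SHSTK))
    return flags


def inspect_elf(data: bytes) -> dict:
    """Run both checks over an in-memory little-endian x86 ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("only little-endian ELF is handled here")
    elfclass = 64 if data[4] == 2 else 32
    machine = struct.unpack_from("<H", data, 0x12)[0]
    if machine not in (EM_386, EM_X86_64):
        raise ValueError("ENDBR/IBT are x86-only; e_machine=%d" % machine)
    if elfclass == 64:
        shoff = struct.unpack_from("<Q", data, 0x28)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        fmt = "<IIQQQQ"   # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    else:
        shoff = struct.unpack_from("<I", data, 0x20)[0]
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        fmt = "<IIIIII"
    headers = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    _, _, _, _, stroff, strsize = headers[shstrndx]
    strtab = data[stroff:stroff + strsize]

    def secname(idx):
        return strtab[idx:strtab.index(b"\0", idx)].decode()

    result = {"elfclass": elfclass, "endbr32": 0, "endbr64": 0,
              "property": {"present": False, "ibt": False, "shstk": False}}
    for name_idx, sh_type, sh_flags, _, offset, size in headers:
        body = data[offset:offset + size]
        if secname(name_idx) == ".note.gnu.property":
            result["property"] = parse_gnu_property(body, elfclass)
        elif sh_type == SHT_PROGBITS and sh_flags & SHF_EXECINSTR:
            counts = count_endbr(body)
            result["endbr32"] += counts["endbr32"]
            result["endbr64"] += counts["endbr64"]
    return result


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(inspect_elf(fh.read()))
```

Run it as `python3 cet_check.py /usr/bin/sudo` (or on an i386 build of the binary): an i386 object built with -fcf-protection shows a non-zero `endbr32` count together with `ibt: True` in the property note, while a build with the flag disabled shows neither. Agreement between the two checks is what to look for; a handful of ENDBR matches with no property note usually means incidental byte coincidences rather than CET instrumentation.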