On Mon, Sep 05, 2022 at 10:44:52PM +0200, Felix Potthast wrote: > i just stumbled upon the fact that debian doesn't yet make use of the > Intel CET security feature, while many other distributions > (Ubuntu, Fedora, Suse, Arch Linux) do. > > The idea is to insert endbr instructions, > (which are just NOPs on older CPUs) at the beginning > of functions to identify valid call targets to mitigate > ROP attacks. > > You can do a quick test with > > objdump -d /usr/bin/mv | grep endbr | wc -l > > which outputs a nonzero number if the feature is used. It's indeed nonzero on my testing and sid machines, with coreutils 8.32-4.1. In which version is it zero? -- WBR, wRAR
Attachment:
signature.asc
Description: PGP signature