
Re: Illegal Instruction Using sudo in Bookworm on i686



On Thu, Aug 21, 2025 at 04:48:35PM +0200, Marcos Del Sol Vives wrote:
> I've recently acquired a Vortex86DX3 machine and found out about this bug. This
> machine, while even being SSE1-capable, crashes with a SIGILL if ENDBR32
> instructions are encountered. So far, sudo has been the only issue I've
> encountered.
>
> I am working on getting a patch merged on the Linux kernel to simply
> skip over these instructions when they raise an exception, and another
> kernel developer was confused to see ENDBR32 in IA32 because the kernel's
> IA32 vDSO is not CET-compliant, so CET would AFAIK not protect against
> anything in an IA32 environment (or IA32 running under IA64):
> https://lore.kernel.org/all/9EDED468-AB68-4558-8D94-C3756170C364@zytor.com/
>
> Would it be acceptable to, rather than disable it entirely as previously
> proposed, enable CET only when compiling for IA64 (amd64), but not for any
> other architecture?
>
> Hardware that supports it for sure would still be protected that way, while
> it would allow running sudo again on older hardware that all other
> Debian packages support just fine.

Please note (and ideally follow) https://www.debian.org/releases/trixie/release-notes/issues.html#reduced-support-for-i386
While you are of course free to file wishlist bugs with any content, anything up to and including *dropping sudo on i386* is currently possible and valid. If you are fine with staying on bookworm or maybe trixie you can recompile sudo with the necessary changes yourself (taking into account possible security updates to it).

--
WBR, wRAR
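Added example, not part of this thread and not code from sudo or Debian: a small Python script that answers the practical question behind the report, "was this binary built with CET?", before it is installed on a CPU that faults on ENDBR32. It does two independent checks: it reads the IBT/SHSTK bits from the GNU_PROPERTY_X86_FEATURE_1_AND property in the ELF `.note.gnu.property` section (the marker the loader and kernel use), and it scans code bytes for the endbr32/endbr64 encodings `f3 0f 1e fb` / `f3 0f 1e fa`, which is what actually raises SIGILL on the Vortex86DX3. The ELF header offsets are the standard gABI ones; the sample note and code bytes at the bottom are constructed inline so the script runs offline.

```python
import struct
import sys

# Note and property constants from the GNU ELF extensions.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0    # compiler emitted endbr32/endbr64
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1  # shadow-stack compatible

# Instruction encodings: without CET they decode as "rep nop"-style NOPs on
# Intel/AMD, but a CPU that rejects the prefix combination raises #UD -> SIGILL.
ENDBR_ENCODINGS = {b"\xf3\x0f\x1e\xfb": "endbr32", b"\xf3\x0f\x1e\xfa": "endbr64"}


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def parse_gnu_property_note(data, elfclass=32):
    """Decode the raw bytes of a .note.gnu.property section.

    Returns {"ibt": bool, "shstk": bool} if an x86 FEATURE_1_AND property is
    present, else {} (a binary with no note was not built with CET markers).
    """
    desc_align = 4 if elfclass == 32 else 8
    off, features = 0, {}
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from("<III", data, off)
        off += 12
        name = data[off:off + namesz]
        off += _align(namesz, 4)
        desc = data[off:off + descsz]
        off += _align(descsz, desc_align)
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        p = 0
        while p + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            p += 8
            pr_data = desc[p:p + pr_datasz]
            p += _align(pr_datasz, desc_align)
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                bits = struct.unpack("<I", pr_data)[0]
                features["ibt"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_IBT)
                features["shstk"] = bool(bits & GNU_PROPERTY_X86_FEATURE_1_SHSTK)
    return features


def find_endbr(code):
    """Return [(offset, mnemonic), ...] for every endbr32/endbr64 byte pattern."""
    hits = []
    for pattern, name in ENDBR_ENCODINGS.items():
        start = 0
        while (i := code.find(pattern, start)) != -1:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)


def elf_gnu_property_note(path):
    """Minimal little-endian ELF32/ELF64 parser: return (.note.gnu.property bytes, elfclass)."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass = 32 if data[4] == 1 else 64
    if elfclass == 32:
        (shoff,) = struct.unpack_from("<I", data, 0x20)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x2E)
        shdr_fmt = "<IIIIII"  # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    else:
        (shoff,) = struct.unpack_from("<Q", data, 0x28)
        shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
        shdr_fmt = "<IIQQQQ"

    def shdr(i):
        return struct.unpack_from(shdr_fmt, data, shoff + i * shentsize)

    stroff = shdr(shstrndx)[4]
    for i in range(shnum):
        name_off, _, _, _, off, size = shdr(i)
        end = data.index(b"\0", stroff + name_off)
        if data[stroff + name_off:end] == b".note.gnu.property":
            return data[off:off + size], elfclass
    return b"", elfclass


# Constructed sample data (not taken from any real binary):
# an ELF32 note advertising IBT|SHSTK, and a tiny function prologue starting with endbr32.
SAMPLE_CET_NOTE = (struct.pack("<III", 4, 12, NT_GNU_PROPERTY_TYPE_0) + b"GNU\0"
                   + struct.pack("<III", GNU_PROPERTY_X86_FEATURE_1_AND, 4, 3))
SAMPLE_CODE = b"\xf3\x0f\x1e\xfb\x55\x89\xe5\x5d\xc3"  # endbr32; push ebp; mov ebp,esp; pop ebp; ret

if __name__ == "__main__":
    if len(sys.argv) > 1:
        note, cls = elf_gnu_property_note(sys.argv[1])
        print(f"{sys.argv[1]}: ELF{cls}, properties={parse_gnu_property_note(note, cls)}")
    else:
        print("sample note:", parse_gnu_property_note(SAMPLE_CET_NOTE))
        print("sample code:", find_endbr(SAMPLE_CODE))
```

Run it as `python3 cetcheck.py /usr/bin/sudo`; an i386 build that reports `ibt: True` will carry ENDBR32 at every indirect-call target and is the case the report above describes. Scanning raw `.text` bytes with `find_endbr` is the cheaper cross-check when the note is missing or stripped, at the cost of occasional false positives from data that happens to contain the pattern.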
