Your message dated Thu, 01 May 2025 14:47:25 +0200 (CEST)
with message-id <20250501124725.cc366be2...@eldamar.lan>
and subject line Closing this bug (BTS maintenance for src:linux bugs)
has caused the Debian Bug report #998653,
regarding linux: Please enable ZERO_CALL_USED_REGS to reduce ROP probability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
998653: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998653
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: linux
Version: 5.15-1~exp1
Severity: wishlist
Hi, the option ZERO_CALL_USED_REGS will improve kernel security by
reducing the amount of available ROP gadgets by 20% on average in
the Linux kernel. Currently the option is not enabled in Debians
experimental kernel config. Please enable it if you consider build
size to be reasonable on all architectures.
The option requires building with GCC11 or a compiler that support
-fzero-call-user-regs.
Here is a comparison between the amount of unique ROP gadgets found
compared between a kernel build without CALL_USED_REGS in two
different ROP gadget scanning tools.
rp++ is a popular ROP scanning tool due to its ability to find many
different gadgets.
$ wc -l vmlinux-5.15-zero-regs-rp++-rop
249527 vmlinux-5.15-zero-regs-rp++-rop
$ wc -l vmlinux-5.15-skip-rp++-rop
326214 vmlinux-5.15-skip-rp++-rop
The tool ROPgadget is popular due to its ability to automatically
build ROP chains for a statically linked target.
vmlinux-5.15-zero-regs:
Unique gadgets found: 136014
No automatic chain building possible.
vmlinux-5.15-skip:
Unique gadgets found: 214104
Automatich chain building of gadgets possible.
Thank you!
Best regards Christoffer Kugg Jerkeby
--- End Message ---
--- Begin Message ---
Hi
This bug was filed for a (very) old kernel or the bug is old itself
without resolution. Maybe it was for a feature enablement which nobody
acted on. We are sorry we were not able to timely deal with this issue.
There are many open bugs for the src:linux package and thus we are
closing older bugs where it's unclear if they still occur in newer
versions and are still relevant to the reporter. For an overview see:
https://bugs.debian.org/src:linux .
If you can reproduce your issue with
- the current version in unstable/testing
- the latest kernel from backports
or, if it was a feature addition/wishlist and still consider it
relevant, then:
Please reopen the bug, see https://www.debian.org/Bugs/server-control
for details.
Please try to provide as much fresh details including kernel logs where
relevant. In particular were an issue is coupled with specific hardware we
might ask you to do additional debugging on your side as the owner of the
hardware.
Regards,
Salvatore
--- End Message ---
