> On Tue, 17 Oct 2023 10:57:41 -0500, Justin <r...@neoquasar.org> wrote:
>> Similar issue in Gentoo:
>> https://bugs.gentoo.org/show_bug.cgi?id=862201
>>
>> Similar issue in FreeBSD, more recent, but different processor:
>> https://forums.freebsd.org/threads/illegal-instruction-after-12-4-upgrade-i386.89353/
>>
>> Relevant GCC commit:
>> https://gcc.gnu.org/git/gitweb.cgi?p=gcc.git;h=77d372abec0fbf2cfe922e3140ee3410248f979e
>
> The corresponding Debian issues are probably #1004893 and #1043281
> which was boiled down to a GCC issue, #1005863 and
> https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104713
>
> As the sudo maintainer, I am reluctant to turn off a hardening feature
> to support ancient CPUs. I would be reluctant to do that for a normal
> package, but ESPECIALLY for a package like sudo which is installed
> nearly everywhere and contains an suid root binary.
>
> I am willing to consider arguments and Ctte advice, but as things are
> now I am fine with the current state.

Hello.

I've recently acquired a Vortex86DX3 machine and found out about this bug. This machine, while even being SSE1-capable, crashes with a SIGILL if ENDBR32 instructions are encountered. So far, sudo has been the only issue I've encountered.

I am working on getting a patch merged into the Linux kernel to simply skip over these instructions when they raise an exception, and another kernel developer was confused to see ENDBR32 in IA32 because the kernel's IA32 vDSO is not CET-compliant, so CET would AFAIK not protect against anything in an IA32 environment (or IA32 running under IA64):
https://lore.kernel.org/all/9eded468-ab68-4558-8d94-c3756170c...@zytor.com/

Would it be acceptable to, rather than disable it entirely as previously proposed, enable CET only when compiling for IA64 (amd64), but not for any other architecture? Hardware that supports it for sure would still be protected that way, while it would allow running sudo again on older hardware that all other Debian packages support just fine.

Greetings,
Marcos