Your message dated Wed, 3 Sep 2025 16:37:57 +0200
with message-id <[email protected]>
and subject line Close #1113862
has caused the Debian Bug report #1113862,
regarding Replace -fcf-protection=full with -fcf-protection=return
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1113862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113862
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg-dev
Priority: wishlist

Hello everyone.

I have been instructed by Helmut Grohne from the technical committee
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#126)
to open a bug here to ask for a change in the current hardening defaults
of Debian for sid and future stable releases.

Currently, on amd64 and i386 as of Trixie, packages are being built by
default with -fcf-protection=full. This results in shadow stacks and IBT
(branch tracking) being enabled on binaries.

The issue is that, right now, user-mode applications running in the Linux
kernel in 64-bit mode only support shadow stacks. IBT protection is only
supported in the kernel, thus compiling user-mode applications with IBT
enabled results simply in an increased code size (due to generated ENDBR
landing instructions), all while offering no security improvements.

This is stated in the kernel documentation
(https://docs.kernel.org/next/x86/shstk.html):

> Today in the 64-bit kernel, only userspace shadow stack and kernel IBT
> are supported.

32-bit applications (either in native 32-bit mode or running under a 64-bit
kernel) support neither shadow stacks nor IBT.

I have provided in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1113774#96
a very simple program alongside compilation instructions that proves that this
is the case.

By changing the default from -fcf-protection=full to -fcf-protection=return
(which only enables shadow stacks), the users would still experience the
exact same protection as they have right now, while generating smaller
binaries.

--- End Message ---
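The report above turns on which CET features a binary declares through its .note.gnu.property section: -fcf-protection=full marks both IBT and SHSTK, while -fcf-protection=return marks only SHSTK. The following is an added example (not code from the bug report or from dpkg-dev) that decodes that note so a maintainer can check what a built binary actually claims. It assumes little-endian ELF64 input, uses the GNU property constants from the x86 psABI (NT_GNU_PROPERTY_TYPE_0, GNU_PROPERTY_X86_FEATURE_1_AND, PT_GNU_PROPERTY), and constructs its sample notes inline rather than reading them from a real build.

```python
"""Decode the x86 CET feature bits an ELF binary declares in .note.gnu.property.

Added example; the constants come from the x86-64 psABI GNU property notes.
"""
import struct
import sys

NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
GNU_PROPERTY_X86_FEATURE_1_IBT = 1 << 0      # set by -fcf-protection=branch or =full
GNU_PROPERTY_X86_FEATURE_1_SHSTK = 1 << 1    # set by -fcf-protection=return or =full
PT_GNU_PROPERTY = 0x6474E553                 # program header covering the note
ELFCLASS64 = 2
ELFDATA2LSB = 1


def parse_property_note(note: bytes, align: int = 8) -> int:
    """Return the FEATURE_1_AND bitmask found in a .note.gnu.property blob,
    or 0 if no such property is present. `align` is 8 for ELF64, 4 for ELF32."""
    off = 0
    while off + 12 <= len(note):
        namesz, descsz, ntype = struct.unpack_from("<III", note, off)
        off += 12
        name = note[off:off + namesz]
        off += (namesz + 3) & ~3                       # owner name padded to 4
        desc = note[off:off + descsz]
        off += (descsz + align - 1) & ~(align - 1)     # descriptor padded to align
        if ntype != NT_GNU_PROPERTY_TYPE_0 or name != b"GNU\0":
            continue
        # The descriptor is a sequence of (pr_type, pr_datasz, pr_data) entries.
        doff = 0
        while doff + 8 <= len(desc):
            pr_type, pr_datasz = struct.unpack_from("<II", desc, doff)
            doff += 8
            if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                return struct.unpack_from("<I", desc, doff)[0]
            doff += (pr_datasz + align - 1) & ~(align - 1)
    return 0


def describe_features(mask: int) -> dict:
    """Map the raw bitmask to the two CET features the bug report discusses."""
    return {
        "ibt": bool(mask & GNU_PROPERTY_X86_FEATURE_1_IBT),
        "shstk": bool(mask & GNU_PROPERTY_X86_FEATURE_1_SHSTK),
    }


def build_property_note(mask: int, align: int = 8) -> bytes:
    """Construct a .note.gnu.property blob with a single FEATURE_1_AND entry.
    Used only to build sample input for this example; a real toolchain emits it."""
    pr_data = struct.pack("<I", mask)
    pr_data += b"\0" * (-len(pr_data) % align)
    desc = struct.pack("<II", GNU_PROPERTY_X86_FEATURE_1_AND, 4) + pr_data
    name = b"GNU\0"
    hdr = struct.pack("<III", len(name), len(desc), NT_GNU_PROPERTY_TYPE_0)
    return hdr + name + desc


def features_of_elf(path: str) -> dict:
    """Locate the PT_GNU_PROPERTY segment of a little-endian ELF64 file and decode it."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled by this example")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", data, base)[0]
        if p_type == PT_GNU_PROPERTY:
            p_offset = struct.unpack_from("<Q", data, base + 8)[0]
            p_filesz = struct.unpack_from("<Q", data, base + 32)[0]
            note = data[p_offset:p_offset + p_filesz]
            return describe_features(parse_property_note(note))
    return describe_features(0)   # no property note: neither feature declared


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(features_of_elf(sys.argv[1]))
    else:
        # Constructed samples standing in for a =full build and a =return build.
        full = build_property_note(GNU_PROPERTY_X86_FEATURE_1_IBT | GNU_PROPERTY_X86_FEATURE_1_SHSTK)
        ret = build_property_note(GNU_PROPERTY_X86_FEATURE_1_SHSTK)
        print("-fcf-protection=full   ->", describe_features(parse_property_note(full)))
        print("-fcf-protection=return ->", describe_features(parse_property_note(ret)))
```

Run with a path to any ELF64 binary to see what it declares; `readelf -n` on the same file shows the equivalent "x86 feature:" line. The note only records what the toolchain marked, which is exactly the distinction the report makes: a binary marked IBT still gains nothing at runtime where the kernel does not enable userspace IBT, whereas the SHSTK bit is what the kernel consults before enabling a shadow stack for the process.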
--- Begin Message ---
Accidental duplicate of #1113864

--- End Message ---
