On a Geode LX (i686 without PAE), the most recent sudo dumps core. dmesg shows the following:
# dmesg | grep traps
[ 150.890563] traps: sudo[729] trap invalid opcode ip:44ffa0 sp:bfd59cfc error:0 in sudo[44f000+27000]
[ 154.997101] traps: sudo[745] trap invalid opcode ip:461fa0 sp:bfd5a77c error:0 in sudo[461000+27000]
[ 195.085329] traps: sudo[813] trap invalid opcode ip:4b6fa0 sp:bfa918ec error:0 in sudo[4b6000+27000]
[ 227.145870] traps: sudo[842] trap invalid opcode ip:48ffa0 sp:bfd9978c error:0 in sudo[48f000+27000]
[ 419.727558] traps: sudo[1640] trap invalid opcode ip:412fa0 sp:bff2567c error:0 in sudo[412000+27000]
[ 421.724746] traps: sudo[1644] trap invalid opcode ip:49cfa0 sp:bfa5adac error:0 in sudo[49c000+27000]
# coredumpctl debug 1644
PID: 1644 (sudo)
UID: 1000 (perkelix)
GID: 1000 (perkelix)
Signal: 4 (ILL)
Timestamp: Thu 2022-02-03 09:01:49 EET (4min 26s ago)
Command Line: sudo journalctl --vacuum-time=1d
Executable: /usr/bin/sudo
Control Group: /user.slice/user-1000.slice/session-1.scope
Unit: session-1.scope
Slice: user-1000.slice
Session: 1
Owner UID: 1000 (perkelix)
Boot ID: a9bc307137484b5ea8737cdcfb628610
Machine ID: 1063a9d1fb9df6e371ea9f94491345ed
Hostname: geode
Storage: /var/lib/systemd/coredump/core.sudo.1000.a9bc307137484b5ea8737cdcfb628610.1644.1643871709000000.zst (present)
Disk Size: 33.6K
Message: Process 1644 (sudo) of user 1000 dumped core.
Module linux-gate.so.1 with build-id 598c8083710539a0d5fb3baab6246b053a769e43
Module libpthread.so.0 with build-id e86be904a5d7f0b52cb0a3a729049909a548e3e9
Module ld-linux.so.2 with build-id bba92aa07f95103e1f37c78065e5a29bf3772ad4
Module libdl.so.2 with build-id 3d4e397859cdd91bfbaa59627813192469087b5e
Module libpcre2-8.so.0 with build-id a4df58fa222acba18708316d4a6b451ad7b173db
Module libcap-ng.so.0 with build-id aa6038a53112df6f372332a19d44df3f0226cf3e
Module libc.so.6 with build-id 0664ee9761108af17a12afc957834a09b9efa606
Module libsudo_util.so.0 with build-id 9365ea68f3d56343b5f0ec16a88c8f3bae8ae8a5
Module libutil.so.1 with build-id a4b03373737eb0b3b68d111d33b652def5d48304
Module libselinux.so.1 with build-id a3e4158f4327b4f6836562f4f9808260e2b626f8
Module libaudit.so.1 with build-id 5a935b323c041a7ebbb4f03d7a3ef06be7888913
Module sudo with build-id a564233ee048049a8da1f14f4bf78238e1cdaadd
Stack trace of thread 1644:
#0 0x000000000049cfa0 n/a (sudo + 0x4fa0)
#1 0x00000000b7d2f905 __libc_start_main (libc.so.6 + 0x1e905)
#2 0x000000000049f791 n/a (sudo + 0x7791)
ELF object binary architecture: Intel 80386
GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/sudo...
(No debugging symbols found in /usr/bin/sudo)
[New LWP 1644]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Core was generated by `sudo journalctl --vacuum-time=1d'.
Program terminated with signal SIGILL, Illegal instruction.
#0 0x0049cfa0 in ?? ()
(gdb) bt full
#0 0x0049cfa0 in ?? ()
No symbol table info available.
#1 0xb7d2f905 in __libc_start_main (main=0x49cfa0, argc=3, argv=0xbfa5ae54, init=0x4c2e50, fini=0x4c2eb0, rtld_fini=0xb7fb9480 <_dl_fini>, stack_end=0xbfa5ae4c)
at ../csu/libc-start.c:332
self = <optimized out>
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 3, 4847456, 0, -1612358959, 1901020865}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0xb7fda000}, data = {prev = 0x0,
cleanup = 0x0, canceltype = 0}}}
not_first_call = <optimized out>
#2 0x0049f791 in ?? ()
No symbol table info available.
(gdb) quit
-- System Information:
Debian Release: bookworm/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'stable-security'), (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 5.15.0-3-686 (SMP w/1 CPU thread)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8), LANGUAGE=fi:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sudo depends on:
ii init-system-helpers 1.61
ii libaudit1 1:3.0.6-1+b1
ii libc6 2.33-5
ii libpam-modules 1.4.0-11
ii libpam0g 1.4.0-11
ii libselinux1 3.3-1+b1
ii lsb-base 11.1.0
ii zlib1g 1:1.2.11.dfsg-2
sudo recommends no packages.
sudo suggests no packages.
-- Configuration Files:
/etc/sudoers [Errno 13] Lupa evätty: '/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Lupa evätty: '/etc/sudoers.d/README'
-- no debconf information
Just for the record, the current i386 sudo was built on x86-ubc-02, Logs https://buildd.debian.org/status/logs.php?pkg=sudo&ver=1.9.9-1&arch=i386 I guess this might be a toolchain or autobuilder issue. Greetings Marc
On Thu, Feb 3, 2022 at 9:41 AM Marc Haber <mh+debian-packages@zugschlus.de> wrote: The log suggests that this was built on an amd64 host configured with a 386 chroot. This might explain it. Putting the port maintainers in CC. Martin-Éric
Hi, Kernel taint flags: TAINT_CPU_OUT_OF_SPEC Is Geode LX a supported machine in Bullseye in the first place? I understand that the ALIX boards use that CPU and that they are rather widely deployed, but... Greetings Marc
On Thu, Feb 3, 2022 at 9:55 AM Martin-Éric Racine <martin-eric.racine@iki.fi> wrote:
Now running lintian sudo_1.9.9-1_i386.changes ...
W: sudo-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/52/9f0be3cc3ee3895db3782367a6d5027b490c16.debug]
W: sudo-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/60/b26a463d4e15e03b1cad5bbd3a1c7727374e33.debug]
W: sudo-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/62/e514099b09b5784710801d4ee31c939fa78be2.debug]
W: sudo-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/75/92f631f7e3d7b3d445949b531311bd3c9dfd8d.debug]
W: sudo-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/bf/93824f1972a7ac3e65aa9cc4a2e688719c4218.debug]
W: sudo-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/d0/3d4a21049378634ee409aedd9e737342f022f7.debug]
W: sudo-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/dc/68f81b10cfdf0528275050a5c9f58212c747b7.debug]
W: sudo-ldap-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/09/fd070313d4b734265d870c2a6c3c6ed5aa19af.debug]
W: sudo-ldap-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/64/c8cb86718642d65fc1d409ba1d673c4a8a667d.debug]
W: sudo-ldap-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/7e/ae661fff053994f13f649a30bde394ed533704.debug]
W: sudo-ldap-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/87/15a519ebb851bbeae9dc69da45fce90621f43f.debug]
W: sudo-ldap-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/dc/bc41efaa2f4467cabe9b472ae91056951a0bfe.debug]
W: sudo-ldap-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/e8/be7f62e31944813b3c52f051f8507869aa6550.debug]
W: sudo-ldap-dbgsym: elf-error In program headers: Unable to find program interpreter name [usr/lib/debug/.build-id/e9/e23698273c50a1e632d319e1586a8de59dd38b.debug]
N: 38 hints overridden (28 errors, 6 warnings, 4 info); 0 unused overrides
Finished running lintian.
Martin-Éric
On Thu, Feb 3, 2022 at 10:10 AM Marc Haber <mh+debian-packages@zugschlus.de> wrote: The base level kernel for i386 (linux-image-686) currently is a kernel configured for Geode. CONFIG_MGEODE_LX=y Martin-Éric
See #1000977 and #1000449 tl;dr, that's a binutils bug, which in turn causes those are non-overridable lintian warnings. Greetings Marc
On Thu, Feb 3, 2022 at 10:14 AM Martin-Éric Racine <martin-eric.racine@iki.fi> wrote: Hello again, Is there any progress on this? Have you checked with upstream for possible changes in the code that would explain this? Or have there been recent changes in the i386 port's toolchain defaults? Martin-Éric
Not yet. Can you confirm that old sudo upstream works with the current toolchain? Sadly, I don't have any 32 bit systems left other than some ARMs. I was hoping that the i386 porters would comment on that. Greetings Marc
On Tue, Feb 15, 2022 at 1:23 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: Logged onto my unstable-i386 chroot. $ dget http://deb.debian.org/debian/pool/main/s/sudo/sudo_1.9.5p2-3.dsc Fetched build-deps. $ debuild -uc -us Copied sudo and sudo-dbgsym over to the Geode host. Logged onto the Geode host. $ su dpkg -i sudo*.deb Logged onto Geode host as a normal user. Tried a sudo command. No core dump. Command works as expected. This would suggest upstream changes as the source of the problem. Martin-Éric
Thank you. Two more questions: Can you do actual builds on the Geode box? If so, does the 1.9.9 package also dump core when it was actually built on Geode? Greetings Marc
And, can you try 1.9.8p2-1 from Snapshot? https://snapshot.debian.org/package/sudo/1.9.8p2-1/ Greetings Marc
On Tue, Feb 15, 2022 at 1:47 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: Logged onto Geode host. $ dget http://deb.debian.org/debian/pool/main/s/sudo/sudo_1.9.9-1.dsc Fetched build-deps. $ debuild -uc -us [have plenty of coffee and snacks while things build] Build crashes. See attachment. Martin-Éric
On Tue, Feb 15, 2022 at 1:52 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: This build also crashes. Log attached. Martin-Éric
On Tue, Feb 15, 2022 at 3:04 PM Martin-Éric Racine <martin-eric.racine@iki.fi> wrote: I also tried building that 1.9.8p2-1 on my amd64 host's i386 chroot. It builds, and the binaries don't produce a core dump on the Geode host. Presumably the breakage happened after that release. Hopefully this can help you narrow it down. Martin-Éric
Can you build a small table like sudo version built on works/works not When I do that, there is a possibility that I get it wrong and we have wrong history in the bug report. Thanks for your help, I appreciate that. Greetings Marc
On Tue, Feb 15, 2022 at 8:35 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: 1.9.5p2-3 built in unstable i386 chroot (amd64 host) works on Geode host 1.9.8p2-1 built in unstable i386 chroot (amd64 host) works on Geode host 1.9.9-1 built in unstable i386 chroot (amd64 host) COREDUMPS on Geode host 1.9.8p2-1 FTBFS on Geode testing host (log attached earlier) 1.9.9-1 FTBFS on Geode testing host (log attached earlier) Martin-Éric
I apologize, I didn't see earlier that your builds were already failing at build time. The error is config.status:1474: error: cannot find input file: `plugins/sudoers/sudoers' Was that file actually missing in your build chroot? If not, I don't know what went wrong there. Greetings Marc
On Tue, Feb 15, 2022 at 9:10 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote:
No idea. I unpacked the source and typed debuild. That's all.
However, here's an interesting thing. I tried building 1.9.9-1 again
on the Geode using a good sudo instead of fakeroot. It fails as
follows:
during GIMPLE pass: cunroll
../../../lib/util/event.c: In function ‘sudo_ev_add_v2’:
../../../lib/util/event.c:465:1: internal compiler error: in
graphds_scc, at graphds.c:316
465 | sudo_ev_add_v2(struct sudo_event_base *base, struct sudo_event *ev,
| ^~~~~~~~~~~~~~
0xb7555904 __libc_start_main
../csu/libc-start.c:332
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <file:///usr/share/doc/gcc-11/README.Bugs> for instructions.
The bug is not reproducible, so it is likely a hardware or OS problem.
make[3]: *** [Makefile:653: event.lo] Virhe 1
make[3]: Poistutaan hakemistosta
”/home/perkelix/sudo-1.9.9/build-simple/lib/util”
make[2]: *** [Makefile:108: all] Virhe 2
make[2]: Poistutaan hakemistosta ”/home/perkelix/sudo-1.9.9/build-simple”
dh_auto_build: error: cd build-simple && make -j1 returned exit code 2
make[1]: *** [debian/rules:45: override_dh_auto_build] Virhe 2
make[1]: Poistutaan hakemistosta ”/home/perkelix/sudo-1.9.9”
make: *** [debian/rules:37: build] Virhe 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
Martin-Éric
I think that this refers to gcc, not to sudo. It would probably help to run those with an English locale. Greetings Marc
On Wed, Feb 16, 2022 at 9:11 AM Marc Haber <mh+debian-packages@zugschlus.de> wrote:
Yes, it's a GCC failure while building sudo 1.9.9-1 on the Geode host itself.
/bin/bash ../../libtool --tag=disable-static --mode=compile gcc -c -o
json.lo -I../../../include -I../.. -I. -I../../../lib/util
-D_PATH_SUDO_CONF=\"/etc/sudo.conf\" -Wdate-time -D_FORTIFY_SOURCE=2
-DZLIB_CONST -DDEFAULT_TEXT_DOMAIN=\"sudo\" -g -O2
-ffile-prefix-map=/home/perkelix/sudo-1.9.9=. -fstack-protector-strong
-Wformat -Werror=format-security -Wall -pedantic -fvisibility=hidden
-fPIE -fstack-protector-strong -fstack-clash-protection
-fcf-protection ../../../lib/util/json.c
libtool: compile: gcc -c -I../../../include -I../.. -I.
-I../../../lib/util -D_PATH_SUDO_CONF=\"/etc/sudo.conf\" -Wdate-time
-D_FORTIFY_SOURCE=2 -DZLIB_CONST -DDEFAULT_TEXT_DOMAIN=\"sudo\" -g -O2
-ffile-prefix-map=/home/perkelix/sudo-1.9.9=. -fstack-protector-strong
-Wformat -Werror=format-security -Wall -pedantic -fvisibility=hidden
-fstack-protector-strong -fstack-clash-protection -fcf-protection
../../../lib/util/json.c -fPIC -DPIC -o .libs/json.o
during GIMPLE pass: dom
../../../lib/util/json.c: In function 'json_append_string':
../../../lib/util/json.c:122:1: internal compiler error: in
graphds_scc, at graphds.c:316
122 | json_append_string(struct json_container *json, const char *str)
| ^~~~~~~~~~~~~~~~~~
0xb7574904 __libc_start_main
../csu/libc-start.c:332
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <file:///usr/share/doc/gcc-11/README.Bugs> for instructions.
The bug is not reproducible, so it is likely a hardware or OS problem.
make[3]: *** [Makefile:968: json.lo] Error 1
make[3]: Leaving directory '/home/perkelix/sudo-1.9.9/build-simple/lib/util'
make[2]: *** [Makefile:108: all] Error 2
make[2]: Leaving directory '/home/perkelix/sudo-1.9.9/build-simple'
dh_auto_build: error: cd build-simple && make -j1 returned exit code 2
make[1]: *** [debian/rules:45: override_dh_auto_build] Error 2
make[1]: Leaving directory '/home/perkelix/sudo-1.9.9'
make: *** [debian/rules:37: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
Martin-Éric
That makes it a toolchain issue. This bug has grown huge. Can you please file a new bug against gcc and mark this bug as affected? I am not sure whether it would make sense to clone this monster to gcc. Greetings Marc
On Wed, Feb 16, 2022 at 10:11 AM Marc Haber <mh+debian-packages@zugschlus.de> wrote: Martin-Éric
Hi,
Can you retry building with the lines 4863-4866:
AX_CHECK_LINK_FLAG([-fcf-protection], [
AX_APPEND_FLAG([-fcf-protection], [SSP_CFLAGS])
AX_APPEND_FLAG([-Wc,-fcf-protection], [SSP_LDFLAGS])
])
of configure.ac removed? There is suspicion that the hardening options don't
play too well with Geode LX.
Greetings
Marc
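An added example, not part of any message in this thread: it reduces the `traps:` lines from the original report to an offset inside the faulting mapping and checks whether the bytes there are ENDBR32 (`F3 0F 1E FB`), the function-entry marker GCC emits under `-fcf-protection`, which is encoded in the multi-byte NOP space. The function names are hypothetical, the ELF image is a constructed stand-in for `/usr/bin/sudo`, and that ENDBR32 is the faulting instruction is an assumption the thread does not state.

```python
import re
import struct

# Copied from the dmesg excerpt in the original report.
TRAP_LINES = """\
[ 150.890563] traps: sudo[729] trap invalid opcode ip:44ffa0 sp:bfd59cfc error:0 in sudo[44f000+27000]
[ 154.997101] traps: sudo[745] trap invalid opcode ip:461fa0 sp:bfd5a77c error:0 in sudo[461000+27000]
[ 195.085329] traps: sudo[813] trap invalid opcode ip:4b6fa0 sp:bfa918ec error:0 in sudo[4b6000+27000]
[ 227.145870] traps: sudo[842] trap invalid opcode ip:48ffa0 sp:bfd9978c error:0 in sudo[48f000+27000]
[ 419.727558] traps: sudo[1640] trap invalid opcode ip:412fa0 sp:bff2567c error:0 in sudo[412000+27000]
[ 421.724746] traps: sudo[1644] trap invalid opcode ip:49cfa0 sp:bfa5adac error:0 in sudo[49c000+27000]
"""

TRAP_RE = re.compile(
    r"traps: (?P<comm>\S+)\[(?P<pid>\d+)\] trap invalid opcode "
    r"ip:(?P<ip>[0-9a-f]+) sp:[0-9a-f]+ error:\d+ "
    r"in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]")

ENDBR32 = bytes.fromhex("f30f1efb")  # assumption: this is what the CPU rejected
PT_LOAD, PF_X, PAGE = 1, 1, 0x1000


def fault_offsets(log_text):
    """Return {(object, offset in mapping): [pids]} for each invalid-opcode trap.

    ASLR moves the mapping base on every run, so only ip - base is comparable.
    """
    hits = {}
    for m in TRAP_RE.finditer(log_text):
        off = int(m["ip"], 16) - int(m["base"], 16)
        hits.setdefault((m["obj"], off), []).append(int(m["pid"]))
    return hits


def exec_segment(elf):
    """Return (p_offset, p_filesz) of the first executable PT_LOAD (ELF32, LE)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    e_phoff, = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        p_type, p_offset, _va, _pa, p_filesz, _msz, p_flags, _al = struct.unpack_from(
            "<8I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:
            return p_offset, p_filesz
    raise ValueError("no executable PT_LOAD segment")


def opcode_at_fault(elf, mapping_off, length=4):
    """Bytes at mapping_off inside the text mapping named in the trap line.

    Assumes that mapping is the executable PT_LOAD, which the kernel maps
    starting at the segment's page-aligned file offset.
    """
    p_offset, p_filesz = exec_segment(elf)
    file_off = p_offset - p_offset % PAGE + mapping_off
    if not p_offset <= file_off < p_offset + p_filesz:
        raise ValueError("offset outside the executable segment")
    return elf[file_off:file_off + length]


def diagnose(log_text, elf):
    """Map each distinct fault offset to True when the bytes there are ENDBR32."""
    return {off: opcode_at_fault(elf, off) == ENDBR32
            for (_obj, off) in fault_offsets(log_text)}


def build_sample_elf():
    """Constructed ELF32 stand-in: one R+X segment whose byte 0xfa0 opens a
    function with ENDBR32 followed by push %ebp; mov %esp,%ebp."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                               3, 3, 1, 0x4fa0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0x1000, 0x4000, 0x4000, 0x1000, 0x1000, 5, PAGE)
    text = (b"\x90" * 0xfa0 + ENDBR32 + b"\x55\x89\xe5").ljust(0x1000, b"\xc3")
    return (ehdr + phdr).ljust(0x1000, b"\0") + text


if __name__ == "__main__":
    for (obj, off), pids in fault_offsets(TRAP_LINES).items():
        print(f"{obj}+{off:#x}: {len(pids)} crashes, pids {pids}")
    print(diagnose(TRAP_LINES, build_sample_elf()))
```

All six crashes reduce to the same offset, which points at one fixed instruction rather than memory corruption; to test a real binary, pass its bytes to `diagnose` in place of the constructed image.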
On Wed, Feb 16, 2022 at 6:45 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote:
Btw, the build log has tons of the following:
./configure: cannot duplicate fd -19201 to fd 0: Bad file descriptor
I cannot help but wonder why the build doesn't simply parse
$(HARDENING_CFLAGS) and $(HARDENING_LDFLAGS). Hard-coded hardening
options tend to be a bad idea. GCC supports them all, but the target
host's CPU won't always support them.
during GIMPLE pass: cunroll
../../../lib/util/event.c: In function ‘sudo_ev_add_v2’:
../../../lib/util/event.c:465:1: internal compiler error: in
graphds_scc, at graphds.c:316
465 | sudo_ev_add_v2(struct sudo_event_base *base, struct sudo_event *ev,
| ^~~~~~~~~~~~~~
0xb754d904 __libc_start_main
../csu/libc-start.c:332
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <file:///usr/share/doc/gcc-11/README.Bugs> for instructions.
The bug is not reproducible, so it is likely a hardware or OS problem.
***
diff -Nru sudo-1.9.9/debian/changelog sudo-1.9.9/debian/changelog
--- sudo-1.9.9/debian/changelog 2022-01-31 21:19:55.000000000 +0200
+++ sudo-1.9.9/debian/changelog 2022-02-16 18:56:31.000000000 +0200
@@ -1,3 +1,9 @@
+sudo (1.9.9-1.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+
+ -- Martin-Éric Racine <martin-eric.racine@iki.fi> Wed, 16 Feb 2022
18:56:31 +0200
+
sudo (1.9.9-1) unstable; urgency=medium
* new upstream version
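Review bot: the new 1.9.9-1.1 changelog entry says only "Non-maintainer upload." and does not say what the upload changes. Since this diff adds debian/patches/remove-fcf-protection.patch, the entry should name that patch, state that it drops -fcf-protection from the hardening flags, and reference the bug it addresses.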
diff -Nru sudo-1.9.9/debian/patches/remove-fcf-protection.patch
sudo-1.9.9/debian/patches/remove-fcf-protection.patch
--- sudo-1.9.9/debian/patches/remove-fcf-protection.patch
1970-01-01 02:00:00.000000000 +0200
+++ sudo-1.9.9/debian/patches/remove-fcf-protection.patch
2022-02-16 18:56:31.000000000 +0200
@@ -0,0 +1,42 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ sudo (1.9.9-1.1) UNRELEASED; urgency=medium
+ .
+ * Non-maintainer upload.
+Author: Martin-Éric Racine <martin-eric.racine@iki.fi>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: 2022-02-16
+
+--- sudo-1.9.9.orig/configure.ac
++++ sudo-1.9.9/configure.ac
+@@ -4860,10 +4860,10 @@ if test "$enable_hardening" != "no"; the
+ AX_APPEND_FLAG([-fstack-clash-protection], [SSP_CFLAGS])
+ AX_APPEND_FLAG([-Wc,-fstack-clash-protection], [SSP_LDFLAGS])
+ ])
+- AX_CHECK_LINK_FLAG([-fcf-protection], [
+- AX_APPEND_FLAG([-fcf-protection], [SSP_CFLAGS])
+- AX_APPEND_FLAG([-Wc,-fcf-protection], [SSP_LDFLAGS])
+- ])
++dnl AX_CHECK_LINK_FLAG([-fcf-protection], [
++dnl AX_APPEND_FLAG([-fcf-protection], [SSP_CFLAGS])
++dnl AX_APPEND_FLAG([-Wc,-fcf-protection], [SSP_LDFLAGS])
++dnl ])
+ AX_CHECK_LINK_FLAG([-Wl,-z,relro],
[AX_APPEND_FLAG([-Wl,-z,relro], [LDFLAGS])])
+ AX_CHECK_LINK_FLAG([-Wl,-z,now], [AX_APPEND_FLAG([-Wl,-z,now],
[LDFLAGS])])
+ AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack],
[AX_APPEND_FLAG([-Wl,-z,noexecstack], [LDFLAGS])])
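Review bot: the configure.ac change inside remove-fcf-protection.patch comments out the AX_CHECK_LINK_FLAG([-fcf-protection], ...) block unconditionally, so every build of the package loses this hardening flag, not only builds for the CPU that traps. Consider guarding the check on the target rather than disabling it with dnl, and leave the neighbouring -fstack-clash-protection, relro, now and noexecstack checks untouched as they are here. The DEP-3 header is also still the unfilled template ("Description: <short summary of the patch>", the TODO paragraph, and the placeholder Origin/Bug/Forwarded fields); fill in Description and Bug-Debian and delete the template text below the "---" line.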
diff -Nru sudo-1.9.9/debian/patches/series sudo-1.9.9/debian/patches/series
--- sudo-1.9.9/debian/patches/series 2022-01-31 21:19:55.000000000 +0200
+++ sudo-1.9.9/debian/patches/series 2022-02-16 18:56:31.000000000 +0200
@@ -1,3 +1,4 @@
paths-in-samples.diff
Whitelist-DPKG_COLORS-environment-variable.diff
sudo-ldap-docs
+remove-fcf-protection.patch
Martin-Éric
That would be an upstream issue, I think. Upstream uses bugzilla, so you need an account to submit a bug. Would you want to do that, or can you help me with the wording of a bug report? So it still doesn't build on Geode LX. How about your i386 build chroot? Greetings Marc
On Wed, Feb 16, 2022 at 10:31 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: Builds fine on my i386 chroot (amd64 host) and the resulting binary doesn't dump core when installed on the Geode. Assuming there's no uncovered corner case due to other optimizations, I think we've got a winner. Martin-Éric
Triggered build on a fresh sid install on my Alix board and obtained the attached log file. AFAICT, the compile itself did not produce any errors, but fuzz_sudo_conf causes the known illegal opcode exception. best regards Henning
On 18.02.22 at 15:21, Henning Paul wrote:
root@alix:~# lscpu
Architecture: i586
CPU op-mode(s): 32-bit
Address sizes: 32 bits physical, 32 bits virtual
Byte Order: Little Endian
CPU(s): 1
On-line CPU(s) list: 0
Vendor ID: AuthenticAMD
Model name: Geode(TM) Integrated Processor by AMD PCS
CPU family: 5
Model: 10
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 1
Stepping: 2
BogoMIPS: 996.02
Flags: fpu de pse tsc msr cx8 sep pge cmov clflush mmx mmxext 3dnowext 3dnow cpuid 3dnowprefetch vmmcall
Caches (sum of all):
L1d: 57 KiB (1 instance)
L1i: 57 KiB (1 instance)
L2: 128 KiB (1 instance)
Vulnerabilities:
Itlb multihit: Not affected
L1tf: Not affected
Mds: Not affected
Meltdown: Not affected
Spec store bypass: Vulnerable
Spectre v1: Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Spectre v2: Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Srbds: Not affected
Tsx async abort: Not affected
best regards
Henning
Should that not explicitly say "Geode LX"? And, afaik, the Geode LX is an i686 not an i586 machine? Martin-Éric, what does your lscpu say? Greetings Marc
Hello, On 19.02.22 at 06:30, Marc Haber wrote: I can send you photos of the processor as proof, it says LX on it. IIRC, it doesn't implement all of the i686 instruction set (hence the illegal opcode). regards Henning
Control: tags -1 wontfix
Control: severity -1 minor
thanks
I apologize, but it looks like the Geode LX is no longer among the CPUs
supported in Debian. FWIW, the stretch release notes still mentioned the
Geode LX explicitly in chapters 2.1 and 5.1.7:
2.1:
Support for 32-bit PCs no longer covers vanilla i586
The 32-bit PC support (known as the Debian architecture i386) now no
longer covers a plain i586 processor. The new baseline is the i686,
although some i586 processors (e.g. the “AMD Geode”) will remain
supported.
Please refer to Section 5.1.7, “Minimum requirement for 32-bit Intel
is now i686 (with a minor exception)” for more information.
5.1.7. Minimum requirement for 32-bit Intel is now i686 (with a minor exception)
The 32-bit PC support (known as the Debian architecture i386) now no
longer covers a plain i586 processor. The new baseline is the i686,
although some i586 processors (e.g. the “AMD Geode”) will remain
supported.
Both mentions have vanished from the Release Notes for buster and
bullseye. It looks like this non-support has now manifested itself in
our toolchains using the full i686 instruction set including the opcodes
that the Geode LX does not have.
I therefore apologize for marking this bug wontfix.
If you find any evidence in our docs that the Geode LX should still be
supported in Debian 12, please let me know and I'll happily resume
pursuing this issue.
Greetings
Marc
On Mon, Mar 14, 2022 at 4:21 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: The Geode LX is not a vanilla 586. It is a vanilla 686. The reported CPU variant has simply remained at 586 for reasons only known to AMD. Martin-Éric
According to all docs available to me, it is a vanilla 686 sans
multi-byte NOP ("NOPL").
Greetings
Marc
On Mon, Mar 14, 2022 at 4:30 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: That's correct. No PAE and no NOPL. Martin-Éric
The only piece of evidence I have is that: - Debian explicitly mentioned NOPL-less i686 processors as being supported in stretch AND - this mention vanishing in buster and bullseye Not being a native speaker of English, is there any other possible interpretation of this removal than the retraction of support for NOPL-less i686 processors? I have never seen Debian issue release notes like "the frobnication processor is no longer supported", and i386 being the former mainstream architecture, there is no explicit porter group to talk to. I am afraid that my time resources are limited. If you want continued action on this bug report, please talk to the gcc and/or linux maintainers in Debian and have them tell me that the Geode LX is still supported. I apologize, but I do not intend at the moment to reduce sudo's hardening level just to have it run on Geode LX. Greetings Marc
On Mon, Mar 14, 2022 at 4:39 PM Marc Haber <mh+debian-packages@zugschlus.de> wrote: Possibly. Dropping support for non-PAE i686 has been randomly discussed on mailing lists. However, the base kernel on i386 still is configured for a Geode LX. That's incorrect. Every now and then, architectures drop support for earlier CPU variants and that tends to be mentioned in the release notes. In CC. Martin-Éric
On Mon, Mar 14, 2022 at 4:45 PM Martin-Éric Racine <martin-eric.racine@iki.fi> wrote: FYI, I reported this upstream at: https://github.com/sudo-project/sudo/issues/140 Upstream commented that this seems to really be a GCC issue: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104713 The GCC bug report refers to this Debian bug as an example of what this GCC bug causes. Martin-Éric
Please retry with sudo from trixie and from bookworm-proposed-updates. There might be patches in those versions that might help with this issue. Greetings Marc
On Thu 1.1.2026 at 23.22, Marc Haber (mh+debian-packages@zugschlus.de) wrote: 1.9.13p3-1+deb12u3 seems to fix it. Thanks! Martin-Éric
Version: 1.9.13p3-1+deb12u3 Thank you for reporting back. Greetings Marc
On Fri, 2 Jan 2026 07:48:40 +0100 Marc Haber <mh+debian-packages@zugschlus.de> wrote: Just to check, is the same fix included in more recent releases currently sitting in Testing/Sid or, even better, upstream? Martin-Éric
* Martin-Éric Racine <martin-eric.racine@iki.fi> [260103 15:47]:
to 1.1.2026 klo 23.22 Marc Haber (mh+debian-packages@zugschlus.de) kirjoitti:
^^^^^^^^^^^^^^^^^^^^^^^^^^^
This CPU is unsupported by the entire distro since trixie.
Chris
As far as I know it is upstream. But since i386 is in trixie only for chroots and containers any more, people are unlikely to run a 32bit sudo from younger than bookworm. So, from the Debian point of view, that's just a bookworm only fix. Greetings Marc
On Sat 3.1.2026 at 17.10, Marc Haber (mh+1828mail@zugschlus.de) wrote: Also adding the fix to Trixie would be extremely welcome. Looking at upstream, it seems to have been committed for the upcoming 1.9.18 release, which would take care of Flaky, but leave Trixie unfixed. Martin-Éric
Trixie is not broken. It doesn't support your CPU. Can you install bookworm's sudo, just in the same way you must be using bookworm's kernel? Greetings Marc
On Sat 3.1.2026 at 23.17, Marc Haber (mh+debian-packages@zugschlus.de) wrote: This is not a Geode-specific issue. I have the same problem with a plain old 686-PAE host. As whoever produced the patch pointed out elsewhere, the problem is that without this patch, the binaries use instructions that were introduced a good 20 years after the i686 target architecture. This also affected his VIA hardware that supports the full i686 instruction set. Basically, the sudo in Trixie's i386 port won't work on anything but very late 32-bit hardware such as my old Core-based laptop running Testing with Bookworm kernels. Martin-Éric
Please provide CPU details, cat /proc/cpuinfo, lscpu, etc. For trixie, your hardware must support at least the amd64 baseline. Chris
On Sun 4.1.2026 at 3.15, Chris Hofstaedtler (zeha@debian.org) wrote:
$ cat /proc/cpuinfo
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 8
model name : Pentium III (Coppermine)
stepping : 6
microcode : 0x8
cpu MHz : 865.425
cache size : 256 KB
physical id : 0
siblings : 1
core id : 0
cpu cores : 1
apicid : 0
initial apicid : 0
fdiv_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pse36 mmx fxsr sse cpuid pti
bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds swapgs itlb_multihit mmio_unknown
bogomips : 1730.85
clflush size : 32
cache_alignment : 32
address sizes : 36 bits physical, 32 bits virtual
power management:
There IS an i386 port. It is built for a known 32-bit x86 target. AFAIK that target is i686.
Martin-Éric
Please take this to the ctte after reading the discussion in #1113774. Greetings Marc
Okay, as suspected this is unsupported. You are mistaken. See the release notes explaining the new requirements for the "i386 partial architecture": https://www.debian.org/releases/trixie/release-notes/issues.en.html#reduced-support-for-i386 Best, Chris
On Sun 4.1.2026 at 15.36, Chris Hofstaedtler (zeha@debian.org) wrote: Noted. hardware. Fair enough. That explains why everything still works out of the box on my old Core laptop. One point in that section doesn't make sense: The suggestion to reinstall the host as amd64. For obvious reasons, this won't work on actual 32-bit hardware. Martin-Éric
That suggestion applies to persons who used to run a 32bit Debian on 64bit hardware, for example when the actual installation was once ported to 64bit hardware, or for people who thought that 32bit i386 is more efficient to run on 64bit hardware because "it consume less memory". Greetings Marc
baseline is amd64. Hardware not fulfilling this is unsupported and running Debian in any form on it is unsupported. As such there is no "upgrade advice" for non-amd64 hardware. Bests, Chris