• Bug#1102495: dpkg-dev: -fstack-clash-protection breaks valgrind on armh

    From Andrew Sayers@21:1/5 to All on Wed Apr 9 19:10:01 2025
    XPost: linux.debian.ports.arm, linux.debian.maint.dpkg

    Package: dpkg-dev
    Version: 1.22.18
    Severity: normal
    X-Debbugs-Cc: debian-arm@lists.debian.org
    User: debian-arm@lists.debian.org
    Usertags: armhf

    You're listed as the maintainers for this package on Raspberry Pi OS.
    gcc lets you set `-fstack-clash-protection` on Pi armhf bookworm,
    but doing so causes valgrind errors even in trivial programs:

    $ gcc -fstack-clash-protection -x c - <<EOF
    void empty_function() {}
    int main() {
        empty_function();
        return 0;
    }
    EOF
    $ valgrind ./a.out
    ==19138== Memcheck, a memory error detector
    ==19138== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
    ==19138== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
    ==19138== Command: ./a.out
    ==19138==
    ==19138== Invalid write of size 4
    ==19138== at 0x1041C: main (in /home/andrew/a.out)
    ==19138== Address 0x7db5f2a0 is on thread 1's stack
    ==19138== 8 bytes below stack pointer
    ==19138==
    ==19138==
    ==19138== HEAP SUMMARY:
    ==19138== in use at exit: 0 bytes in 0 blocks
    ==19138== total heap usage: 0 allocs, 0 frees, 0 bytes allocated
    ==19138==
    ==19138== All heap blocks were freed -- no leaks are possible
    ==19138==
    ==19138== For lists of detected and suppressed errors, rerun with: -s
    ==19138== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

    The above may not be reproducible on Debian armhf, because Debian's "armhf" builds use ARMv7, while Raspberry Pi OS builds use ARMv6.

    dpkg-dev passes `-fstack-clash-protection` by default on Raspberry Pi armhf, creating binaries that fail valgrind tests.

    Please disable `-fstack-clash-protection` on Pi armhf (and Debian armhf if
    the issue can be replicated there).

    Could you also let me know whether `HARDENING=+all` should enable unsupported features like this? dpkg-dev(1) implies it would, and the option is therefore harmful. But it's featured prominently on the "Hardening" wiki page, which implies that option should do something useful?


    -- System Information:
    Debian Release: trixie/sid
    APT prefers unstable
    APT policy: (500, 'unstable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.12.17-amd64 (SMP w/4 CPU threads; PREEMPT)
    Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages dpkg-dev depends on:
    ii binutils 2.44-3
    ii bzip2 1.0.8-6
    ii libdpkg-perl 1.22.18
    ii make 4.4.1-1
    ii patch 2.7.6-7
    ii perl 5.40.1-2
    ii tar 1.35+dfsg-3.1
    ii xz-utils 5.6.4-1

    Versions of packages dpkg-dev recommends:
    ii build-essential 12.12
    ii clang-16 [c-compiler] 1:16.0.6-27+b1
    ii clang-17 [c-compiler] 1:17.0.6-21+b1
    ii clang-19 [c-compiler] 1:19.1.7-3
    ii fakeroot 1.37.1-1
    ii gcc [c-compiler] 4:14.2.0-1
    ii gcc-12 [c-compiler] 12.4.0-5
    ii gcc-13 [c-compiler] 13.3.0-13
    ii gcc-14 [c-compiler] 14.2.0-19
    ii gnupg 2.2.46-5
    ii gpgv 2.2.46-5
    ii libalgorithm-merge-perl 0.08-5

    Versions of packages dpkg-dev suggests:
    ii debian-keyring 2024.09.22

    -- no debconf information

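
A triage sketch for the Memcheck output quoted in the report above, added here as an example and not part of the original bug report, dpkg or Valgrind: it parses invalid-access records and separates writes that land on the thread's own stack below the stack pointer (the signature shown in the report) from all other errors. The function names, the heuristic and the second sample record are assumptions of this example; a match is only a candidate and still has to be confirmed by rebuilding without `-fstack-clash-protection`.

```python
import re

# Constructed sample: the first record mirrors the report's Memcheck output,
# the second is a made-up heap error added for contrast.
SAMPLE = """\
==19138== Invalid write of size 4
==19138==    at 0x1041C: main (in /home/andrew/a.out)
==19138==  Address 0x7db5f2a0 is on thread 1's stack
==19138==  8 bytes below stack pointer
==19138==
==19138== Invalid read of size 1
==19138==    at 0x10450: parse (in /home/andrew/a.out)
==19138==  Address 0x4a3f041 is 1 bytes after a block of size 16 alloc'd
"""

PREFIX = re.compile(r"^==\d+==(.*)$")          # Memcheck's "==PID==" line prefix
HEADER = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
ON_STACK = re.compile(r"is on thread \d+'s stack$")
BELOW_SP = re.compile(r"^(\d+) bytes below stack pointer$")

def parse_errors(text):
    """Split Memcheck output into one dict per invalid read/write record."""
    errors, cur = [], None
    for line in text.splitlines():
        m = PREFIX.match(line.strip())
        if not m:
            continue                # program output, not a Memcheck line
        body = m.group(1).strip()   # tolerate collapsed or original indentation
        if (head := HEADER.match(body)):
            cur = {"access": head.group(1), "size": int(head.group(2)),
                   "function": None, "on_stack": False, "below_sp": None}
            errors.append(cur)
        elif not body:
            cur = None              # a bare "==PID==" line ends the record
        elif cur is not None:
            if cur["function"] is None and (f := FRAME.match(body)):
                cur["function"] = f.group(1)   # innermost frame only
            cur["on_stack"] |= bool(ON_STACK.search(body))
            if (b := BELOW_SP.match(body)):
                cur["below_sp"] = int(b.group(1))
    return errors

def triage(text):
    """Return (writes to the thread's own stack below SP, all other records)."""
    hits, rest = [], []
    for e in parse_errors(text):
        match = e["access"] == "write" and e["on_stack"] and e["below_sp"] is not None
        (hits if match else rest).append(e)
    return hits, rest
```

Records in the second list do not match the report's signature and should be investigated as ordinary Memcheck errors.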