Date: Thu, 16 May 2024 12:20:19 -0700
From: Kees Cook <keescook@...omium.org>
To: "Manthey, Norbert" <nmanthey@...zon.de>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"Woodhouse, David" <dwmw@...zon.co.uk>,
	"Stieger, Andreas" <astieger@...zon.de>,
	"linux-hardening@...r.kernel.org" <linux-hardening@...r.kernel.org>,
	"Hemdan, Hagar Gamal Halim" <hagarhem@...zon.de>
Subject: Re: Extending Linux' Coverity model and also cover aarch64

On Thu, May 16, 2024 at 03:28:16PM +0000, Manthey, Norbert wrote:
> we published an extension for the Coverity model that is used by the
> CoverityScan setup for the Linux kernel [1]. We have been using this
> extension to analyze the 6.1 kernel branch, and reported some fixes to
> the upstream code base that are based on this model [2]. Feel free to
> merge the pull request, and update the model in the CoverityScan setup.
> We do not have access to that project to perform these updates
> ourselves.

Thanks for this! I'll get it loaded into the Linux-Next scanner.

> To increase the analysis coverage to aarch64, we analyzed an x86 and an
> aarch64 configuration. The increased coverage is achieved by using
> reconfiguration and cross-compilation during the analysis build. If you
> are interested in this setup we can share the Dockerfile and script we
> used for this process.

We've only got access to the free Coverity scanner, but it would be nice
to see if there was anything specific to arm64.

> To prevent regressions in backports to LTS kernels, we wondered whether
> the community is interested in setting up CoverityScan projects for
> older kernel releases. Would such an extension be useful to show new
> defects in addition to the current release testing?

The only one we (lightly) manage right now is the linux-next scanner. If
other folks want to host scanners for -stable kernels, that would be
interesting, yes.

-Kees

-- 
Kees Cook
