lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 7 Sep 2022 15:49:14 +0800
From:   Oliver Sang <oliver.sang@...el.com>
To:     "Gustavo A. R. Silva" <gustavoars@...nel.org>
CC:     Kees Cook <keescook@...omium.org>, <lkp@...ts.01.org>,
        <lkp@...el.com>, <linux-hardening@...r.kernel.org>,
        Arnd Bergmann <arnd@...db.de>,
        "Greg Kroah-Hartman" <gregkh@...uxfoundation.org>,
        Shuah Khan <shuah@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Tom Rix <trix@...hat.com>, <linux-kernel@...r.kernel.org>,
        <linux-kselftest@...r.kernel.org>, <llvm@...ts.linux.dev>
Subject: Re: [fortify]  728833277d:
 WARNING:at_net/netlink/af_netlink.c:#netlink_ack

Hi Gustavo,

On Wed, Sep 07, 2022 at 08:39:19AM +0100, Gustavo A. R. Silva wrote:
> On Wed, Sep 07, 2022 at 01:42:16PM +0800, kernel test robot wrote:
> 
> Hi!
> 
> > 
> > Hi Kees Cook,
> > 
> > the patch "[PATCH 1/2] fortify: Add run-time WARN for cross-field memcpy()"
> > raises a persistent WARNING as below report in our tests.
> > 
> > according to commit message, we understand this is kind of expected. but
> > we don't have enough knowledge if it reveals a real issue in kernel source
> > code and what the next step could be.
> > 
> > so we still report FYI.
> > 
> > if you think it's unnecessary for us to make out this kind of report, please
> > let us know. we will consider how to refine our report rules. Thanks a lot!
> > 
> > below is the full report.
> 
> It seems that the idea is to continue reporting these warnings, as they
> help us identify the places that need to be audited and determine how to
> refactor the code (in case it's a false positive), or how to properly fix
> it (in case it's an actual bug).

thanks a lot! very glad our report is helpful :)

> 
> In this case, it seems that the issue was already addressed by this patch:
> 
> https://lore.kernel.org/linux-hardening/20220903043749.3102675-1-keescook@chromium.org/
> 
> Thanks
> --
> Gustavo

Powered by blists - more mailing lists