lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5513CD49.30803@nod.at>
Date:	Thu, 26 Mar 2015 10:11:37 +0100
From:	Richard Weinberger <richard@....at>
To:	Brian Norris <computersforpeace@...il.com>
CC:	Artem Bityutskiy <dedekind1@...il.com>,
	linux-mtd@...ts.infradead.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [PATCH 0/5] UBI: Coverity-inspired fixes

Am 06.03.2015 um 03:04 schrieb Brian Norris:
> On Thu, Mar 05, 2015 at 11:33:14AM +0100, Richard Weinberger wrote:
>> Brian,
>>
>> Am 28.02.2015 um 11:23 schrieb Brian Norris:
>>> Except for the last one, these were inspired by Coverity Scan results.
>>>
>>> These fixes have barely been tested, but they are pretty straightforward
>>> logically. As they've been sitting in my dust pile too long, I thought I'd at
>>> least get them out there.
>>>
>>> Brian Norris (5):
>>>   UBI: account for bitflips in both the VID header and data
>>>   UBI: fix out of bounds write
>>>   UBI: initialize LEB number variable
>>>   UBI: fix check for "too many bytes"
>>>   UBI: align comment for readability
>>
>> Nice work!
>> I'll test them later today.
>> Just a quick question, no patch has a stable tag, is this by design?
>> From a first look most of them look like stable material.
> 
> Two reasons:
> 
>  1. I hadn't tested them heavily, and I definitely didn't try to target
>  their codepaths much.
> 
>  2. Given #1 and the fact that these were just found by static analysis,
>  I don't think they pass this test from
>  Documentation/stable_kernel_rules.txt:
> 
>  " - It must fix a real bug that bothers people (not a, "This could be a
>     problem..." type thing)."
> 
> So, I expected they would only be sent to stable if somebody (perhaps
> me) is able to trigger something real, or at least gets some significant
> testing on them.
> 
> Maybe this is a case where you send the fixes, and then send the commit
> IDs to Greg after they have been proven stable and/or can be exploited
> in some way through testing. (Option 2 in the updated
> stable_kernel_rules.txt.)
> 
> But really, it's your/Artem's call.

Applied, thanks a lot Brian!
I've marked patches 1 to 4 as stable material.

Thanks,
//richard
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ