Open Source and information security mailing list archives
 
Message-ID: <20151012083447.GA11437@wfg-t540p.sh.intel.com>
Date:	Mon, 12 Oct 2015 16:34:47 +0800
From:	Fengguang Wu <fengguang.wu@...el.com>
To:	Ingo Molnar <mingo@...nel.org>
Cc:	Peter Zijlstra <peterz@...radead.org>,
	kernel test robot <ying.huang@...ux.intel.com>,
	LKML <linux-kernel@...r.kernel.org>, lkp@...org,
	Thomas Gleixner <tglx@...utronix.de>,
	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [LKP] [lkp] [string] 5f6f0801f5: BUG: KASan: out of bounds
 access in strlcpy+0xc8/0x250 at addr ffff88011a666ee0

On Mon, Oct 12, 2015 at 10:17:14AM +0200, Ingo Molnar wrote:
> 
> * Fengguang Wu <fengguang.wu@...el.com> wrote:
> 
> > On Mon, Oct 12, 2015 at 03:51:04PM +0800, Fengguang Wu wrote:
> > > On Mon, Oct 12, 2015 at 09:33:55AM +0200, Ingo Molnar wrote:
> > > > 
> > > > * kernel test robot <ying.huang@...ux.intel.com> wrote:
> > > > 
> > > > > FYI, we noticed the below changes on
> > > > > 
> > > > > git://internal_mailing_list_patch_tree Ingo-Molnar/string-Improve-the-generic-strlcpy-implementation
> > > > > commit 5f6f0801f5fdfce4984c6a14f99dbfbb417acb66 ("string: Improve the generic strlcpy() implementation")
> > > > 
> > > > Hm, there's no such commit ID anywhere I can see - did you rebase my tree perhaps?
> > > 
> > > Ingo, all applied patches will be uploaded to github from now on.
> 
> Thanks!
> 
> You might want to move that to korg instead, because many people don't like to 
> pull from github.

That'd be good, however github would match its security level better
-- it's a robot doing git upload, so the ssh private key must be kept
in a server where several team members can see it.

> > > Here is the exact commit:
> > > 
> > > https://github.com/0day-ci/linux/commits/Ingo-Molnar/string-Improve-the-generic-strlcpy-implementation
> > 
> > Sorry that's already the rebased commit.. The old version was applied
> > to 4.3-rc4 while the new one is applied to 4.3-rc5.
> 
> So as long as you have the tested sha1 mentioned in the bug report, and that sha1 
> can be pulled from somewhere on korg, I'm a happy camper: in this particular case 
> it would have told me whether your testing tree had upstream fix 990486c8af or 
> not.
> 
> Rebasing and applying email patches for testing purposes is otherwise perfectly 
> OK, as long as the precise Git tree used for testing can be fetched.

FYI I've just added timestamp to the branch name -- which helps make
the reported URL consistent and immutable over time.

You are nice and easy to work with, however it'll have to work well
with lots of people in all kinds of situations. :)

Thanks,
Fengguang