lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160714030812.GT6239@wotan.suse.de>
Date:	Thu, 14 Jul 2016 05:08:12 +0200
From:	"Luis R. Rodriguez" <mcgrof@...nel.org>
To:	Fengguang Wu <fengguang.wu@...el.com>
Cc:	"Luis R. Rodriguez" <mcgrof@...nel.org>, ming.lei@...onical.com,
	akpm@...ux-foundation.org, mmarek@...e.com,
	gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
	markivx@...eaurora.org, stephen.boyd@...aro.org,
	zohar@...ux.vnet.ibm.com, broonie@...nel.org, tiwai@...e.de,
	johannes@...solutions.net, chunkeey@...glemail.com,
	hauke@...ke-m.de, jwboyer@...oraproject.org,
	dmitry.torokhov@...il.com, dwmw2@...radead.org, jslaby@...e.com,
	torvalds@...ux-foundation.org, luto@...capital.net,
	rpurdie@...ys.net, j.anaszewski@...sung.com,
	Abhay_Salunke@...l.com, Julia.Lawall@...6.fr,
	Gilles.Muller@...6.fr, nicolas.palix@...g.fr, teg@...m.no,
	dhowells@...hat.com, martin.blumenstingl@...glemail.com,
	nbd@....name, mark.rutland@....com, robh+dt@...nel.org,
	arend.vanspriel@...adcom.com, dev@...sin.me, kvalo@...eaurora.org,
	Philip Li <philip.li@...el.com>
Subject: Re: [PATCH v2 0/5] firmware: add SmPL grammar to avoid issues

On Thu, Jul 14, 2016 at 10:23:36AM +0800, Fengguang Wu wrote:
> On Thu, Jul 14, 2016 at 04:15:01AM +0200, Luis R. Rodriguez wrote:
> >On Thu, Jul 14, 2016 at 07:52:07AM +0800, Fengguang Wu wrote:
> >>Hi Luis,
> >>
> >>On Thu, Jul 07, 2016 at 02:56:44AM +0200, Luis R. Rodriguez wrote:
> >>>On Thu, Jun 16, 2016 at 03:54:16PM -0700, Luis R. Rodriguez wrote:
> >>>>The firmware API has had some issues a while ago, some of this is
> >>>>not well documented, and its still hard to grasp. This documents
> >>>>some of these issues, adds SmPL grammar rules to enable us to hunt
> >>>>for issues, and annotations to help us with our effort to finally
> >>>>compartamentalize that pesky usermode helper.
> >>>>
> >>>>Previously this was just one patch, the grammar rule to help
> >>>>find request firmware API users on init or probe, this series
> >>>>extends that effort with usermode helper grammar rules, and some
> >>>>annotations and documentation on the firmware_class driver to
> >>>>avoid further issues. Documenting the usermode helper and making
> >>>>it clear why we cannot remove it is important for analysis for
> >>>>the next series which adds the new flexible sysdata firmware API.
> >>>>
> >>>>This series depends on the coccicheck series which enables
> >>>>annotations on coccinelle patches to require a specific
> >>>>version of coccinelle [0], as such coordination with Michal is
> >>>>in order.
> >>>
> >>>Michal is out until July 11, and upon further thought such coordination
> >>>is not need, the annotation is in place as comments and as such
> >>>merging this now won't have any negative effects other than the version
> >>>check. Also the patches in question for the coccicheck change are all
> >>>acked now and I expect them to be merged anyway.
> >>>
> >>>Which tree should firmware changes go through ?
> >>
> >>>>This series is also further extended next with the new sydata
> >>>>API, the full set of changes is available on my linux-next tree [1].
> >>>>
> >>>>Perhaps now a good time to discuss -- if 0-day should enable the rule
> >>>>scripts/coccinelle/api/request_firmware-usermode.cocci to be called on
> >>>>every 0-day iteration, it runs rather fast and it should help police
> >>>>against avoiding futher explicit users of the usermode helper.
> >>>
> >>>And if we are going to merge this anyone oppose enabling hunting
> >>>for further explicit users of the usermode helper using grammar through
> >>>0-day ?
> >>
> >>When *.cocci scripts lands upstream they'll be auto picked up by the
> >>0-day bot to guard new patches/commits.
> >
> >Great thanks!
> >
> >>Are there further steps 0-day should do for request_firmware-upstream.cocci?
> >
> >It just requires coccinelle >= 1.0.5.
> 
> That looks easy. 

Nice!

> When do you estimate the script will land upstream?

Well, this series has gone by a while now without any complaints, so
I was poking to see if they can be merged now.

> So we can make sure upgrade coccinelle before that time.

There is another series which modernizes coccicheck [0] for which I just poked
at as a well [1], one change which may be of importance to you is groks the
Requires: tag on top of an SmPL patch, with that we simply just skip an SmPL
patch if the version of coccinelle is older than the one specified, with that
in place you can just upgrade when you want -- you'd just gain support for more
SmPL patches when you do. Without that coccinelle would not work (fail) on the
SmPL patch when tried. For this reason I originally had suggested perhaps
this series should be carried by Michal.

[0] https://lkml.kernel.org/r/1467238499-10889-1-git-send-email-mcgrof@kernel.org
[1] https://lkml.kernel.org/r/20160713214539.GE6239@wotan.suse.de

  Luis

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ