lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160809031832.GD8668@yexl-desktop>
Date:	Tue, 9 Aug 2016 11:18:32 +0800
From:	Ye Xiaolong <xiaolong.ye@...el.com>
To:	Al Viro <viro@...IV.linux.org.uk>
Cc:	Valdis.Kletnieks@...edu, Nicholas Krause <xerofoify@...il.com>,
	0day robot <fengguang.wu@...el.com>,
	LKML <linux-kernel@...r.kernel.org>, lkp@...org
Subject: Re: [lkp] [fs] 45ec18d5c7: BUG: KASAN: user-memory-access on address
 00007f90291c7ec0

On 08/09, Al Viro wrote:
>On Tue, Aug 09, 2016 at 09:17:58AM +0800, Ye Xiaolong wrote:
>> On 08/08, Valdis.Kletnieks@...edu wrote:
>> >On Sun, 07 Aug 2016 22:02:42 +0800, kernel test robot said:
>> >
>> >> FYI, we noticed the following commit:
>> >>
>> >> https://github.com/0day-ci/linux
>> >> Nicholas-Krause/fs-Fix-kmemleak-leak-warning-in-getname_flags-about-working-on-unitialized-memory/20160804-055054
>> >> commit 45ec18d5c713bccb9807782f0dca29b92ba99784 ("fs:Fix kmemleak leak warning in getname_flags about working on unitialized memory")
>> >
>> >The real question here is why the 0day system was even bothering to try
>> >compiling and booting a patch from somebody who has a long record of failing
>> >to do so with patches before submission.  Actually looking at the patch
>> >in question shows that little or no thought or testing was done (hint:
>> >look at it, and wonder in amazement why there's a dump_stack() call where
>> >it is....)
>> >
>> >In other words - how did this patch get into a tree that 0day listens to?
>> 
>> 0Day has a service to automatically capture every patchset sent to LKML, and convert
>> email patchset to git branches by applying them on top of different
>> trees heuristically.
>
>*raised eyebrows*
>
>I really hope they are doing both builds and testing in a heavily isolated
>environments, then.  Because you've just described an attack vector it's
>vulnerable to...

Yes, they are doing test in a heavily isolated environments with chroot,
no suid and isolated network.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ