| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 4 Dec 2017 16:10:15 -0500
From: Paul Moore <pmoore@...hat.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Stephen Smalley <sds@...ho.nsa.gov>,
Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
syzbot
<bot+015afdb01dbf2abb6a6bfdd5430b72e5503fca6d@...kaller.appspotmail.com>,
linux-security-module@...r.kernel.org, selinux@...ho.nsa.gov,
syzkaller-bugs@...glegroups.com,
LKML <linux-kernel@...r.kernel.org>, dledford@...hat.com,
Matthias Kaehlcke <mka@...omium.org>, junil0814.lee@....com,
kyeongdon kim <kyeongdon.kim@....com>
Subject: Re: KASAN: slab-out-of-bounds Read in strcmp
On Mon, Dec 4, 2017 at 11:29 AM, Dmitry Vyukov <dvyukov@...gle.com> wrote:
> On Mon, Dec 4, 2017 at 2:59 PM, Paul Moore <pmoore@...hat.com> wrote:
> Hi Paul,
>
> We are just rolling in the process. Feedback is much appreciated!
>
> The idea is that we need to know the title as it will appear in Linus
> tree and in other tested trees. It's also possible to override the
> title later, if there is any mess with it. So sending "#syz fix" as
> soon as it is merged into any tree looks like the best option (to not
> require you to keep in mind that you also need to do that tiny bit in
> a month).
>
> Are the following changes look good to you?
> For email footer:
>
> -Once a fix for this bug is committed, please reply to this email with:
> +Once a fix for this bug is merged into any tree, reply to this email with:
> #syz fix: exact-commit-title
>
> And for the https://github.com/google/syzkaller/blob/master/docs/syzbot.md page:
>
> to attach a fixing commit to the bug:
> #syz fix: exact-commit-title
> +It's enough that the commit is merged into any tree, in particular,
> +you don't need to wait for the commit to be merged into upstream tree.
> +syzbot only needs to know the title by which it will appear in tested trees.
> +In case of an error or a title change, you can override the commit simply
> +by sending another #syz fix command.
That is an improvement, yes. I might also mention that you would
prefer if the syzkaller-bugs list is CC'd on the commands; that wasn't
clear to me until I got a message back from syzbot just now.
>> For the record, I did see that part of the syzbot mail but I was
>
> Then sorry for pinging. We are trying to establish the process, and
> some developers don't notice that part, so I just wanted to make sure.
I would *strongly* suggest spending some time trying to find a
mechanism that doesn't rely on developers needing to send special
commands to your system to register fixes; that seems prone to failure
if you want my honest opinion.
At the very least you might consider moving the instructions to the
top of the message.
>> waiting until I merged that patch; v2 was posted late in the week and
>> I was giving it a few days in case someone saw something
>> objectionable.
>
> In such case you can do either way. You can wait, or you can post
> commit title as soon as you have enough assurance that that's the
> title with which it will appear in trees. We don't want to put too
> much burden on developers. As I said, it's possible to override it
> later, or we will notice that there is a commit that bot is waiting
> for too long.
>
> Thanks
--
paul moore
security @ redhat
Powered by blists - more mailing lists