lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180406013741.GA7345@thunk.org>
Date:   Thu, 5 Apr 2018 21:37:41 -0400
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     Eric Biggers <ebiggers@...gle.com>
Cc:     Dave Chinner <david@...morbit.com>,
        Matthew Wilcox <willy@...radead.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        syzbot <syzbot+dc5ab2babdf22ca091af@...kaller.appspotmail.com>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com, Al Viro <viro@...iv.linux.org.uk>
Subject: Re: WARNING in up_write

On Thu, Apr 05, 2018 at 05:13:25PM -0700, Eric Biggers wrote:
> Well, ultimately a human needed to investigate the syzbot bug report to figure
> out what was really going on.  In my view, the largest problem is that there are
> simply too many bugs, so many are getting ignored.  If there were only a few
> bugs, then Dmitry would investigate each one and send a "real" bug report of
> better quality than the automated system can provide, or even send a fix
> directly.  But in reality, on the same day this bug was reported, syzbot also
> found 10 other bugs, and in the previous 2 days it had found 38 more.  No single
> person can keep up with that.  You can see the current bug list, which has 172
> open bugs, on the dashboard at https://syzkaller.appspot.com/.  Yes, the kernel
> really is that broken.  Though, of course most bugs are in specific modules, not
> the core kernel.

There are a lot of bugs, so it needs to be easier for humans to figure
out which ones they should care about.  And not all bugs are created
equal.  Some are WARN_ON's that aren't all that important.  Others
will hard crash the kernel, but are not likely to be something that
can be turned into a privilege escalation attack.  Some bugs are
trivially reproducible, and some take a lot more effort.  Making it
easier for humans to decide which ones should be looked at first would
certainly be helpful.y

For me the prioritization goes as follows.

1)  Is it a regression?  If it's a regression, I want to fix it fast.

2)  Is it something that can be easily escalated to a privilege escalation attack?
    Again, if so, I want to fix it fast.

3)  Is it going to get in the way of my development process?  Things
    that trigger new xfstests failures are important, because it's how I
    detect (1).

So I ignored the Syzkaller reports this week because it's hard to
differentiate important bugs from less important ones, and after the
merge window, I want to make sure that I have not introduced any
regressions, and I also want to make sure that commits getting merged
by others have not introduced any regressions in the testing suite
that I use, which is xfstests.

This is why I've been asking for the bisection feature --- not to find
out when a bug has been fixed, but to find out when a bug has been
*introduced*.  If I know that this a bug which has recently
introduced, especially if it has been recently introduced by commits
in my tree, or which I have recently pushed to Linus, I'm going to
care a lot more.  If I can't make that determination, I'm going to
deprioritize that bug in favor of those that definitely do meet these
criteria.

It's not a matter of waiting for someone else to fix it (although I
won't complain if someone does :-).  It's that I'm overloaded, and I
have to prioritize the work that I do.  If syzbot reports are hard to
parse or hard to prioritize, then I may end up prioritizing other work
as being more important.   Sorry, but that's just the way that it is.

Note that I haven't just been complaining about it.  I've been working
on ways so that the gce-xfstests and kvm-xfstests test appliances can
more easily be used to work on Syzbot reports.  If I can make myself
more efficient, or help other people be more efficient, that's
arguably more important than trying to fix some of the 174 currently
open Syzbot issues --- unless you can tell me that certain ones are
super urgent because they (for example) result in CVSS score > 8.

Cheers,

					- Ted

Powered by blists - more mailing lists