lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAGXu5jKftdZdGxkxv6t_maoG2uDqCdBJHvzZoM=Noiakrkyb6Q@mail.gmail.com>
Date:   Sat, 6 Oct 2018 08:51:16 -0700
From:   Kees Cook <keescook@...omium.org>
To:     Fengguang Wu <fengguang.wu@...el.com>
Cc:     Joel Fernandes <joel@...lfernandes.org>,
        Greg KH <gregkh@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>, LKP <lkp@...el.com>
Subject: Re: [PATCH v4.19-rc7] treewide: Replace more open-coded allocation
 size multiplications

On Sat, Oct 6, 2018 at 1:49 AM, Fengguang Wu <fengguang.wu@...el.com> wrote:
> On Fri, Oct 05, 2018 at 08:14:34PM -0700, Joel Fernandes wrote:
>>
>> On Fri, Oct 05, 2018 at 05:22:35PM -0700, Greg KH wrote:
>>> And do we have a way to add a rule to 0-day to catch these so that they
>>> get a warning when they are added again?
>>
>>
>> They could just be added to scripts/coccinelle and 0-day will report them?
>>
>> For example, 0-day ran scripts/coccinelle/api/platform_no_drv_owner.cocci
>> on
>> a recently submitted patch and reported it here:
>>
>> https://lore.kernel.org/lkml/201808301856.vMNJerSs%25fengguang.wu@intel.com/
>>
>> But I'm not sure if 0-day runs make coccicheck on specific semantic
>> patches,
>> or runs all of them (CC'd Fengguang).
>
> 0-day runs all coccinelle scripts. However only auto report out
> warnings that are known to have low false positives.
>
> So if you add new coccinelle scripts that emit accurate enough
> warnings, it'd be good to inform the LKP team to add the new
> warnings to our auto-report-out white list.

It runs with MODE=report by default, yes? I'd need to expand the cases
to cover that (it is patch-only currently) so that would be a roughly
10,000 line Coccinelle script. :)

-Kees

-- 
Kees Cook
Pixel Security

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ