lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 7 Oct 2018 09:27:40 +0800
From:   Fengguang Wu <fengguang.wu@...el.com>
To:     Kees Cook <keescook@...omium.org>
Cc:     Joel Fernandes <joel@...lfernandes.org>,
        Greg KH <gregkh@...uxfoundation.org>,
        LKML <linux-kernel@...r.kernel.org>, LKP <lkp@...el.com>
Subject: Re: [PATCH v4.19-rc7] treewide: Replace more open-coded allocation
 size multiplications

On Sat, Oct 06, 2018 at 08:51:16AM -0700, Kees Cook wrote:
>On Sat, Oct 6, 2018 at 1:49 AM, Fengguang Wu <fengguang.wu@...el.com> wrote:
>> On Fri, Oct 05, 2018 at 08:14:34PM -0700, Joel Fernandes wrote:
>>>
>>> On Fri, Oct 05, 2018 at 05:22:35PM -0700, Greg KH wrote:
>>>> And do we have a way to add a rule to 0-day to catch these so that they
>>>> get a warning when they are added again?
>>>
>>>
>>> They could just be added to scripts/coccinelle and 0-day will report them?
>>>
>>> For example, 0-day ran scripts/coccinelle/api/platform_no_drv_owner.cocci
>>> on
>>> a recently submitted patch and reported it here:
>>>
>>> https://lore.kernel.org/lkml/201808301856.vMNJerSs%25fengguang.wu@intel.com/
>>>
>>> But I'm not sure if 0-day runs make coccicheck on specific semantic
>>> patches,
>>> or runs all of them (CC'd Fengguang).
>>
>> 0-day runs all coccinelle scripts. However only auto report out
>> warnings that are known to have low false positives.
>>
>> So if you add new coccinelle scripts that emit accurate enough
>> warnings, it'd be good to inform the LKP team to add the new
>> warnings to our auto-report-out white list.
>
>It runs with MODE=report by default, yes? I'd need to expand the cases
>to cover that (it is patch-only currently) so that would be a roughly
>10,000 line Coccinelle script. :)

It first runs with "-D report", then with "-D patch" to create
possible patches.

Thanks,
Fengguang

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ