lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 15 Feb 2019 08:11:18 +0100
From:   Markus Elfring <Markus.Elfring@....de>
To:     Julia Lawall <julia.lawall@...6.fr>,
        Wen Yang <wen.yang99@....com.cn>
Cc:     Gilles Muller <Gilles.Muller@...6.fr>,
        Nicolas Palix <nicolas.palix@...g.fr>,
        Michal Marek <michal.lkml@...kovi.net>,
        Yi Wang <wang.yi59@....com.cn>,
        Masahiro Yamada <yamada.masahiro@...ionext.com>,
        Wen Yang <yellowriver2010@...mail.com>,
        Cheng Shengyu <cheng.shengyu@....com.cn>,
        cocci@...teme.lip6.fr, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [v4] coccinelle: semantic patch for missing put_device()

>>>> In a function, for variables returned by calling of_find_device_by_node(),
>>> Do variables really get returned?
>>> The provided pointer should usually be stored somewhere.
>>
>> Thank you very much, we will consider this situation and  submit a next version to fix it.
>
> I don't know what Markus is talking about here,

I find that my feedback contained details for two items.

1. I suggested another adjustment for a wording in the evolving
   commit description.

2. Should any more case distinctions be taken into account for the data
   storage of function return values so that the shown source code search
   approach can become safer?


> so I'm not sure that a change is needed.

I am curious if there is a need for further clarifications then.


>>>> + "ERROR: missing put_device;"
>>> Will change confidence considerations result in another fine-tuning for this message?
>>
>> Thank you, we will change "ERROR" to "WARNING".
>
> I think ERROR is fine.

I have got a different software development view for the possible
severity information.


> If it is a real positive than it is a real problem.

I can agree to this information.

You specified also a precondition.
How should be achieved that the source code analysis will not point
false positives out?


> Warning is for things that look ugly,

I am also curious on how views will evolve around such ugliness.


> but don't have any impact on the execution.

I find such a restriction questionable.


Would you like to share any more ideas for safe data flow analysis
(eventually also together with your software)?

Regards,
Markus

Powered by blists - more mailing lists