Message-ID: <20200410011134.GG45598@mit.edu>
Date:   Thu, 9 Apr 2020 21:11:34 -0400
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Eric Biggers <ebiggers@...nel.org>,
        Matthew Wilcox <willy@...radead.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        Peter Xu <peterx@...hat.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux-MM <linux-mm@...ck.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Stephen Rothwell <sfr@...b.auug.org.au>
Subject: Re: [PATCH 0/2] mm: Two small fixes for recent syzbot reports

On Thu, Apr 09, 2020 at 01:34:18PM -0700, Linus Torvalds wrote:
> > FWIW, the issue of "syzbot report sent and ignored for months/years" is actually
> > a much broader one which applies to all bugs, not just build / test breakages.
> 
> I don't  know what to do about that, but it may be that people just
> don't judge the bugs interesting or assume that they are old.

Syzkaller bugs which require (a) root privileges to trigger, or (b)
require a deliberately corrupted file system are things which I don't
consider super interesting.  (For the latter, I'll usually wait for
some other file system fuzzer to find it, such as Hydra, because
Syzkaller makes it painful to extract out the file system image, whereas
other file system fuzzers are *much* more file system developer
friendly.)

This shouldn't be a surprise to Dmitry, because I've given this
feedback to him before.

It would be nice if there was some way we could triage Syzkaller bugs
into different buckets (requires root, lower to P2; requires a
corrupted file system image, lower to P2).  Unfortunately, that would
require Syzkaller to have some kind of login system and way to track
state, and Dmitry doesn't want to replicate the functionality of a bug
tracker.

> That's what made bugzilla so useless - being flooded with stale bugs
> that might not be worth worrying about, and no way to really tell.

At least with Bugzilla, it becomes possible to attach priorities and
flags to them, instead of trying to assume that developers should
treat all Syzkaller bugs as the same priority.  Because when you do
insist that all bugs be treated as high priority, many people will
just treat them *all* as a P2 bug, especially when there are so many.

- Ted
