lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 6 Jun 2021 08:06:05 +0300
From:   Leon Romanovsky <leon@...nel.org>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     SyzScope <syzscope@...il.com>, davem@...emloft.net,
        johan.hedberg@...il.com, kuba@...nel.org,
        linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
        marcel@...tmann.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in hci_chan_del

On Sat, Jun 05, 2021 at 09:43:43AM +0200, Greg KH wrote:
> On Fri, Jun 04, 2021 at 10:11:03AM -0700, SyzScope wrote:
> > Hi Greg,
> > 
> > > Who is working on and doing this "reseach project"?
> > We are a group of researchers from University of California, Riverside (we
> > introduced ourselves in an earlier email to security@...nel.org if you
> > recall).
> 
> I do not recall that, sorry, when was that?
> 
> > Please allow us to articulate the goal of our research. We'd be
> > happy to hear your feedback and suggestions.
> > 
> > > And what is it
> > > doing to actually fix the issues that syzbot finds?  Seems like that
> > > would be a better solution instead of just trying to send emails saying,
> > > in short "why isn't this reported issue fixed yet?"
> > From our limited understanding, we know a key problem with syzbot bugs is
> > that there are too many of them - more than what can be handled by
> > developers and maintainers. Therefore, it seems some form of prioritization
> > on bug fixing would be helpful. The goal of the SyzScope project is to
> > *automatically* analyze the security impact of syzbot bugs, which helps with
> > prioritizing bug fixes. In other words, when a syzbot bug is reported, we
> > aim to attach a corresponding security impact "signal" to help developers
> > make an informed decision on which ones to fix first.
> 
> Is that really the reason why syzbot-reported problems are not being
> fixed?  Just because we don't know which ones are more "important"?
> 
> As someone who has been managing many interns for a year or so working
> on these, I do not think that is the problem, but hey, what do I know...

My 2 cents, as the one who is fixing these external and internal syzkaller bugs
in RDMA. I would say that the main reason is lack of specific knowledge to fix
them or/and amount of work to actually do it.

Many of such failures are in neglected parts of code.

And no, I personally won't care if someone adds security score or not to
syzkaller report, all reports should be fixed.

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ