Date:   Mon, 6 Jun 2022 15:19:04 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     syzkaller@...glegroups.com, Dmitry Vyukov <dvyukov@...gle.com>
Cc:     linux-kernel@...r.kernel.org
Subject: Auto-invalidating old syzbot reports?

Currently the upstream Linux kernel has 888 open syzbot reports
(https://syzkaller.appspot.com/upstream).  However, nearly two-thirds of them
(577) were reported more than 1 year ago.  Old reports are often for bugs that
were already fixed.  They can also be reports that got overlooked, forgotten
about, not sent to the right place, etc.  Kernel maintainers also change over
time, so the current maintainer(s) might never have received the original report
even if syzbot sent the original report to the correct maintainer(s).

Having these old reports open is preventing syzbot from re-reporting any bugs
with the same crash signature (where a crash signature is something like
"KASAN: null-ptr-deref Read in percpu_ref_exit") if it is still being seen.

syzbot does auto-invalidate some old bugs, but only ones without a reproducer.

Given that humans aren't keeping up with these reports, has it been considered
to auto-invalidate all old syzbot reports -- not just ones without a reproducer?

- Eric
