Open Source and information security mailing list archives
 
Date:   Fri, 16 Dec 2022 13:45:47 -0500
From:   "Theodore Ts'o" <tytso@....edu>
To:     Aleksandr Nogikh <nogikh@...gle.com>
Cc:     Lee Jones <lee@...nel.org>,
        syzbot <syzbot+15cd994e273307bf5cfa@...kaller.appspotmail.com>,
        adilger.kernel@...ger.ca, gregkh@...uxfoundation.org,
        lczerner@...hat.com, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org, sashal@...nel.org,
        stable@...r.kernel.org, syzkaller-android-bugs@...glegroups.com,
        tadeusz.struk@...aro.org
Subject: Re: kernel BUG in ext4_free_blocks (2)

On Fri, Dec 16, 2022 at 06:14:50PM +0100, Aleksandr Nogikh wrote:
> > Thanks for the clarification; stupid question, though -- I see
> > "upstream" is listed on the dashboard link above.  Assuming that
> > "upstream" is "Linus's tree", why was it still saying, "I can't find
> > this patch in any of my trees"?  What about the upstream tree?
> 
> Bugs from different namespaces are treated independently, so in this
> particular case syzbot was expecting the fixing commit to reach the
> Android trees that it fuzzes.

Is there a way someone can look at the dashboard link to determine
(a) what namespace a particular syzkaller report is in, and (b)
what trees are included in a particular namespace?

Adding a link to the e-mail to the dashboard page may not help if it's
not obvious why the dashboard mentions "upstream" and yet it's not in
"any of the trees".  Maybe the e-mail should explicitly list the trees
that syzkaller will be searching?

And it would seem that it would be a *feature* if looking at a syzbot
dashboard from Android namespace could expose the fact that a particular
patch is in any of the LTS trees or Linus's upstream tree, no?

Also, what is the reason for Android being in a separate
namespace?  Is it running on a separate syzbot VM?  I can understand
why from a feature perspective, that Fuchsia and OpenBSD should be in
separate namespaces; but what are the reasons that there are separate
namespaces for Android versus the upstream kernel?  Especially since
the Android dashboard is apparently referencing the upstream kernel?
What's up with that?

Put another way, while I think it's super useful to have a link to
Syzbot dashboard page, in the e-mail, I'm not sure it's going to be a
complete solution to the confusion that was inspired by this case.

That being said, in general I think a link to the Dashboard is useful;
in fact, it might be nice if we could encourage upstream developers
to put in the commit trailer:

Link: https://syzkaller.appspot.com/bug?id=5266d464285a03cee9dbfda7d2452a72c3c2ae7c

in addition to, or better yet, instead of:

Reported-by: syzbot+15cd994e273307bf5cfa@...kaller.appspotmail.com

... and have Syzbot be able to translate from the Link: tag as being
equivalent to the Reported-by: link.  That's because the Link is going
to be much more useful to humans than the Reported-by --- we've had a
number of cases where as part of the patch review, we really wanted to
get back to the Dashboard page, and it's not easy to get to the
Dashboard from the Reported-by tag.

Thanks,

						- Ted
