lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 5 May 2023 00:01:34 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     Tudor Ambarus <tudor.ambarus@...aro.org>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        Dmitry Vyukov <dvyukov@...gle.com>,
        syzbot <syzbot+726dc8c62c3536431ceb@...kaller.appspotmail.com>,
        davem@...emloft.net, linux-crypto@...r.kernel.org,
        linux-kernel@...r.kernel.org, olivia@...enic.com,
        syzkaller-bugs@...glegroups.com, Jason Wang <jasowang@...hat.com>,
        "Michael S. Tsirkin" <mst@...hat.com>,
        Laurent Vivier <lvivier@...hat.com>,
        Rusty Russell <rusty@...tcorp.com.au>,
        Aleksandr Nogikh <nogikh@...gle.com>
Subject: Re: [PATCH] hwrng: virtio - Fix race on data_avail and actual data

On Thu, May 04, 2023 at 09:10:43AM +0100, Tudor Ambarus wrote:
> > The syzbot ID is already present in the in the Reported-by tag.
> > There is no reason to clutter up the commit message with redundant
> > information.
> 
> As you prefer. Theodore Ts'o encourages to add a dashboard link, here's
> his reasoning:
> https://github.com/google/syzkaller/issues/3393#issuecomment-1347476434

The reason why I've requested having both the Link and Reported-by is
because you don't know the secret incantation:

s;Reported-by: syzbot\+\([0-9a-z]+\)@syzkaller.appspotmail.com;https://syzkaller.appspotmail.com/extid?=\1;

... you can't easily get from a "Reported-by:" e-mail address to a URL
link that will actually get you to the syzkaller page.  What I used to
do was to go to https://groups.google.com/g/syzkaller-bugs and then
enter into the Google Groups searech box:

   Reported-by: syzbot+726dc8c62c3536431ceb@...kaller.appspotmail.com

which is a ***super*** clunky way to get to the syzkaller page.  What
would be nice is if there was an easy way that didn't rely on kernel
developers knowing the internal URL structure of Syzbot to be able to
enter the Reported-by link on some convenient web page, perhaps in a
search box found in the front page of https://syzkaller.appspot.com,
and be able to find the syzbot report web page that way.

Since that doesn't exist today, I include both the Reported-by: and
Link: in my commit descriptions, out of consideration to the reviewer
who might want to be able to find the Syzbot page and don't know the
secret trick to calculate the URL from the Reported-by: e-mail
address.


Another gotcha with Syzbot is that there are two id's, the "extid" and
the "id" which makes thing ***super*** confusing.  For example, both
of these URL's go the same Syzbot report:

https://syzkaller.appspot.com/bug?extid=726dc8c62c3536431ceb
https://syzkaller.appspot.com/bug?id=eec08eb3763c9ec749fd565e70cfe6e485af7ed7

The Reported-by e-mail address uses the extid.  So for example, this
case, it would be syzbot+726dc8c62c3536431ceb@...kaller.appspotmail.com.

However, all of the links in the Syzbot web pages use the id form of
the URL.  So if you were browsing the syzbot reports assigned to the
crypto subsystem via https://syzkaller.appspot.com/upstream/s/crypto,
you would find the id-style link, and then the commit fixing the bug
might have something like this:

Reported-by: syzbot+726dc8c62c3536431ceb@...kaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=eec08eb3763c9ec749fd565e70cfe6e485af7ed7

In that case, there is no (obvious) relationship between the hex
string found in the Reported-by line and the Link line.


One additional unfortunate fallout from syzbot having an "extid" and
"id", is that depending on how the syzbot entry initially found by the
contributor sending in a patch to address a syzbot report, either URL
can be found in mailing list archives.  So if you search for
"extid=726dc8c62c3536431ceb" you won't find references to
"id=eec08eb3763c9ec749fd565e70cfe6e485af7ed7" even though they are
both referring to same Syzbot report.

<<< sigh >>>>   As they say, the hardest problem to solve in the
C.S. world is naming, and syzbot has two names for every single syzbot
report, and both are exposed to the poor user.   :-(

					- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ