| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z3piAiLGWgsegpy6@visitorckw-System-Product-Name>
Date: Sun, 5 Jan 2025 18:42:10 +0800
From: Kuan-Wei Chiu <visitorckw@...il.com>
To: Tanya Agarwal <tanyaagarwal25699@...il.com>
Cc: paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
kees@...nel.org, yuehaibing@...wei.com,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
matthewgarrett@...gle.com, skhan@...uxfoundation.org,
anupnewsmail@...il.com
Subject: Re: [PATCH V3] lockdown: Initialize array before use
Hi Tanya,
On Sun, Jan 05, 2025 at 12:35:38PM +0530, Tanya Agarwal wrote:
> From: Tanya Agarwal <tanyaagarwal25699@...il.com>
>
> The static code analysis tool "Coverity Scan" pointed the following
> details out for further development considerations:
> CID 1486102: Uninitialized scalar variable (UNINIT)
> uninit_use_in_call: Using uninitialized value *temp when calling
> strlen.
>
> Conclusion:
> Initialize array before use in lockdown_read() to satisfy the static
> analyzer.
>
> Fixes: 000d388ed3bb ("security: Add a static lockdown policy LSM")
> Signed-off-by: Tanya Agarwal <tanyaagarwal25699@...il.com>
I don't believe this is a real bug. The lockdown_reasons array is a
non-empty constant, so temp is guaranteed to be written to by sprintf
before being passed to strlen.
When submitting patches in the future, could you also include an
analysis of the conditions that might lead to the bug, along with the
coverity scan report?
Regards,
Kuan-Wei
Powered by blists - more mailing lists