lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAPdGtUzwUdahFMmmjsjw_Gf9gsNvfB1Qj6aMh0eW7y0oDvNeDg@mail.gmail.com>
Date: Sun, 5 Jan 2025 11:37:56 +0530
From: Tanya Agarwal <tanyaagarwal25699@...il.com>
To: Paul Moore <paul@...l-moore.com>
Cc: jmorris@...ei.org, serge@...lyn.com, kees@...nel.org, 
	yuehaibing@...wei.com, linux-security-module@...r.kernel.org, 
	linux-kernel@...r.kernel.org, matthewgarrett@...gle.com, 
	skhan@...uxfoundation.org, anupnewsmail@...il.com
Subject: Re: [PATCH v2] lockdown: Initialize array before use

On Sun, Jan 5, 2025 at 9:45 AM Paul Moore <paul@...l-moore.com> wrote:
>
> On Jan  4, 2025 Tanya Agarwal <tanyaagarwal25699@...il.com> wrote:
> >

> > -     char temp[80];
> > +     char temp[80] = {0};
> >       int i, offset = 0;
>
> Since @temp is a string, it reads a bit better if we initialize it with
> double quotes, e.g. 'char temp[80] = ""'.

Hi Paul,

Thanks for the review.
I agree to change it to double quotes and will send it in a revision patch.

>
> This is also a case where the static analysis is a bit misleading.  The
> @temp variable is uninitialized only if the @lockdown_levels array is
> empty and seeing as the @lockdown_levels array is a constant array
> defined in the source, this isn't a real issue we need to worry about.
> However, if you wanted to fix this simply to quiet Coverity, I think
> that would be okay, especially since this isn't a hot code path.

I understand that is likely a false positive. However, as you
mentioned this is not a hot path, making initialization explicit could
help silence the static analyzer without any real downside.

Thanks,
Tanya

>
> >       for (i = 0; i < ARRAY_SIZE(lockdown_levels); i++) {
> > --
> > 2.39.5
>
> --
> paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ