lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a1a0046c-f47f-4e8a-ae3c-85db58a6cb2f@suswa.mountain>
Date: Wed, 6 Aug 2025 17:39:04 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Stefan Metzmacher <metze@...ba.org>
Cc: Steve French <sfrench@...ba.org>, Paulo Alcantara <pc@...guebit.org>,
	Ronnie Sahlberg <ronniesahlberg@...il.com>,
	Shyam Prasad N <sprasad@...rosoft.com>, Tom Talpey <tom@...pey.com>,
	Bharath SM <bharathsm@...rosoft.com>, linux-cifs@...r.kernel.org,
	samba-technical@...ts.samba.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: Re: [PATCH next] smb: client: Fix use after free in send_done()

On Wed, Aug 06, 2025 at 04:17:41PM +0200, Stefan Metzmacher wrote:
> > > What was the test that triggered the problem?
> > > Or did you only noticed it by looking at the code?
> > 
> > This was a Smatch static checker warning.  You need to have the cross
> > function DB to detect it.
> 
> Ok, I'll try to integrate it into my build flow...
> 
> Does it replace sparse or does it run in addition?

In addition.  I find the Sparse endianness checks especially useful.

> If it replaces sparse I guess a small script would
> run them both?
> 
> $ cat mychecker.sh:
> #!/bin/bash
> set -e
> sparse $@
> smatch $@
> 
> And maybe all others from
> https://gautammenghani.com/linux,/c/2022/05/19/static-analysis-tools-linux-kernel.html
> 
> How often do I need to run smatch_scripts/build_kernel_data.sh on the whole kernel?

The cross function database is really useful for just information
purposes and looking at how functions are called.  You probably
would need to rebuild it four or five times to get useful
information, unfortunately.  I rebuild my every night on the latest
linux-next.

But for other people, I normally say don't bother with the cross
function DB.  It takes a long time to build and it only slightly
improves the output.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ