lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <caa37f28-a2e8-4e0a-a9ce-a365ce805e4b@stanley.mountain>
Date: Fri, 6 Feb 2026 16:38:09 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: linux-kernel <linux-kernel@...r.kernel.org>, ksummit@...ts.linux.dev,
	Bill Fletcher <bill.fletcher@...aro.org>,
	Randy Linnell <randy.linnell@...aro.org>,
	Brad Spengler <brad.spengler@...nsrcsec.com>
Cc: vincent.guittot@...aro.org, lina.iyer@...aro.org
Subject: Re: Support needed to continue Smatch work

I need to post an update on the current situation with Smatch.

First of all, I want to start by thanking Brad Spengler from grsecurity
who reached out to me on this, offered some funding, and has been
trying to push the Smatch work forward.  It really means a lot to me.

Unfortunately, we haven't been able to raise enough support to continue
my Smatch work.  I have still been filtering zero day bot warnings and
I am a bit worried that people have the impression that I'm reviewing
static checker warnings when I am not.

The situation isn't great.  The zero day bot can't do cross function
analsysis and it only looks at checks with a low false positive rate.
We're missing out on a bunch of bugs.  I'm going to add some of the
those missed warnings to this thread so people have a better picture of
what we're missing.  There are some buffer overflows in there.  A bunch
of off by one bugs.  A missing error code in fork().  And random other
minor things as well.

https://lore.kernel.org/all/caa37f28-a2e8-4e0a-a9ce-a365ce805e4b@stanley.mountain/

I am still trying to figure out a way to restart Smatch checking.  The
funding model would be that several companies would support this project
by paying a proportion of my salary.  Part of that goes to reporting
bugs like the ones above and part of that goes to developing Smatch and
writing new checks.  Please, contact
Bill Fletcher <bill.fletcher@...aro.org> if you would like to support
this work.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ