Message-ID: <YLxXvfi1P8qZdQH3@unreal>
Date: Sun, 6 Jun 2021 08:06:05 +0300
From: Leon Romanovsky <leon@...nel.org>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: SyzScope <syzscope@...il.com>, davem@...emloft.net,
johan.hedberg@...il.com, kuba@...nel.org,
linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
marcel@...tmann.org, netdev@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in hci_chan_del

On Sat, Jun 05, 2021 at 09:43:43AM +0200, Greg KH wrote:
> On Fri, Jun 04, 2021 at 10:11:03AM -0700, SyzScope wrote:
> > Hi Greg,
> >
> > > Who is working on and doing this "research project"?
> > We are a group of researchers from University of California, Riverside (we
> > introduced ourselves in an earlier email to security@...nel.org if you
> > recall).
>
> I do not recall that, sorry, when was that?
>
> > Please allow us to articulate the goal of our research. We'd be
> > happy to hear your feedback and suggestions.
> >
> > > And what is it
> > > doing to actually fix the issues that syzbot finds? Seems like that
> > > would be a better solution instead of just trying to send emails saying,
> > > in short "why isn't this reported issue fixed yet?"
> > From our limited understanding, we know a key problem with syzbot bugs is
> > that there are too many of them - more than what can be handled by
> > developers and maintainers. Therefore, it seems some form of prioritization
> > on bug fixing would be helpful. The goal of the SyzScope project is to
> > *automatically* analyze the security impact of syzbot bugs, which helps with
> > prioritizing bug fixes. In other words, when a syzbot bug is reported, we
> > aim to attach a corresponding security impact "signal" to help developers
> > make an informed decision on which ones to fix first.
>
> Is that really the reason why syzbot-reported problems are not being
> fixed? Just because we don't know which ones are more "important"?
>
> As someone who has been managing many interns for a year or so working
> on these, I do not think that is the problem, but hey, what do I know...

My 2 cents, as the one who is fixing these external and internal syzkaller bugs
in RDMA. I would say that the main reason is a lack of the specific knowledge to fix
them and/or the amount of work to actually do it.

Many such failures are in neglected parts of the code.

And no, I personally won't care if someone adds a security score or not to
a syzkaller report; all reports should be fixed.

Thanks