Is @gregkh saying #linux kernel is at the point where testing it and reporting more security bugs does not have any value anymore? I am concerned.
"We are drowning in syzkaller reports and just throwing them at us doesn't really help anyone here anymore"
https://lore.kernel.org/dri-devel/20200710103910.GD1203263@kroah.com/ …
It’s a matter of degree. While every crash from user space is an issue that should be fixed, it’s worth asking who is benefiting by calling it a security issue. It’s much more beneficial to everyone if a report gives a fix, which was the real point.
Maybe useful to know 'this interface (USB, netlink, io_uring...) is full of holes, maybe correct those before opening seven hundred more?' I mean those big reports come with a reproducer. It's not like static analysis where there are false positives. It crashes and here's why.
In reply to @touisteur @openlabbott and others
Or some other analysis about common patterns in the reports that could help with figuring out what’s wrong, something to help with the scale.
In reply to @broonie @openlabbott and others
@dvyukov is there some kind of bisect applied on crashes in syzkaller? Would be interesting to gather 'all' crash-inducing commits, delta-reduced and have a Cyber Grand Challenge for automatic Linux kernel patching ;-)
syzkaller does do some bisection, but it seems to be limited at the moment with a number of false-positives. I'm sure they could use help in making it more robust.