@djm Have you seen the musl ones? They were sent off list but I cc'd the list & quoted on replies. All were wrong, most completely broke the functions they purported to fix. And the static analysis was erroneous.
Rich Felker (dalias@hachyderm.io), Monday, 25-Mar-2024 10:27:32 JST
Damien Miller (djm@cybervillains.com), Monday, 25-Mar-2024 10:27:33 JST
@dalias we've received a few that haven't been terrible
Rich Felker (dalias@hachyderm.io), Monday, 25-Mar-2024 10:27:34 JST
Heads-up FOSS maintainers!
There is a person sending bulk patches/PRs to FOSS projects for supposed issues "Found by RASU JSC" (not sure if that's a static analysis tool itself, or some org).
The patches I've received are all very, VERY wrong formulaic changes, maybe even LLM-generated, doing things as stupid as replacing sprintf(s, fmt, ...) with snprintf(s, sizeof s, fmt, ...) where s has pointer type.
If you've accepted any such patches, review carefully & possibly revert!
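The sprintf-to-snprintf rewrite described in the post, as an added illustration that is not musl code or any of the patches themselves: the functions and the "id=%u" format are hypothetical. When s is a pointer parameter, sizeof s is the size of the pointer (8 on LP64 targets), so the "fixed" call silently truncates output at 7 characters; the correct change threads the caller's buffer size through.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical functions written for this example. */

/* The mechanical "fix": sprintf(s, ...) became snprintf(s, sizeof s, ...)
   while s is a parameter of pointer type. sizeof s is sizeof(char *),
   i.e. 8 on LP64, so at most 7 characters plus the NUL are ever written,
   whatever size the caller's buffer actually is. */
int format_id_patched(char *s, unsigned id)
{
    return snprintf(s, sizeof s, "id=%u", id);   /* sizeof of a pointer, not of the buffer */
}

/* What the patch should have done: take the real buffer size. */
int format_id_fixed(char *s, size_t n, unsigned id)
{
    return snprintf(s, n, "id=%u", id);
}

/* sizeof yields the buffer length only when the operand is an array whose
   declaration is in scope, as buf is here. */
int format_id_local(unsigned id, char *out, size_t outn)
{
    char buf[32];
    int r = snprintf(buf, sizeof buf, "id=%u", id);   /* correct: buf is an array */
    if (r < 0 || (size_t)r >= sizeof buf || (size_t)r >= outn)
        return -1;
    memcpy(out, buf, (size_t)r + 1);
    return r;
}

int main(void)
{
    char buf[64];
    format_id_patched(buf, 1234567u);
    printf("patched: \"%s\" (%zu chars stored, sizeof(char *) == %zu)\n",
           buf, strlen(buf), sizeof(char *));
    format_id_fixed(buf, sizeof buf, 1234567u);
    printf("fixed:   \"%s\"\n", buf);
    return 0;
}
```

snprintf still returns the length the full output would have had, so the return value of the patched function looks normal while the buffer contents are wrong; a reviewer checking only the return value would not notice the truncation.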
Rich Felker (dalias@hachyderm.io), Monday, 25-Mar-2024 10:50:53 JST
@djm The most dangerous part is the combination of really low quality static analysis like that with authoritative sounding "this is the fix for this issue" formulaic patches.
Rich Felker (dalias@hachyderm.io), Monday, 25-Mar-2024 10:50:54 JST
@djm One was "this pointer is dereferenced later so return early if it's null" when the deref was conditional and not reachable if null, but where returning early made the common case completely non-operational.
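The null-check "fix" described in this post, as an added example that is not musl code or any of the actual patches: the function and its "NULL means default" convention are hypothetical. The dereference is guarded by a conditional, so the original is correct for NULL input; the patch's blanket early return makes that common default path fail.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical function written for this example: copy name into out,
   where a NULL name means "use the default label". */
int label_original(const char *name, char *out, size_t n)
{
    const char *src = name ? name : "default";   /* name is only dereferenced when non-NULL */
    size_t len = strlen(src);
    if (len + 1 > n)
        return -1;
    memcpy(out, src, len + 1);
    return (int)len;
}

/* The formulaic patch: a flat analysis saw name flow into strlen() and
   added an unconditional early return, ignoring the guard above. Callers
   that pass NULL for the default, the common case, now get an error. */
int label_patched(const char *name, char *out, size_t n)
{
    if (name == NULL)
        return -1;                                /* added by the patch; breaks the default path */
    const char *src = name ? name : "default";    /* now dead: src is always name */
    size_t len = strlen(src);
    if (len + 1 > n)
        return -1;
    memcpy(out, src, len + 1);
    return (int)len;
}

/* Reviewer check: does the patched function still accept every input the
   original accepted? Returns 1 if behaviour is unchanged for this input. */
int patch_preserves_behaviour(const char *name)
{
    char a[32], b[32];
    int ra = label_original(name, a, sizeof a);
    int rb = label_patched(name, b, sizeof b);
    if (ra != rb)
        return 0;
    return ra < 0 || strcmp(a, b) == 0;
}
```

The check function is the test a maintainer can run on any such patch: feed the pre- and post-patch functions the inputs the callers actually use, NULL included, and compare results rather than trusting the analyzer's "dereferenced later" claim.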
Amber (puppygirlhornypost@transfem.social), Tuesday, 26-Mar-2024 02:42:52 JST
@dalias@hachyderm.io https://www.reddit.com/r/HobbyDrama/comments/nku6bt/kernel_development_that_time_linux_banned_the/ reminds me of things like supply chain attack proof of concepts. Could be part of a study, could be intentionally malicious, etc.