On Sat, Jun 05, 2021 at 09:43:43AM +0200, Greg KH wrote: > On Fri, Jun 04, 2021 at 10:11:03AM -0700, SyzScope wrote: > > Hi Greg, > > > > > Who is working on and doing this "reseach project"? > > We are a group of researchers from University of California, Riverside (we > > introduced ourselves in an earlier email to security@xxxxxxxxxx if you > > recall). > > I do not recall that, sorry, when was that? > > > Please allow us to articulate the goal of our research. We'd be > > happy to hear your feedback and suggestions. > > > > > And what is it > > > doing to actually fix the issues that syzbot finds? Seems like that > > > would be a better solution instead of just trying to send emails saying, > > > in short "why isn't this reported issue fixed yet?" > > From our limited understanding, we know a key problem with syzbot bugs is > > that there are too many of them - more than what can be handled by > > developers and maintainers. Therefore, it seems some form of prioritization > > on bug fixing would be helpful. The goal of the SyzScope project is to > > *automatically* analyze the security impact of syzbot bugs, which helps with > > prioritizing bug fixes. In other words, when a syzbot bug is reported, we > > aim to attach a corresponding security impact "signal" to help developers > > make an informed decision on which ones to fix first. > > Is that really the reason why syzbot-reported problems are not being > fixed? Just because we don't know which ones are more "important"? > > As someone who has been managing many interns for a year or so working > on these, I do not think that is the problem, but hey, what do I know... My 2 cents, as the one who is fixing these external and internal syzkaller bugs in RDMA. I would say that the main reason is lack of specific knowledge to fix them or/and amount of work to actually do it. Many of such failures are in neglected parts of code. And no, I personally won't care if someone adds security score or not to syzkaller report, all reports should be fixed. Thanks
