
Quotes of the week

It's not a very advanced regular expression, but I still find this a bit alarming in the Linux kernel:

    $ git log --no-merges v3.5..v3.6 | \
        egrep -i '(integer|counter|buffer|stack|fix) (over|under)flow' | \
        wc -l
    31

How many were security relevant? How many got CVEs?

Kees Cook

I chose SHA-512 because everyone knows it's 512 times more secure than SHA-1.
Rusty Russell

A familiar test case that makes 5 million random accesses to a 1GB memory area goes from 20 seconds down to 0.43 seconds with THP enabled on my SPARC T4-2 box.
— minor performance improvements from David Miller

I added "having no life" as a skill on my Linked In profile. Please endorse me!
Jon Masters


Quotes of the week - Kees Cook

Posted Oct 4, 2012 20:30 UTC (Thu) by jnareb (subscriber, #46500)

It's not a very advanced regular expression, but I still find this a bit alarming in the Linux kernel:

    $ git log --no-merges v3.5..v3.6 | \
        egrep -i '(integer|counter|buffer|stack|fix) (over|under)flow' | \
        wc -l
    31

How many were security relevant? How many got CVEs?

As Junio C Hamano wrote on his blog (in response to said G+ post) there are only 23 such commits (in which commits there are 31 occurrences, in some commits more than one).
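
An added example, not from the original post or the comments, that reproduces the distinction drawn above: the `egrep | wc -l` pipeline counts matching lines, while the number worth triaging is how many commits matched. It parses saved `git log` output (a constructed sample with made-up hashes and messages is embedded) and reports both counts; for real use, feed it the output of `git log --no-merges v3.5..v3.6`.

```python
import re

# Same pattern as the quoted pipeline; IGNORECASE mirrors `egrep -i`.
OVERFLOW_RE = re.compile(r'(integer|counter|buffer|stack|fix) (over|under)flow', re.IGNORECASE)

# Constructed sample of `git log --no-merges` output; hashes, authors and
# messages are made up for this example, not real kernel commits.
SAMPLE_LOG = """\
commit deadbee1
Author: Example Dev <dev@example.com>
Date:   Mon Sep 3 10:00:00 2012 +0000

    foo: fix integer overflow in size computation

    The length is user controlled, so an integer overflow here
    lets a buffer overflow follow. Check the bound first.

commit deadbee2
Author: Example Dev <dev@example.com>
Date:   Tue Sep 4 11:00:00 2012 +0000

    bar: refactor ring handling

commit deadbee3
Author: Example Dev <dev@example.com>
Date:   Wed Sep 5 12:00:00 2012 +0000

    baz: avoid stack overflow on deep recursion
"""

def split_commits(log_text):
    """Split raw `git log` text into (hash, body) pairs, one per commit header."""
    parts = re.split(r'^commit ([0-9a-f]{7,40})$', log_text, flags=re.MULTILINE)
    # parts[0] precedes the first header; then hash, body, hash, body, ...
    return [(parts[i], parts[i + 1]) for i in range(1, len(parts) - 1, 2)]

def matching_commits(log_text):
    """Hashes of commits whose message matches the pattern at least once."""
    return [h for h, body in split_commits(log_text) if OVERFLOW_RE.search(body)]

def count_matches(log_text):
    """Return (matching_lines, matching_commits).
    The first reproduces `egrep -i ... | wc -l`; the second is what Junio Hamano
    counted. A commit mentioning overflow on several lines inflates only the
    first, and neither count says whether the patch adds or removes the bug."""
    lines = sum(1 for line in log_text.splitlines() if OVERFLOW_RE.search(line))
    return lines, len(matching_commits(log_text))

if __name__ == "__main__":
    print(count_matches(SAMPLE_LOG), matching_commits(SAMPLE_LOG))
```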

Quotes of the week

Posted Oct 8, 2012 10:59 UTC (Mon) by ssam (guest, #46587)

but that does not tell you if the patch adds or removes the buffer overflow :-)

Quotes of the week

Posted Oct 10, 2012 19:39 UTC (Wed) by speedster1 (guest, #8143)

*chuckle* It would be so nice if people made a habit of warning of new bugs in commit messages.


Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds