On Wed, May 29, 2013 at 10:27:50AM +0900, Greg Kroah-Hartman wrote:
> On Fri, May 24, 2013 at 05:42:52PM -0700, Sarah Sharp wrote:
> > This patchset addresses some (but not all) of the security issues found
> > with the Klocwork static analysis tool.  I have not reviewed these in
> > detail to see if these could be used by attackers, so someone with more
> > security experience may want to look these over.
> 
> A lot of these changes are just to add checks to functions that you are
> calling yourself.  How can those pointers be "not valid" when you
> control what you pass to them?

It's purely paranoia.  It's entirely possible we'll add new code later
that would accidentally trigger these checks.  That's especially true
of, say, the device speeds, since "USB 3.1" (10Gbps) is in the works.

> Those seem over-eager, and not really needed.  Or am I missing
> somewhere that could change the pointer without the driver knowing it?

In all honesty, these patches are the result of a bureaucratic push for
"code quality".  We switched static analysis tools from Coverity to
Klocwork, and the QA folks pushed us to fix the "issues" that Klocwork
discovered.

If you don't think they're appropriate, let me know, and I'll push back.

Sarah Sharp