On 13.02.21 22:54, Fam Zheng wrote:
> On 2021-02-11 15:26, Philippe Mathieu-Daudé wrote:
>> The null-co driver doesn't zeroize buffers in its default config,
>> because it is designed for testing and tests want to run fast.
>> However this confuses security researchers (access to uninit
>> buffers).
>
> I'm a little surprised.
>
> Is changing the default the only way to fix this? I'm not opposed to
> changing the default but I'm not convinced this is the easiest way.
>
> block/nvme.c also doesn't touch the memory, but defers to the device
> DMA. Why doesn't that confuse the security checker?
>
> Can't we just somehow annotate it in a way that the checker can
> understand (akin to how we provide coverity models) and be done?
The question is, why wouldn’t we change the default? read-zeroes=true
seems the better default to me. I consider silencing valgrind warnings
and the like a nice side effect.
Max