From: Matthew Hall
Subject: Re: Coverity policy for upstream (base) drivers.
Date: Thu, 12 Nov 2015 17:55:11 -0500
Message-ID: <20151112225511.GA10012@mhcomputing.net>
References: <20151112140508.79489210@xeon-e3>
In-Reply-To: <20151112140508.79489210@xeon-e3>
To: Stephen Hemminger
Cc: dev@dpdk.org

On Thu, Nov 12, 2015 at 02:05:08PM -0800, Stephen Hemminger wrote:
> Looking at the Coverity scan for DPDK, it looks like all the base
> drivers are marked to be ignored.
>
> Although the changes to base drivers should not be done directly through
> DPDK list, I think it is still valuable to have these drivers scanned and
> notify (badger) the vendors to fix their code.
>
> Since lots of the bugs could be there, just blindly ignoring warnings
> and issues is being naive.

I am with Stephen. Ignoring base driver vulns is a bad practice. With these
L1-L4 bugs the chances are good somebody could trigger these and find 0days
using tools as old and simple as this one:

http://isic.sourceforge.net/

Matthew.