Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <YIHG7sLouq+hZXr8@gmail.com>
Date: Thu, 22 Apr 2021 11:56:46 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: oss-security@...ts.openwall.com
Subject: Re: Malicious commits to Linux kernel as part of
 university study

On Thu, Apr 22, 2021 at 06:49:15PM +0100, Mark Steward wrote:
> On Thu, Apr 22, 2021 at 6:23 PM Ariadne Conill <ariadne@...eferenced.org> wrote:
> ...
> > By mining the LKML archive, it may be possible to find the original set of
> > patch submissions by searching for similar keywords as the messages from
> > Aditya.  If somebody can do that, then we would be able to determine at
> > least some of the emails likely to have originated the patches.
> >
> 
> This looks like a good guess to me, and if correct, means none of the
> submissions in the paper were successful:
> 
>   https://lore.kernel.org/linux-nfs/YIEqt8iAPVq8sG+t@sol.localdomain/
> 

Note that one of the patches (the one matching Figure 11 in their paper) did get
accepted and is in mainline.  However, it doesn't actually have a bug as
intended, apparently because the author misunderstood what pci_disable_device()
does.  So I'm not sure what the story is for that patch.  Incompetence is
normally much more likely than malice, but this case would be doubly incompetent
(failing to actually write a malicious patch and then putting it in their paper
anyway, *and* failing to notice that the patch was accepted and still claiming
that none of their patches were accepted) so it's a bit strange.

It's also possible that this patch is misidentified, but it seems pretty likely
it's correct given that that email account has only submitted two patches, both
on the same day in the time frame expected for the paper, which both matched
code snippets from the paper.  The other email account also had very similar
characteristics as well as a clearly fake name.

Anyway, the apparent misconduct of this university group aside, the real story
here is that people are going to (or at least *should*) be more careful about
reviewing Linux kernel patches, which is a good thing.  But yes, it appears that
of the malicious patches that were sent, only one was accepted (even into a
maintainer tree) and that was because it was actually a correct patch.  (That's
assuming that the new patches from Aditya Pakki aren't also malicious, which I
personally think they aren't, but naturally they don't get the benefit of the
doubt anymore given that they're apparently part of the same research group.)

- Eric

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.