Last week, senior Linux kernel developer Greg Kroah-Hartman announced that all University of Minnesota Linux patches would be summarily rejected by default.
This policy change came as a result of three University of Minnesota researchers — Qiushi Wu, Kangjie Lu, and Aditya Pakki — embarking on a program to test the Linux kernel development community’s resistance to what the group called “hypocritical commitments.”
Testing the Linux Kernel Community
The trio’s scheme involved finding three easy-to-fix, low-priority bugs in the Linux kernel and then fixing them, but in such a way that the fix also completed what the UMN researchers called an “immature vulnerability”:
We use a static analysis tool to identify three “immature vulnerabilities” in Linux, and accordingly detect three real minor bugs that should be fixed. The “immature vulnerabilities” are not real vulnerabilities because one condition (such as using a freed object) is still missing […] We are constructing three incorrect or incomplete minor patches to fix the three bugs. However, these minor patches introduce the missing conditions of the “immature vulnerabilities”.
The three researchers would then email their Trojan horse patches to Linux kernel administrators to see if the administrators discovered the more serious problem the researchers had introduced while fixing a minor bug. After the admins responded to the submitted patch, the UMN researchers pointed to the bug introduced by their patch and offered a “correct” patch — one that didn’t introduce a new exploitable condition — instead.
Lu, Wu and Pakki published their findings at the 42nd IEEE Symposium on Security and Privacy in February.
Last week, in response to these “hypocritical promises,” senior Linux kernel developer Greg Kroah-Hartman rolled back 68 patches submitted by people with umn.edu email addresses. In addition to rolling back these 68 existing patches, Kroah-Hartman announced a “default rejection” policy for future patches from anyone with a
Kroah-Hartman went on to allow exceptions for such future patches as “they provide the evidence and you can verify it,” but he went on to ask, “why waste your time on that extra work?”
The University of Minnesota’s Department of Computer Science and Engineering responded to the ban by immediately “suspend[ing] this line of research,” promising to examine the researchers’ method and the process by which it was approved.
Apologies not accepted
This Saturday, the UMN research team apologized to the Linux community via an open letter on the Linux Kernel Mailing List. The nearly 800-word open letter comes across as more of a “wait, you don’t understand” than an apology:
We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities. Our work is done with the best of intentions and revolves around finding and fixing security vulnerabilities.
The “hypocritical commits” work was done in August 2020; it was intended to improve the security of the patching process in Linux. As part of the project, we studied potential issues with the Linux patching process, including the causes of the issues and suggestions for addressing them.
Kroah-Hartman acknowledged the letter Sunday, but was clearly less impressed:
As you know, the Linux Foundation and the Linux Foundation’s Technical Advisory Board sent a letter to your university on Friday outlining the specific actions to be taken to ensure that your group and your university can work towards regaining the trust of the Linux kernel community.
Until those measures are taken, we have nothing to discuss on this matter.
We don’t know at this point exactly what actions Kroah-Hartman and the Linux Foundation are asking for from the group and its university.