Date: Thu, 22 Apr 2021 11:56:46 -0700
From: Eric Biggers <ebiggers@...nel.org>
To: oss-security@...ts.openwall.com
Subject: Re: Malicious commits to Linux kernel as part of university study

On Thu, Apr 22, 2021 at 06:49:15PM +0100, Mark Steward wrote:
> On Thu, Apr 22, 2021 at 6:23 PM Ariadne Conill <ariadne@...eferenced.org> wrote:
> ...
> > By mining the LKML archive, it may be possible to find the original set of
> > patch submissions by searching for similar keywords as the messages from
> > Aditya. If somebody can do that, then we would be able to determine at
> > least some of the emails likely to have originated the patches.
> >
>
> This looks like a good guess to me, and if correct, means none of the
> submissions in the paper were successful:
>
> https://lore.kernel.org/linux-nfs/YIEqt8iAPVq8sGemail@example.com/
>

Note that one of the patches (the one matching Figure 11 in their paper) did get accepted and is in mainline. However, it doesn't actually have a bug as intended, apparently because the author misunderstood what pci_disable_device() does. So I'm not sure what the story is for that patch. Incompetence is normally much more likely than malice, but this case would be doubly incompetent (failing to actually write a malicious patch and then putting it in their paper anyway, *and* failing to notice that the patch was accepted and still claiming that none of their patches were accepted), so it's a bit strange.

It's also possible that this patch is misidentified, but it seems pretty likely it's correct given that that email account has only submitted two patches, both on the same day in the time frame expected for the paper, which both matched code snippets from the paper. The other email account also had very similar characteristics as well as a clearly fake name.

Anyway, the apparent misconduct of this university group aside, the real story here is that people are going to (or at least *should*) be more careful about reviewing Linux kernel patches, which is a good thing. But yes, it appears that of the malicious patches that were sent, only one was accepted (even into a maintainer tree), and that was because it was actually a correct patch. (That's assuming that the new patches from Aditya Pakki aren't also malicious, which I personally think they aren't, but naturally they don't get the benefit of the doubt anymore given that they're apparently part of the same research group.)

- Eric