"Full disclosure" from the University of Minnesota
"Full disclosure" from the University of Minnesota
Posted Apr 29, 2021 8:45 UTC (Thu) by error27 (subscriber, #8346)Parent article: "Full disclosure" from the University of Minnesota
The accidentally submitted a "valid" patch #5, but that was ignored and it was buggy. It is a double free.
I was the reviewer for #3. They next printk is fine. It's not a use after free as they claim. Their patch did fix a resource leak but I asked them to fix a more serious use after free and clean up the code.cause it is a double free.
Posted Apr 29, 2021 11:23 UTC (Thu)
by ledow (guest, #11753)
[Link] (5 responses)
They could have done anything from crashing systems to trashing filesystems to corrupting data to damaging hardware, and they were TRYING to put those bugs in, it's not like it was an unfortunate accident.
I have to agree with GregKH that this can't be tolerated.
If they want to do this, co-operate with higher-level maintainers to make sure they know exactly what patches are trying to do this, so they can make sure they don't hit production kernels, and they are then just a test of how far things can get through the process while having such bugs.
Posted Apr 29, 2021 12:47 UTC (Thu)
by mpg (subscriber, #70797)
[Link] (4 responses)
I'm surprised to read that. My understanding is that they only tried to see if the bugs would be accepted, but then withdrew each bug before it was merged. That is, they never had any intention of putting bugs in production code. If you have any evidence to the contrary, could you please quote a precise source for that?
Posted Apr 29, 2021 14:04 UTC (Thu)
by nedu (guest, #50951)
[Link] (2 responses)
It is my understanding that on or about Nov 21, 2020, Kangjie Lu posted a tweet announcing acceptance of the paper for the upcoming IEEE S&P symposium. In that tweet, he published a screenshot of the first page of that paper.[1][2]
It is also my understanding that on or before Nov 22, 2020, Kangjie Lu deleted that tweet, with a statement that, "it created many confusions".[3]
I have seen what has been represented to me as a copy of that screenshot, in which an abstract of the paper is reproduced.[4]
In that version of the abstract, I read the sentence, "As a proof of concept, we successfully introduce multiple exploitable use-after-free in the latest linux kernel (in a safe way)."[2]
Do also note, that besides the withdrawal of the tweet, that original sentence in the abstract was revised in a currently available version of the now-withdrawn paper.[5][6]
[1] https://pbs.twimg.com/media/End-XVOUUAA7gZ-?format=png&...
In discussion: again, you asked for "any evidence to the contrary".
And, I would concede that the original statement in the accepted abstract may have been puffery. It may have been confusion. It may have required further explanation.
But I also have to think "the latest linux kernel" may easily and naturally be read as referring to software running on other people's computers. And I can read that sentence as a cold, factual claim of an accomplished deed.
Posted Apr 29, 2021 22:28 UTC (Thu)
by mpg (subscriber, #70797)
[Link] (1 responses)
*I'll note that if we scroll down a bit on [3] they already tried to clarify that the malicious commits never got into the kernel, and in [4] the commenter already notes the contradiction.
Still, considering the full set of data we have today, I don't think it's justified to state that "they were deliberately trying to put bugs into production code", as the recent comment I was replying to did.
They did several things they shouldn't have done, such as experimenting on human subjects without their consent, making a paper with IMO weak methodology and relatively poor execution (I think we can hardly draw useful conclusions from their experiment) and communicating poorly about it (which again, would have been less of a problem if they had sought informed consent beforehand), but I don't think "deliberately trying to put bugs into production code" was one of them.
Posted Apr 30, 2021 21:56 UTC (Fri)
by rgmoore (✭ supporter ✭, #75)
[Link]
Not exactly. They say they never intended for their bugs to make it into a released kernel, but they said that only after the whole thing blew up and they were in damage control mode. We don't know what their true intent was. Maybe they intended to stop the bugs from ever being released. Maybe they thought it would be good to get one into a released version and then stealthily patch it in the next version, and that would be safe because it would be fixed by the time they told the world what they had done. We simply can't know what they would have done in the hypothetical world in which one of their patches had made it into the mainline kernel. We have only their word for it, and honestly their word isn't very good with a lot of people right now.
Posted Apr 29, 2021 17:35 UTC (Thu)
by HenrikH (subscriber, #31152)
[Link]
"Full disclosure" from the University of Minnesota
"Full disclosure" from the University of Minnesota
"Full disclosure" from the University of Minnesota
[2] https://pbs.twimg.com/media/End-YlwVoAADi1r?format=png&...
[2(a)] https://web.archive.org/web/20210429134044/https://pbs.tw...
[3] https://archive.is/SBpHn
[4] https://archive.is/iUdX0
[5] https://web.archive.org/web/20210427031705/https://raw.gi...
[6] https://web.archive.org/web/20210427062206/https://www-us...
"Full disclosure" from the University of Minnesota
"Full disclosure" from the University of Minnesota
I quickly learned that they tried to make sure the commits didn't get into the kernel.
"Full disclosure" from the University of Minnesota