Last week, senior Linux kernel developer Greg Kroah-Hartman announced that all Linux patches coming from the University of Minnesota would be summarily rejected by default.
This policy change came as a result of three University of Minnesota researchers—Qiushi Wu, Kangjie Lu, and Aditya Pakki—embarking on a program to test the Linux kernel dev community’s resistance to what the group called “Hypocrite Commits.”
Testing the Linux kernel community
The trio’s scheme involved first finding three easy-to-fix, low-priority bugs in the Linux kernel and then fixing them—but fixing them in such a way as to complete what the UMN researchers called an “immature vulnerability”:
We employ a static-analysis tool to identify three “immature vulnerabilities” in Linux, and correspondingly detect three real minor bugs that are supposed to be fixed. The “immature vulnerabilities” are not real vulnerabilities because one condition (such as a use of a freed object) is still missing […] We construct three incorrect or incomplete minor patches to fix the three bugs. These minor patches however introduce the missing conditions of the “immature vulnerabilities.”
The three researchers would then email their Trojan-horse patches to Linux kernel maintainers, to see if the maintainers detected the more serious problem the researchers had introduced in the course of fixing a minor bug. Once the maintainers responded to the submitted patch, the UMN researchers pointed out the bug introduced by their patch and offered a “proper” patch—one which did not introduce a newly exploitable condition—in its place.
Lu, Wu, and Pakki published their findings in February at the 42nd IEEE Symposium on Security and Privacy.
Last week, senior Linux kernel dev Greg Kroah-Hartman reverted 68 patches submitted by folks with umn.edu email addresses in response to these “Hypocrite Commits.” Along with reverting these 68 existing patches, Kroah-Hartman announced a “default reject” policy for future patches coming from anyone with an
Kroah-Hartman went on to allow exceptions for such future patches if “they provide proof and you can verify it,” but he went on to ask “really, why waste your time doing that extra work?”
The University of Minnesota Department of Computer Science and Engineering responded to the ban by immediately “suspend[ing] this line of research,” promising to investigate the researchers’ method—and the process by which it was approved.
Apology not accepted
This Saturday, the UMN research team apologized to the Linux community via an open letter posted to the Linux Kernel Mailing List. The nearly 800-word open letter comes across as more “wait, you don’t understand” than apology:
We just want you to know that we would never intentionally hurt the Linux kernel community and never introduce security vulnerabilities. Our work was conducted with the best of intentions and is all about finding and fixing security vulnerabilities.
The “hypocrite commits” work was carried out in August 2020; it aimed to improve the security of the patching process in Linux. As part of the project, we studied potential issues with the patching process of Linux, including causes of the issues and suggestions for addressing them.
Kroah-Hartman acknowledged the letter Sunday but was clearly less than impressed:
As you know, the Linux Foundation and the Linux Foundation’s Technical Advisory Board submitted a letter on Friday to your University outlining the specific actions which need to happen in order for your group, and your University, to be able to work to regain the trust of the Linux kernel community.
Until those actions are taken, we do not have anything further to discuss about this issue.
We do not know at this time what actions, exactly, Kroah-Hartman and the Linux Foundation require from the group and its university.