Greg Kroa Hartman (Greg Kroah Hartman), which is responsible for supporting the stable branch of the Linux kernel, made a decision To prohibit the reception in the Linux kernel of any changes coming from the University of Minnesota, as well as roll back all previously accepted patches. The cause of the blocking was the activity of the research group, studying The ability to promote hidden vulnerabilities in the code open projects. The specified group sent patches, including various errors, watched the community response and studied the path of deception of the process of reviewing changes. Opinion Greg Conducting such experiments on the implementation of malicious changes is unacceptable and unethical.
The reason for the lock served Sending Participants of this group of patch, which added a pointer check to eliminate a possible double function call “FREE”. Taking into account the context of using the pointer to the check was is meaningless . The purpose of sending a patch was to study whether the erroneous change will pass the reference to the kernel developers. In addition to the specified patch, other attempts of developers from the University of Minnesota will also have dubious changes in the nucleus, including those associated with by adding Hidden vulnerabilities.
The participant who sent patches tried to justify the fact that he was experiencing a new static analyzer and the change was prepared on the basis of the test results in it. But Greg drew attention to the fact that the proposed corrections are not typical for errors identified by static analyzers, and all sent patches are not corrected at all. Considering the fact that the considered group of researchers has already tried in the past to promote corrections with hidden vulnerabilities “use-after-free”, it is obvious that they continued their experiments on the core developer community.
Interestingly, in the past, the head of the conductive experiments of the group took part in legitimate correction of vulnerabilities, for example, revealed Information leaks in the USB stack (CVE-2016-4482) and the network subsystem (CVE-2016-4485).