Huawei submitted Linux security patch containing a backdoor


Postby pcalvert » 2020-06-11 00:13

Here's some news that I just saw for the first time a short while ago:
HKSP or Huawei Kernel Self Protection, as the name suggests, is a tool for kernel protection. It was submitted to the Linux Foundation for inclusion in the official Linux Kernel project through its mailing list on Sunday. The kernel protection tool was supposed to introduce a series of security-hardening options to the Linux kernel. However, on inspection, the patch was found to introduce a backdoor to the Linux kernel project.


See: Huawei dev team sends a buggy HKSP patch with backdoor to Linux Foundation


Phil
“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
 
Posts: 1894
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Huawei submitted Linux security patch containing a backd

Postby CwF » 2020-06-11 02:16

Thank you.
CwF
 
Posts: 691
Joined: 2018-06-20 15:16

Re: Huawei submitted Linux security patch containing a backd

Postby Head_on_a_Stick » 2020-06-11 09:33

Well at least they caught it. This time...
Head_on_a_Stick
 
Posts: 12132
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Huawei submitted Linux security patch containing a backd

Postby LE_746F6D617A7A69 » 2020-06-11 09:39

This case proves that the open source idea just works -> think of what is happening in closed source code projects, where no one can verify the quality of code...

The code in this patch is indeed crap, so this information is astonishing:
https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability
Further, on information from our sources, the employee is a Level 20 Principal Security staffer, the highest technical level within Huawei.
:lol:

That code has a set-but-not-used variable: the compiler will issue a warning about this fact -> the code was never compiled before it was committed (never tested), or this isn't just a mistake...
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
LE_746F6D617A7A69
 
Posts: 160
Joined: 2020-05-03 14:16

Re: Huawei submitted Linux security patch containing a backd

Postby CwF » 2020-06-11 13:03

LE_746F6D617A7A69 wrote: think of what is happening in closed source code projects, where no one can verify the quality of code...


You mean like WPS Office maybe...
CwF
 
Posts: 691
Joined: 2018-06-20 15:16

Re: Huawei submitted Linux security patch containing a backd

Postby LE_746F6D617A7A69 » 2020-06-11 14:23

I mean closed source in general, but WPS Office is indeed a very good example ...
LE_746F6D617A7A69
 
Posts: 160
Joined: 2020-05-03 14:16

Re: Huawei submitted Linux security patch containing a backd

Postby Head_on_a_Stick » 2020-06-11 21:21

Just noticed that it was Grsecurity that caught Huawei red-handed — props to Brad Spengler & crew!
Head_on_a_Stick
 
Posts: 12132
Joined: 2014-06-01 17:46
Location: /dev/chair
