Page 1 of 1

Huawei submitted a very poor quality Linux security patch

PostPosted: 2020-06-11 00:13
by pcalvert
Here's some news that I just saw for the first time a short while ago:
HKSP or Huawei Kernel Self Protection, as the name suggests, is a tool for kernel protection. It was submitted to the Linux Foundation for inclusion in the official Linux Kernel project through its mailing list on Sunday. The kernel protection tool was supposed to introduce a series of security-hardening options to the Linux kernel. However, on inspection, the patch was found to introduce a backdoor to the Linux kernel project.


See: androidrookies.com/huawei-dev-team-sends-a-buggy-hksp-patch-with-backdoor-to-linux-foundation/


EDIT:

The claim that the patch would have introduced a backdoor is false.


Phil

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-06-11 02:16
by CwF
Thank you.

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-06-11 09:33
by Head_on_a_Stick
Well at least they caught it. This time...

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-06-11 09:39
by LE_746F6D617A7A69
This case proves that open source idea just works -> think of what is happening in closed source code projects, where no one can verify the quality of code...

The code in this patch is indeed a crap, so this information is astonishing:
https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability
Further, on information from our sources, the employee is a Level 20 Principal Security staffer, the highest technical level within Huawei.
:lol:

That code has set-but-not-used variable: the compiler will issue a warning about this fact -> the code was never compiled before it was commit (never tested), or this isn't just a mistake...

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-06-11 13:03
by CwF
LE_746F6D617A7A69 wrote:think of what is happening in closed source code projects, where no one can verify the quality of code...


You mean like WPS Office maybe...

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-06-11 14:23
by LE_746F6D617A7A69
I mean closed source in general, but WPS Office is indeed a very good example ...

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-06-11 21:21
by Head_on_a_Stick
Just noticed that it was Grsecurity that caught Huawei red-handed — props to Brad Spangler & crew!

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-07-05 13:33
by Fernando Negro
This is why it's so easy for the mass media (and others) to manipulate people...

Almost no one checks the sources, or even *demands proofs* of what it's said.

("What? Russian hackers interfered in the elections? OK, I believe that just because you say so... Hey everyone, Russian hackers interfered in the elections!")


What sense would it make for Huawei, at this time (of all) - when it's being the target of spying suspicions - to submit a backdoor in plain sight? I mean, how *stupid* would Huawei have to be, to ruin their reputation (forever) with something like this - even more, at a time when everyone is paying close attention to whatever they do? And, how could a company supposedly this stupid ever reach a top position on the market? Don't you find this supposed episode immensely convenient for those who have an interest in launching suspicions about Huawei?


If you check the source for such "article", you'll read the following:

(Pay special attention to the first update at the start of the post...)

Huawei HKSP Introduces Trivially Exploitable Vulnerability

Re: Huawei submitted Linux security patch containing a backd

PostPosted: 2020-07-05 17:33
by Head_on_a_Stick
Yes, the press coverage does seem a bit hyperbolic (or just plain hyper bollocks) but the fact remains that Huawei tried to submit code that was badly flawed and it's not the first time they've added code to the kernel.

Re: Huawei submitted a very poor quality Linux security patc

PostPosted: 2020-07-06 10:38
by pcalvert
I just changed the subject line of the original post to better reflect what actually happened.

Phil