Huawei submitted a very poor quality Linux security patch


Postby pcalvert » 2020-06-11 00:13

Here's some news that I just saw for the first time a short while ago:
HKSP or Huawei Kernel Self Protection, as the name suggests, is a tool for kernel protection. It was submitted to the Linux Foundation for inclusion in the official Linux Kernel project through its mailing list on Sunday. The kernel protection tool was supposed to introduce a series of security-hardening options to the Linux kernel. However, on inspection, the patch was found to introduce a backdoor to the Linux kernel project.


See: androidrookies.com/huawei-dev-team-sends-a-buggy-hksp-patch-with-backdoor-to-linux-foundation/


EDIT:

The claim that the patch would have introduced a backdoor is false.


Phil
Last edited by pcalvert on 2020-07-13 00:47, edited 2 times in total.
“Property is the fruit of labor; property is desirable; it is a positive good
in the world. That some should be rich shows that others may become
rich, and hence is just encouragement to industry and enterprise.”
— Abraham Lincoln
pcalvert
 
Posts: 1906
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Huawei submitted Linux security patch containing a backd

Postby CwF » 2020-06-11 02:16

Thank you.
CwF
 
Posts: 814
Joined: 2018-06-20 15:16

Re: Huawei submitted Linux security patch containing a backd

Postby Head_on_a_Stick » 2020-06-11 09:33

Well at least they caught it. This time...
Black Lives Matter

Debian buster-backports ISO image: for new hardware support
Head_on_a_Stick
 
Posts: 12804
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Huawei submitted Linux security patch containing a backd

Postby LE_746F6D617A7A69 » 2020-06-11 09:39

This case proves that the open source idea just works -> think of what is happening in closed source code projects, where no one can verify the quality of code...

The code in this patch is indeed crap, so this information is astonishing:
https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability
Further, on information from our sources, the employee is a Level 20 Principal Security staffer, the highest technical level within Huawei.
:lol:

That code has a set-but-not-used variable: the compiler will issue a warning about this fact -> the code was never compiled before it was committed (never tested), or this isn't just a mistake...
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed
LE_746F6D617A7A69
 
Posts: 414
Joined: 2020-05-03 14:16

Re: Huawei submitted Linux security patch containing a backd

Postby CwF » 2020-06-11 13:03

LE_746F6D617A7A69 wrote: think of what is happening in closed source code projects, where no one can verify the quality of code...


You mean like WPS Office maybe...
CwF
 
Posts: 814
Joined: 2018-06-20 15:16

Re: Huawei submitted Linux security patch containing a backd

Postby LE_746F6D617A7A69 » 2020-06-11 14:23

I mean closed source in general, but WPS Office is indeed a very good example ...
LE_746F6D617A7A69
 
Posts: 414
Joined: 2020-05-03 14:16

Re: Huawei submitted Linux security patch containing a backd

Postby Head_on_a_Stick » 2020-06-11 21:21

Just noticed that it was Grsecurity that caught Huawei red-handed — props to Brad Spengler & crew!
Head_on_a_Stick
 
Posts: 12804
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Huawei submitted Linux security patch containing a backd

Postby Fernando Negro » 2020-07-05 13:33

This is why it's so easy for the mass media (and others) to manipulate people...

Almost no one checks the sources, or even *demands proofs* of what is said.

("What? Russian hackers interfered in the elections? OK, I believe that just because you say so... Hey everyone, Russian hackers interfered in the elections!")


What sense would it make for Huawei, at this time (of all) - when it's being the target of spying suspicions - to submit a backdoor in plain sight? I mean, how *stupid* would Huawei have to be, to ruin their reputation (forever) with something like this - even more, at a time when everyone is paying close attention to whatever they do? And, how could a company supposedly this stupid ever reach a top position on the market? Don't you find this supposed episode immensely convenient for those who have an interest in launching suspicions about Huawei?


If you check the source for such an "article", you'll read the following:

(Pay special attention to the first update at the start of the post...)

Huawei HKSP Introduces Trivially Exploitable Vulnerability
I just *love* the stability, much more bug-free nature, and also modular installation options, of Debian. Apart from the unfortunate adoption of "systemd" (viewtopic.php?f=20&t=129881&start=165#p671030) this distribution is *great*.
Fernando Negro
 
Posts: 129
Joined: 2013-11-24 01:29
Location: Portugal

Re: Huawei submitted Linux security patch containing a backd

Postby Head_on_a_Stick » 2020-07-05 17:33

Yes, the press coverage does seem a bit hyperbolic (or just plain hyper bollocks) but the fact remains that Huawei tried to submit code that was badly flawed and it's not the first time they've added code to the kernel.
Head_on_a_Stick
 
Posts: 12804
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Huawei submitted a very poor quality Linux security patc

Postby pcalvert » 2020-07-06 10:38

I just changed the subject line of the original post to better reflect what actually happened.

Phil
pcalvert
 
Posts: 1906
Joined: 2006-04-21 11:19
Location: Sol Sector

