Huawei submitted a very poor quality Linux security patch

pcalvert
Posts: 1924
Joined: 2006-04-21 11:19
Location: Sol Sector

Huawei submitted a very poor quality Linux security patch

#1 Post by pcalvert »

Here's some news that I just saw for the first time a short while ago:
HKSP or Huawei Kernel Self Protection, as the name suggests, is a tool for kernel protection. It was submitted to the Linux Foundation for inclusion in the official Linux Kernel project through its mailing list on Sunday. The kernel protection tool was supposed to introduce a series of security-hardening options to the Linux kernel. However, on inspection, the patch was found to introduce a backdoor to the Linux kernel project.
See: androidrookies.com/huawei-dev-team-sends-a-buggy-hksp-patch-with-backdoor-to-linux-foundation/


EDIT:

The claim that the patch would have introduced a backdoor is false.


Phil
Last edited by pcalvert on 2020-07-13 00:47, edited 2 times in total.
“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein

CwF
Posts: 1124
Joined: 2018-06-20 15:16
Has thanked: 1 time
Been thanked: 4 times

Re: Huawei submitted Linux security patch containing a backd

#2 Post by CwF »

Thank you.

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Huawei submitted Linux security patch containing a backd

#3 Post by Head_on_a_Stick »

Well at least they caught it. This time...
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

LE_746F6D617A7A69
Posts: 517
Joined: 2020-05-03 14:16

Re: Huawei submitted Linux security patch containing a backd

#4 Post by LE_746F6D617A7A69 »

This case proves that the open source idea just works -> think of what is happening in closed source code projects, where no one can verify the quality of the code...

The code in this patch is indeed crap, so this information is astonishing:
https://grsecurity.net/huawei_hksp_intr ... nerability
Further, on information from our sources, the employee is a Level 20 Principal Security staffer, the highest technical level within Huawei.
:lol:

That code has a set-but-not-used variable: the compiler will issue a warning about this fact -> the code was never compiled before it was committed (never tested), or this isn't just a mistake...
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

CwF
Posts: 1124
Joined: 2018-06-20 15:16
Has thanked: 1 time
Been thanked: 4 times

Re: Huawei submitted Linux security patch containing a backd

#5 Post by CwF »

LE_746F6D617A7A69 wrote: think of what is happening in closed source code projects, where no one can verify the quality of code...
You mean like WPS Office maybe...

LE_746F6D617A7A69
Posts: 517
Joined: 2020-05-03 14:16

Re: Huawei submitted Linux security patch containing a backd

#6 Post by LE_746F6D617A7A69 »

I mean closed source in general, but WPS Office is indeed a very good example ...
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Huawei submitted Linux security patch containing a backd

#7 Post by Head_on_a_Stick »

Just noticed that it was Grsecurity that caught Huawei red-handed — props to Brad Spengler & crew!
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

Fernando Negro
Posts: 129
Joined: 2013-11-24 01:29
Location: Portugal

Re: Huawei submitted Linux security patch containing a backd

#8 Post by Fernando Negro »

This is why it's so easy for the mass media (and others) to manipulate people...

Almost no one checks the sources, or even *demands proof* of what is said.

("What? Russian hackers interfered in the elections? OK, I believe that just because you say so... Hey everyone, Russian hackers interfered in the elections!")


What sense would it make for Huawei, at this time (of all times) - when it is the target of spying suspicions - to submit a backdoor in plain sight? I mean, how *stupid* would Huawei have to be, to ruin their reputation (forever) with something like this - even more so, at a time when everyone is paying close attention to whatever they do? And how could a company supposedly this stupid ever reach a top position in the market? Don't you find this supposed episode immensely convenient for those who have an interest in raising suspicions about Huawei?


If you check the source for such "article", you'll read the following:

(Pay special attention to the first update at the start of the post...)

Huawei HKSP Introduces Trivially Exploitable Vulnerability
I just *love* the stability, much more bug-free nature, and modular installation options of Debian. Apart from the unfortunate adoption of "systemd" (viewtopic.php?f=20&t=129881&start=165#p671030) this distribution is *great*.

Head_on_a_Stick
Posts: 13450
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Huawei submitted Linux security patch containing a backd

#9 Post by Head_on_a_Stick »

Yes, the press coverage does seem a bit hyperbolic (or just plain hyper bollocks) but the fact remains that Huawei tried to submit code that was badly flawed and it's not the first time they've added code to the kernel.
Black Lives Matter

Debian buster-backports ISO image: for new hardware support

pcalvert
Posts: 1924
Joined: 2006-04-21 11:19
Location: Sol Sector

Re: Huawei submitted a very poor quality Linux security patc

#10 Post by pcalvert »

I just changed the subject line of the original post to better reflect what actually happened.

Phil
“It is better to believe than to disbelieve; in doing so, it brings
everything into the realm of possibility.” — Albert Einstein
