The Linux kernel is one of the largest software projects in modern history, with roughly 28 million lines of code.
Contributors from all over the world and from many different fields submit a large number of patches to the Linux kernel maintainers every day, so that the patches can be reviewed before being merged into the official Linux kernel tree.
A patch might fix a bug or a minor issue in the kernel, or introduce a new feature.
However, some contributors have now been caught by the Linux kernel maintainers while trying to stealthily submit patches that contain security vulnerabilities.
Researchers from the University of Minnesota in the US were working on a research paper about submitting patches containing hidden security vulnerabilities to open source projects, in order to measure how likely such patches are to be accepted and merged. Patches like these could leave the affected open source projects vulnerable to various attacks.
They used the Linux kernel as one of their main experiments, due to its reputation and its widespread adoption around the world.
The patches these researchers submitted did not seem to completely fix the issues they claimed to address, but they also did not appear, at first sight, to introduce a security vulnerability. A number of the patches they submitted were indeed merged into the Linux kernel tree.
However, the researchers have now been caught by the Linux kernel maintainers and publicly humiliated. In an email by Greg Kroah-Hartman, one of the major Linux kernel maintainers, their approach was disclosed and their so-called “newbie patches” were thrown under the bus.
Greg and a number of other maintainers were clearly not happy about this, since such experiments consume the maintainers' time and effort and amount to engaging in bad faith with the Linux kernel development process.
Finally, Greg announced that the Linux kernel will ban all contributions from the University of Minnesota: the patches they previously submitted will be removed from the kernel, and no new patches will be accepted from them in the future.
The research paper they were working on was published back in February 2021, around two months ago. In the paper, they disclose the approach and methods they used to get vulnerabilities inserted into the Linux kernel and other open source projects.
They also claim that the majority of the vulnerabilities they secretly tried to introduce into various open source projects were successfully inserted, at an average rate of around 60%.
It is still unclear at this moment which other open source projects they targeted, and how many vulnerabilities they actually succeeded in inserting into those projects.
Greg has since sent another email in which he reverts most of the patches from the University of Minnesota from the Linux kernel, and puts some of them on hold.