
Linux Kernel dev bans University of Minnesota for sending malicious patches

By -
Last updated: 22 Apr 2021 at 8:44 am UTC

Here is your daily dose of WTF. Linux Kernel developer Greg Kroah-Hartman has called out "researchers" from the University of Minnesota and banned them from submitting code to the Linux Kernel.

This story is pretty wild and completely ridiculous. In the name of some apparent research and a written paper titled "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits", the people involved have now been called out for "sending known-buggy patches to see how the kernel community would react to them".

It goes further: patches have continued to roll in after the paper was published, so the group is "continuing to experiment on the kernel community developers by sending such nonsense patches", with the patches not actually doing anything at all. Kroah-Hartman certainly wasn't holding back:

Our community does not appreciate being experimented on, and being "tested" by submitting known patches that are either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

In a further post, Kroah-Hartman sent in a patch reverting a batch of changes from the group, so they can be gone over fully to ensure they're safe and actually do something.

From a certain point of view, it's nice to know that the Kernel team are good at picking up malicious code and attempts to introduce bugs - but doing this to such a huge important project, live and in the open in the name of research? That's just not right.

Update: so the plot thickens it seems! Sarah Jamie Lewis, the Executive Director of Open Privacy, pointed out on Twitter (be sure to read the thread) that they and others expressed concerns about it in 2020 in a co-signed letter to the IEEE S&P (IEEE Symposium on Security and Privacy). It really doesn't look good.

Update 2: Leadership in the University of Minnesota Department of Computer Science & Engineering released a statement on Twitter, noting that it has suspended the research and will be looking into how it got approved in the first place.

Article taken from GamingOnLinux.com.
Tags: Kernel, Misc

whizse 21 Apr 2021
What do you call foreign when the subject at hand is Linux kernel development?
The BSD crowd.
Lofty 21 Apr 2021
foreign interference ?
What do you call foreign when the subject at hand is Linux kernel development?

Actually a good point. I hadn't thought of it like that.

I'll stick with my first thought on the matter.


Last edited by Lofty on 21 Apr 2021 at 9:46 pm UTC
Purple Library Guy 21 Apr 2021
I have a research proposition: let's get ourselves a pharmaceutical company and force this company to introduce poison in some of its medications and distribute those poisoned drugs through a common distribution network. In the name of research, of course! I think we must determine the pharmaceutical industry's ability to identify and block malicious drugs!

HINT: That was sarcasm.
Wasn't that Oxycontin?
(No, my mistake--they did that one deliberately)


Last edited by Purple Library Guy on 21 Apr 2021 at 11:04 pm UTC
slaapliedje 21 Apr 2021
Every day we step closer to the brink of idiocracy.
https://www.youtube.com/watch?v=v435y5TNMjQ

Pretty sure it's already confirmed...
slaapliedje 21 Apr 2021
I have a research proposition: let's get ourselves a pharmaceutical company and force this company to introduce poison in some of its medications and distribute those poisoned drugs through a common distribution network. In the name of research, of course! I think we must determine the pharmaceutical industry's ability to identify and block malicious drugs!

HINT: That was sarcasm.
Wasn't that Oxycontin?
(No, my mistake--they did that one deliberately)

This is where the software used for gamingonlinux needs to have different things besides just a 'like'. As I'd like, laugh, cry and praise this comment!
kokoko3k 22 Apr 2021
If I understood well, there are 2 distinct facts here:

1) Researchers did it wrong.
2) Linux needs more code quality control in the first place, since the malicious code made its way into mainline and stayed there unnoticed for a long time.

Personally, I don't care much about the former, but the latter scares me, and still I notice that everyone is focusing on #1.
Phlebiac 22 Apr 2021
Linux needs more code quality control in the first place

I think good code reviews are under-appreciated. As someone who spends quite a bit of time reviewing other people's code submissions to see what they need to improve/fix, I can tell you it's way less "fun" than writing code yourself. Sometimes it's interesting to see how someone does something clever, but most of the time it's "should I just rewrite this myself, or take the time to explain why it's wrong?"
jens 22 Apr 2021
If I understood well, there are 2 distinct facts here:

1) Researchers did it wrong.
2) Linux needs more code quality control in the first place, since the malicious code made its way into mainline and stayed there unnoticed for a long time.

Personally, I don't care much about the former, but the latter scares me, and still I notice that everyone is focusing on #1.

I think it is both. A reviewer approaches reviews with the mindset that the requester wanted to help and (at least partially) did their home work. Assuming that the general intention is wrong, gives a very different angle to reviews.
kokoko3k 22 Apr 2021
Linux needs more code quality control in the first place

I think good code reviews are under-appreciated. [..]

Quite the contrary, your work is very appreciated, but obviously it is now evident that Linux needs more people like you.
kokoko3k 22 Apr 2021
[..] A reviewer approaches reviews with the mindset that the requester wanted to help and (at least partially) did their home work. Assuming that the general intention is wrong, gives a very different angle to reviews.
Unfortunately, that was the point of the research itself.
Putting it that way, it is a form of successful social hacking.
jens 22 Apr 2021
[..] A reviewer approaches reviews with the mindset that the requester wanted to help and (at least partially) did their home work. Assuming that the general intention is wrong, gives a very different angle to reviews.
Unfortunately, that was the point of the research itself.
Putting it that way, it is a form of successful social hacking.

Yes. Actually I would even go further. This _was_ a fully executed social hack done “in the name of research”. Really disgusting.
kokoko3k 22 Apr 2021
Yet hacking is not necessarily a bad thing; the way they did it is.
Nanobang 22 Apr 2021
The power of FOSS in action, baby.

The bad-ol'-puddycats at the U o' Monty were stopped by the bazaar I work in and a paradigm I believe in.

I furiously fill with a sense of pride when I see my Community respond to a threat. The Community is so egalitarian and sharing, it's often easy to forget that it has real teeth. So, yeah, let's hold UoM accountable in a meaningful way: exile and hopefully, possibly, litigation. (also, it'll be interesting to see what, if any, reaction Anonymous-types have to this debacle.)

Researchers like these, without an atom of a jot of scruples, flouting the very notion of ethics, deserve exile at the very least. Personally, I'd love to see these "researchers" drummed from the scientific community forever. They're either too unethical or too sack-of-hammers ignorant to continue in academia.

So huzzah, brethren, sistren, et al of the Community. Raise your metaphorical glasses and join me in a toast to FOSS and another successful blow to the Cathedral!

** Ok, I need to take a cold shower now, before my sense of drama carries me yet further away. **


Last edited by Nanobang on 22 Apr 2021 at 12:56 pm UTC
Linux needs more code quality control in the first place

I think good code reviews are under-appreciated. As someone who spends quite a bit of time reviewing other people's code submissions to see what they need to improve/fix, I can tell you it's way less "fun" than writing code yourself. Sometimes it's interesting to see how someone does something clever, but most of the time it's "should I just rewrite this myself, or take the time to explain why it's wrong?"

I'm grateful that we have the manpower to actually do this work in the Linux world, although it may not be appreciated as much as it should be.

FreeBSD had quite an ordeal with the Wireguard port to their kernel recently; and the defective code probably slipped through because they don't have enough 'eyeballs' on the code in the first place:
https://arstechnica.com/gadgets/2021/03/buffer-overruns-license-violations-and-bad-code-freebsd-13s-close-call/


Last edited by walther von stolzing on 22 Apr 2021 at 12:43 pm UTC
Mohandevir 22 Apr 2021
Correct me if I'm wrong, but the code that was submitted, in the name of "research", did nothing really bad, in fact... Even nothing at all in many cases... How was this a real threat? That's probably why it slipped through; nothing bad could come out of it. We don't know if they would have been caught if they had tried to implement a real backdoor or a major security flaw... From what I understand by GKH's reaction, it was useless pieces of code, so not really relevant to determine if they could implement "evil dormant code". Wouldn't this make the study a waste of time without any semblance of relevant conclusions?

Sorry if I'm wrong to think so.


Last edited by Mohandevir on 22 Apr 2021 at 12:58 pm UTC
Nanobang 22 Apr 2021
Sorry if I'm wrong to think so.

Please, friend Mohandevir, don't ever apologize for what you think. Ideas are the last bastion of freedom, a cornerstone of democracy, and the fuel of all that is Open Source, don't you think? ;)

I, for one, thank you for sharing your thoughts with us. :)
Mohandevir 22 Apr 2021
Sorry if I'm wrong to think so.

Please, friend Mohandevir, don't ever apologize for what you think. Ideas are the last bastion of freedom, a cornerstone of democracy, and the fuel of all that is Open Source, don't you think? ;)

I, for one, thank you for sharing your thoughts with us. :)

Nice answer from you. Thanks. What I really meant is that it's possible that I'm off the track and I'd like to be educated, if possible. It's just a first impression that might be based on false assumptions on my part.
slembcke 22 Apr 2021
Uff. My cousin-in-law is an engineering prof there and seems pretty mad that the IRB allowed this. His words had more swearing though... Not clear if he knows more details than the article above though.

Just in case people aren't familiar, an IRB, or Institutional Review Board, is the group that reviews research proposals and gets to say "no, that's silly and/or unethical".
soulsource 22 Apr 2021
Uff. My cousin-in-law is an engineering prof there and seems pretty mad that the IRB allowed this. His words had more swearing though... Not clear if he knows more details than the article above though.

Just in case people aren't familiar, an IRB, or Institutional Review Board, is the group that reviews research proposals and gets to say "no, that's silly and/or unethical".

I can understand the swearing. This shines a pretty bad light on the whole university and everyone who graduated/works there. It wouldn't surprise me if this had consequences outside the kernel development, like editors of journals double-checking submissions from the University of Minnesota due to ethical concerns. Those guys probably hurt their own University more than the Linux project...
14 24 Apr 2021
This is a shame.