The technical council of the Linux Foundation recently released a consolidated report on the incident related to researchers from the University of Minnesota which became quite a scandal, since they made attempts to introduce patches in the kernel that contain hidden errors that lead to vulnerabilities.
The kernel developers confirmed the published information previously, out of 5 patches prepared in the course of the «Hypocrite Commits» investigation, 4 patches with vulnerabilities were discarded immediately and at the initiative of the maintainers and did not enter the kernel repository.
Moreover, 435 confirmations were analyzed, including fixes submitted by developers from the University of Minnesota and not related to an experiment to promote hidden vulnerabilities.
On April 20, 2021, given the perception that a group of researchers at the University of Minnesota (UMN) had resumed shipping code compromising the Linux kernel.
Greg Kroah-Hartman asked the community to stop accepting patches from UMN and started a new review of all previously accepted University submissions.
This report summarizes the events that led to this point, reviews andthe "Hypocrite Commits" document that had been submitted for publication, and reviews all known previous kernel commits from UMN article authors that has been accepted into our source repository. Conclude with some suggestions on how the community, including UMN, can move
forward. Contributors to this document include Linux members
Foundation Technical Advisory Board (TAB), with the help of patch review from
many other members of the Linux kernel developer community.
And since 2018, a team of researchers from the University of Minnesota has been quite active in correcting errors. The new review did not reveal any malicious activity in these commits, but it did reveal some unintentional errors and shortcomings.
As well 349 confirmations are reported to have been deemed correct and unchanged. In 39 commits, problems requiring repair were found; these commits have been canceled and will be replaced by more correct fixes before kernel 5.13 is released.
The errors in 25 commits were fixed in subsequent changes and 12 commits lost their relevance, since they affected legacy systems that have already been removed from the kernel. One of the correct confirmations was canceled at the request of the author. 9 correct confirmations were sent from @ umn.edu addresses long before the formation of the analyzed research team.
To regain confidence in the University of Minnesota team and regain the opportunity to participate in kernel development, the Linux Foundation has proposed a number of requirements, most of which have already been met.
Due diligence required an audit to identify which authors participated in different research projects of the UMN, identify the intention of any patch and remove faulty patches regardless of intention. With this, the restoration of lThe community's trust in research groups is also important, since itThis incident could have a far-reaching impact on confidence in both addresses that could cool any researcher's participation in the kernel and in the developing.
For example, the researchers have already withdrawn the publication of "Hypocrite Commits" and canceled their talk at the IEEE Symposium, in addition to publicly disclosing the full chronology of events and providing details of the changes submitted during the study.
You have to remember that Greg Kroah-Hartman, who is responsible for maintaining the stable branch of the Linux kernel noticed the event and took the decision to deny any changes from the University of Minnesota to the Linux kernel, and revert all previously accepted patches and recheck them.
The reason for the blockade was the activities of a research group that studies the possibility of promoting hidden vulnerabilities in the code of open source projects, since this group has sent patches that include errors of various types.