University of Minnesota Linux code security issues; banned and to be removed

[magic]

No, this whole drama proves that Linux has a rubber stamping process in place, which is not quite the same as review.

This seems to be the patch that directly triggered Greg's rage:

Code: [Select]

Subject: [PATCH] SUNRPC: Add a check for gss_release_msg
Date: Tue,  6 Apr 2021 19:16:56 -0500
Message-ID: <20210407001658.2208535-1-pakki001@umn.edu> (raw)

In gss_pipe_destroy_msg(), in case of error in msg, gss_release_msg
deletes gss_msg. The patch adds a check to avoid a potential double
free.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
---
 net/sunrpc/auth_gss/auth_gss.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 5f42aa5fc612..eb52eebb3923 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -848,7 +848,8 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
  warn_gssd();
  gss_release_msg(gss_msg);
  }
- gss_release_msg(gss_msg);
+ if (gss_msg)
+ gss_release_msg(gss_msg);
 }It's pointless because gss_msg is a refcounted object and you can't double-free it by calling gss_release_msg - that's how they explained the problem on the mailing list.

If a reviewer misses that then he will miss everything. And if the actual maintainer of the code in question misses it, then what's wrong with a student missing it when he saw such suspiciously looking code in the output of a static analyzer?

[ataradov]

Is this just a general grievance thread now? How incorrect setup of nginx is related to possible code review issues in the kernel?

The design issues are also not a question here. Linux is what it is. Don't like it - don't use it. I personally more concerned with Windows sending your data to Microsoft in an advertised way. That's why I don't use Windows.

There is no need to put solving all the world's problems on kernel developer's shoulders.

[magic]

Lot's of your personal data are handled by Loonix servers AND desktops probably too, just so you know.

And as I said, it's not Microsoft who advertises Linux as more secure than Windows because "given enough eyes, all bugs are shallow".

[bd139]

Is this just a general grievance thread now? How incorrect setup of nginx is related to possible code review issues in the kernel?

The design issues are also not a question here. Linux is what it is. Don't like it - don't use it. I personally more concerned with Windows sending your data to Microsoft in an advertised way. That's why I don't use Windows.

There is no need to put solving all the world's problems on kernel developer's shoulders.

The point is that the process is flawed so why should we trust it.

[ataradov]

Lot's of your personal data are handled by Loonix servers AND desktops probably too, just so you know.

We get it, you hate Linux. Now move on.

[ataradov]

The point is that the process is flawed so why should we trust it.

You should not. But there is no place where a non-flawed version of the process is implemented. So you pick whichever you consider better and move on with your life.

[magic]

No, I hate Greg and all those other "peace, love and open sores" hippie idiots who are surely turning it into cancer.

I know bd139 will say it's always been cancer, but I used to be younger so maybe I just didn't see it

[ataradov]

If a reviewer misses that then he will miss everything. And if the actual maintainer of the code in question misses it, then what's wrong with a student missing it when he saw such suspiciously looking code in the output of a static analyzer?

There is nothing wrong with missing it. Admitting to intentionally submitting a buggy code and writing an article about is wrong.

At the time of that response it was not known what patches were intentionally buggy and what not. All the non-intentionally buggy patches will be returned to the code.

[bd139]

The point is that the process is flawed so why should we trust it.

You should not. But there is no place where a non-flawed version of the process is implemented. So you pick whichever you consider better and move on with your life.

Ok I’m going to buy a Mac and start writing zOS stuff 

[bd139]

No, I hate Greg and all those other "peace, love and open sores" hippie idiots who are surely turning it into cancer.

I know bd139 will say it's always been cancer, but I used to be younger so maybe I just didn't see it

Those dudes were always a joke. I come from a commercial Unix background (Sun) and there’s two types of Unix hippies:

1. The traditional bell labs guys. Those guys were engineers through and through despite the lore.
2. The rest.

The rest are the vocal majority.

If you look at the remaining old school engineers they tend to be working on Go and using macs at Google. YMMV but inside with strong engineering not conspicuous moral values.

This is why I’ve got a commercial Unix machine on my wrist and in my pocket…

[Ed.Kloonk]

The cathedral and the bazaar.

[bd139]

Commercial open source is a winner for me on that basis.

Oh look https://opensource.apple.com

[magic]

You have never built anything from those sources.
I thought the era of pretending that there is something open source about Darwin has ended decade ago

I can't even find launchd anymore, have they migrated to systemd or what