General > General Technical Chat
University of Minnesota Linux code security issues; banned and to be removed
<< < (21/23) > >>
magic:
No, this whole drama proves that Linux has a rubber stamping process in place, which is not quite the same as review.

This seems to be the patch that directly triggered Greg's rage:

--- Code: ---Subject: [PATCH] SUNRPC: Add a check for gss_release_msg
Date: Tue,  6 Apr 2021 19:16:56 -0500
Message-ID: <20210407001658.2208535-1-pakki001@umn.edu> (raw)

In gss_pipe_destroy_msg(), in case of error in msg, gss_release_msg
deletes gss_msg. The patch adds a check to avoid a potential double
free.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
---
 net/sunrpc/auth_gss/auth_gss.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 5f42aa5fc612..eb52eebb3923 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -848,7 +848,8 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
  warn_gssd();
  gss_release_msg(gss_msg);
  }
- gss_release_msg(gss_msg);
+ if (gss_msg)
+ gss_release_msg(gss_msg);
 }
--- End code ---
It's pointless because gss_msg is a refcounted object and you can't double-free it by calling gss_release_msg - that's how they explained the problem on the mailing list.

If a reviewer misses that then he will miss everything. And if the actual maintainer of the code in question misses it, then what's wrong with a student missing it when he saw such suspiciously looking code in the output of a static analyzer?
ataradov:
Is this just a general grievance thread now? How incorrect setup of nginx is related to possible code review issues in the kernel?

The design issues are also not a question here. Linux is what it is. Don't like it - don't use it. I personally more concerned with Windows sending your data to Microsoft in an advertised way. That's why I don't use Windows.

There is no need to put solving all the world's problems on kernel developer's shoulders.
magic:
Lot's of your personal data are handled by Loonix servers AND desktops probably too, just so you know.

And as I said, it's not Microsoft who advertises Linux as more secure than Windows because "given enough eyes, all bugs are shallow".
bd139:

--- Quote from: ataradov on April 30, 2021, 07:35:17 am ---Is this just a general grievance thread now? How incorrect setup of nginx is related to possible code review issues in the kernel?

The design issues are also not a question here. Linux is what it is. Don't like it - don't use it. I personally more concerned with Windows sending your data to Microsoft in an advertised way. That's why I don't use Windows.

There is no need to put solving all the world's problems on kernel developer's shoulders.

--- End quote ---

The point is that the process is flawed so why should we trust it.
ataradov:

--- Quote from: magic on April 30, 2021, 07:38:25 am ---Lot's of your personal data are handled by Loonix servers AND desktops probably too, just so you know.

--- End quote ---
We get it, you hate Linux. Now move on.
Navigation
Message Index
Next page
Previous page
There was an error while thanking
Thanking...

Go to full version
Powered by SMFPacks Advanced Attachments Uploader Mod