General > General Technical Chat
University of Minnesota Linux code security issues; banned and to be removed
magic:
No, this whole drama proves that Linux has a rubber stamping process in place, which is not quite the same as review.
This seems to be the patch that directly triggered Greg's rage:
--- Code: ---Subject: [PATCH] SUNRPC: Add a check for gss_release_msg
Date: Tue, 6 Apr 2021 19:16:56 -0500
Message-ID: <20210407001658.2208535-1-pakki001@umn.edu> (raw)
In gss_pipe_destroy_msg(), in case of error in msg, gss_release_msg
deletes gss_msg. The patch adds a check to avoid a potential double
free.
Signed-off-by: Aditya Pakki <pakki001@umn.edu>
---
net/sunrpc/auth_gss/auth_gss.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c
index 5f42aa5fc612..eb52eebb3923 100644
--- a/net/sunrpc/auth_gss/auth_gss.c
+++ b/net/sunrpc/auth_gss/auth_gss.c
@@ -848,7 +848,8 @@ gss_pipe_destroy_msg(struct rpc_pipe_msg *msg)
warn_gssd();
gss_release_msg(gss_msg);
}
- gss_release_msg(gss_msg);
+ if (gss_msg)
+ gss_release_msg(gss_msg);
}
--- End code ---
It's pointless because gss_msg is a refcounted object and you can't double-free it by calling gss_release_msg - that's how they explained the problem on the mailing list.
If a reviewer misses that then he will miss everything. And if the actual maintainer of the code in question misses it, then what's wrong with a student missing it when he saw such suspiciously looking code in the output of a static analyzer?
ataradov:
Is this just a general grievance thread now? How incorrect setup of nginx is related to possible code review issues in the kernel?
The design issues are also not a question here. Linux is what it is. Don't like it - don't use it. I personally more concerned with Windows sending your data to Microsoft in an advertised way. That's why I don't use Windows.
There is no need to put solving all the world's problems on kernel developer's shoulders.
magic:
Lot's of your personal data are handled by Loonix servers AND desktops probably too, just so you know.
And as I said, it's not Microsoft who advertises Linux as more secure than Windows because "given enough eyes, all bugs are shallow".
bd139:
--- Quote from: ataradov on April 30, 2021, 07:35:17 am ---Is this just a general grievance thread now? How incorrect setup of nginx is related to possible code review issues in the kernel?
The design issues are also not a question here. Linux is what it is. Don't like it - don't use it. I personally more concerned with Windows sending your data to Microsoft in an advertised way. That's why I don't use Windows.
There is no need to put solving all the world's problems on kernel developer's shoulders.
--- End quote ---
The point is that the process is flawed so why should we trust it.
ataradov:
--- Quote from: magic on April 30, 2021, 07:38:25 am ---Lot's of your personal data are handled by Loonix servers AND desktops probably too, just so you know.
--- End quote ---
We get it, you hate Linux. Now move on.
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version