Linux kernel developers complete audit of all patches from the University of Minnesota

The Linux Foundation Technical Council has published a summary report on the incident in which researchers from the University of Minnesota attempted to push patches containing hidden bugs that lead to vulnerabilities into the kernel. The kernel developers confirmed previously published information: of the 5 patches prepared during the Hypocrite Commits study, 4 patches with vulnerabilities were rejected immediately, at the initiative of the maintainers, and did not reach the kernel repository. One patch was accepted, but it fixed the problem correctly and contained no bugs.

A further 435 commits were also analyzed, including fixes submitted by developers from the University of Minnesota that were not related to the experiment to promote hidden vulnerabilities. Since 2018, a group of researchers from the University of Minnesota has been quite actively involved in fixing bugs. The re-review found no malicious activity in these commits, but it did reveal some unintentional errors and shortcomings.

349 commits were recognized as correct and left unchanged. 39 commits have issues that require fixing; these commits have been reverted and will be replaced with more correct fixes before the release of the 5.13 kernel. Bugs in 25 commits were fixed in subsequent changes. 12 commits are no longer relevant, as they affected obsolete systems already removed from the kernel. One of the correct commits was reverted at the request of its author. 9 correct commits were sent from @umn.edu addresses well before the research group under analysis was formed.

To restore confidence in the team at the University of Minnesota and give it back the opportunity to participate in kernel development, the Linux Foundation put forward a number of requirements, most of which have already been met. For example, the researchers have already retracted the Hypocrite Commits publication and canceled their presentation at the IEEE Symposium conference, publicly disclosed the entire chronology of events, and provided detailed information about the changes submitted during the study.

Source: opennet.ru
