Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Brad Spengler Profile picture
@spendergrsec
Jun 9 13 tweets 3 min read Read on X
Vibe coding has no place in Linux kernel maintenance. The vulnerability inserted into 5 LTS kernels at once apparently without any review is yet another instance of AUTOSEL fallout, here with the "new" LLM-powered version. Sources: lwn.net/Articles/10202… lore.kernel.org/all/2025050522…
I think good questions to ask when someone reports a vulnerability or regression caused by an incorrect backport are: can you articulate a reason why you backported this change? what review did you perform on the change to ensure it's appropriate for the kernel it's applied to?
I've reported a number of issues, and it feels like I'm just subsidizing broken processes because these two questions never get asked, so the root of the problem is never solved. It's boggling to me even that the person involved never even chimes in to suggest a revert...
knowing full well the amount of non-automated effort that went into the backport and that the reason for its selection was automated.
Like, when you know the only effort you put into the backport was "git cherry-pick <id>", didn't even check to see if the config option was present, lacked the awareness/memory of changes to these mitigations, what are you doing making changes to the code?
Further, I imagine AUTOSEL questions are asked once to select candidates, and then the results are used via cherry-pick globally back as far as it can go cleanly absent any other metadata restricting it. Wrong design that will keep producing wrong results.
I've seen lots of complaints about it from other kernel devs, but it doesn't seem like anything's fundamentally changed, and this new version seems even worse than before (and even worse than that if the results are just blindly trusted).
There seems to be a message communicated by stable policies that backports are "safe" and don't require involvement of someone knowledgeable with the code being modified if clean cherry-picks are possible. The only involvement knowledgeable people would have is being CC'd...
on a mail about the patch being queued for some stable kernel, with a few days given for review before the kernels are published. But importantly, the people CC'd on these mails haven't necessarily signed up for doing anything related to stable kernels, so no response...
doesn't necessarily mean review was done, and the CC list is limited to the people identified by the commit.
This isn't a new discussion by any stretch, it keeps coming up because the problems keep cropping up. See for instance here: social.kernel.org/notice/AmeaMpX…
@Dave_Maynor it's necessarily job security for anyone who has to clean up the mess, it's just an understaffed group that knowing it can't force unpaid people to review things they didn't ask for in kernels they didn't sign up for, has to get "creative" by "moving fast and breaking things"...
@Dave_Maynor that others clean up.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Brad Spengler

Brad Spengler Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @spendergrsec

Brad Spengler Profile picture
Dec 17, 2022
"one kernel developer mentioned to me that this was definitely not the intent and might have been a regression" I'd be very shocked if that developer had anything to do with the code, because this behavior was basically documented even when the PCID-enabled variant was written
Not in any user-visible way of course, but even the PCID variant was only described as "a little more secure" wrt global pages, and the mapping of entry text and it being part of the kernel image was evident from the code all along.
In other words, you basically only ever believed KPTI was useful against KASLR if you believed Linus' pre-Meltdown words or got your regurgitated news from LWN
Read 8 tweets
Brad Spengler Profile picture
Sep 23, 2020
This is the right response: openwall.com/lists/kernel-h… For the same reason that NX is necessary even if it doesn't stop ROP, or that CFI is necessary even if it doesn't stop data-only attacks. They each serve their own purpose (and you'd be hard-pressed to have useful CFI w/o NX)
When the pieces are defined in advance and there's a clear path to achieving them that doesn't involve unrealistic assumptions (as is the case here) there should be no debate. At this point it's just useless posturing on the part of the upstream dev.
Same hazing I mentioned in my talk, to where most people would learn to be a brown-noser if this kind of "collaboration" was required for their career, or would just do whatever silly watered-down version upstream wanted if they just needed something for a resume...
Read 10 tweets
Brad Spengler Profile picture
Sep 23, 2020
Some more history: marc.info/?l=openbsd-mis… "unless the application requests it, of course..." cf. openwall.com/lists/kernel-h… "W^X is not supposed to protect you from attackers that can already do
system calls."
then many years later ("A W^X refinement"): marc.info/?l=openbsd-tec… "I wish to block direct system calls from those areas"
From the NetBSD end, they've been using a port of PAX_MPROTECT for some time: netbsd.org/gallery/presen… Image
Read 4 tweets
Brad Spengler Profile picture
Aug 26, 2020
Bruce Perens gives a talk where he mentions in passing the "Red Hat loophole" -- archive.is/laW2p Why doesn't he call Red Hat a GPL violator in a blog post published worldwide on news sites? The "information" he talks about (for the kernel) are split-out GPL'd patches
No copyright holder contacted us with concerns prior to Bruce's post, and none have contacted us after. This is likely because everyone (including Bruce himself) knows it's perfectly legal (otherwise Bruce wouldn't be calling it a "loophole": i.e. something legal he doesn't like)
The archived link above demonstrates Bruce knows we have the same subscription policies Red Hat has had in place for two decades. That he hasn't either 1) published a similar blog about Red Hat that tries to destroy their business or 2) published a public apology as widespread..
Read 8 tweets
Brad Spengler Profile picture
Jul 15, 2020
25 days since a trivially-reproduced warning at boot was introduced in KVM affecting an L1TF backport, a volunteer provided the same fix we applied to our 4.14 kernel 25 days ago: spinics.net/lists/stable/m… Image
Some things we've learned from this: there is apparently no even basic upstream boot testing happening that would cause a release to be delayed for newly-introduced warnings in extremely common functionality like KVM. The policy of reverting problematic commits wasn't followed..
nor was the claimed goal met of not shipping new stable kernels with known regressions (this one was reported by a user after release, by us on Twitter, and by syzkaller repeatedly). Finally, this wasn't caught by anyone I'm aware of in the week period allowed for stable testing
Read 4 tweets
Brad Spengler Profile picture
Jul 4, 2020
Did you know? Linux started out with a license different from the GPL: mirrors.edge.kernel.org/pub/linux/kern… As early as 2000, Linus Torvalds was claiming the GPL license on Linux meant "If you make changes, you have to send the changes back to me." cnn.com/TRANSCRIPTS/00…
He's repeated this claim multiple times at conferences: The problem is, that language doesn't exist in the GPL at all, as pointed out to him by the Vice President of the FSF in 2007: lkml.org/lkml/2007/6/14…
Linus:
"I just ask that you give the software back in a usable form. That's all I ask for."

FSF:
"I'm afraid that's not what the GPLv2 says. There's no provision whatsoever about giving anything back. Not in the spirit, not in the legal terms."
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(