Huawei Says Controversial Linux Kernel Patch Wasn’t Their Idea

By Bill Toulas / May 13, 2020

A Huawei engineer decided to contribute a patch to the Linux kernel, intending to bolster the security of the widely deployed open source project. The patch was called “Huawei kernel self protection” (HKSP), and it allegedly featured various security-hardening options for the Linux kernel. Because it came from a controversial entity, the Linux kernel community thoroughly scrutinized the patch and found that it contained a “trivially exploitable vulnerability.” The discovery was the work of “GRSecurity,” an entity that has been contributing security-hardening patches to the Linux kernel for a long time now.

GRSecurity even provided proof-of-concept (PoC) code showing how the vulnerability could be exploited by an unprivileged user. They called the HKSP patch a risk that creates new attack surface and introduces more problems than those it attempts to solve in the first place. Naturally, this discovery sparked rumors about the contributor’s intentions, about a long-shot Huawei effort to weaken the security of the Linux kernel, and more. Huawei responded by saying that their employee contributed on his own and that the company had no involvement in this action whatsoever. They added that the HKSP code isn’t even used in their own products.

PoC, Source: GRSecurity

Following this, the author of HKSP was forced to remove the Huawei strings from the code and declared on his private GitHub repository that this is personal work and not an official project backed by his employer. Still, the community is somewhat divided, with many believing the author, while others maintain that Huawei has indeed attempted to introduce vulnerabilities and backdoors into the Linux kernel. If we were to comment on this, we’d say the conspiracy theories are doubtful.

First, it would be overly blatant for Huawei to test the waters on the Linux kernel project this way, and also extremely naive for them to think that Linus Torvalds and his team would simply accept whatever they threw at them. Secondly, if they tried to sneak a backdoor into the kernel, wouldn’t they try to make it less apparent? Thirdly, they could have used a contributor who isn’t officially working for them for this purpose. And finally, Huawei’s engineers have a documented history of getting security wrong when they write code, so this story isn’t exactly unprecedented.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari