
239 points r4um | 2 comments
charcircuit ◴[] No.45113673[source]
>Convinced the path forward would be painful, I shelved the bug.

As opposed to fixing the bug? Either the incentives are broken for security researchers to fix bugs, contributing fixes to Linux is broken, or both.

A rewrite of these user interactable subsystems in Rust can't come soon enough.

replies(4): >>45113715 #>>45113831 #>>45113876 #>>45114005 #
ch3 ◴[] No.45113715[source]
The author is Russian and seems to work for Positive Technologies, which is on the sanctions list.
replies(2): >>45113836 #>>45114504 #
Arch-TK ◴[] No.45113836[source]
Interesting side effect of the sanctions.
replies(1): >>45114211 #
shmel ◴[] No.45114211[source]
Is it really a side effect though? I think the entire point of these sanctions (or their implementation by Linux Foundation more specifically) is to prevent developers working for Russian companies from contributing to Linux. It isn't a side effect, it's the intended effect, wouldn't you say so?
replies(1): >>45115318 #
1. Ygg2 ◴[] No.45115318[source]
I thought the idea is to prevent Russian hackers from introducing exploits. Not prevent Russian hackers from fixing exploits.
replies(1): >>45127262 #
2. cyphar ◴[] No.45127262[source]
No, the point is to stop American technology companies from providing technology to Russian entities.

From the perspective of sanction laws, accepting patches (or arguably even replying to emails) from sanctioned entities is effectively providing technology to them because you are telling them that the patch solves the issue (i.e., you are providing them technical expertise) and are making it easier for them to use the patch in the future (i.e., no need to rebase and shipping software that they have indicated that they will find particularly useful).

The Linux Foundation provided some guidance about this earlier this year[1]. Basically, it is incredibly easy to inadvertently violate sanctions if you are involved in an open source project.

[1]: https://www.linuxfoundation.org/blog/navigating-global-regul...