Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp179393lqz;
        Fri, 29 Mar 2024 12:32:17 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCV5ZmdnwiqHR5QGzzhRUgqzilQXl4/UfWcXOUy7m4EPd6Dnf5S/sa2jXTOXsy2BfOfBNCtjPeFAQhhpGQ16IuI5G/sG2MAmjJkYPrE3rw==
X-Google-Smtp-Source: AGHT+IFWC6EP2w1j6RfBzjAz2pEQDcsWd9pTZH3pU8cP0N7PdVAb1qyzLIWjioLroQ2Gqt9dOfx0
X-Received: by 2002:a17:90a:de10:b0:2a0:3dc3:8a8b with SMTP id m16-20020a17090ade1000b002a03dc38a8bmr2636835pjv.47.1711740737063;
        Fri, 29 Mar 2024 12:32:17 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1711740737; cv=pass;
        d=google.com; s=arc-20160816;
        b=e83Ds7rLl3FPBGCPF9tKcNAh0HkMKmLK50BP+VqLj+5bM/TJx72+KjZ9JABYMHNDW9
         gHQl5IdMX6AHGvfV4V7o0E5EvonpiNDOJ+026zBBG261ncx3V3qXKJMrGrcv3M1mZVk2
         thoslYq6zPG0UyUBP9S7Rgi6FEU0vVXqJ4WAuYqP34t2vusYw/OdOmA/i7GhU5SFCRf5
         60l0OnwfO4s4Ev19mkA7ZwGpp2Z/AA47QgdkSNb39HUi7b+Lf+fD34fvJlTjpDQrBh3Z
         mnS38Kj1TVvIgex3I0AcIrzu2NmLKG70IAORe8gYap8b0vObKHOvuzrXPMhylvcFNHvX
         Y8YA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=in-reply-to:content-disposition:mime-version:list-unsubscribe
         :list-subscribe:list-id:precedence:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=98Fa2R+IhvZQEbNzhMF87WzGRorq0pNL8uG9IBYNkc8=;
        fh=dpHc/OmVDJ2dIsy7B+GlCnr5wsTN858M3A3qi9ocg2g=;
        b=qQBYLyHfuwU2QZVIYPVJHDmLNf6hwTEHbzAm0KHT0d28H3d08aTat6QbHl+vGfhoOj
         SJVEy9/IInGmIUdc12YwydlzSklUvKQCiHPeCZTo+dIeT5Sk+qw4D5M82X3qatdvFBGs
         pXZQ8Ij9TTs/U++0RYJ/ycvxqOpE4gcb5XiMu6tb55k3GZot72Ttq/4KB7aF+VMlQL3k
         wT4VXNv/dUOvCnjElN6FkbNZEyjJBS9lI8fkiiTbKfAQjYWToWFm9dElyMBJxqpDw2DD
         DloVFEcrN6/VhX4SIa0ElMm0PKSiPQUcMAMyZv/fyLm9dbZw1tqeetRlwivmCJj8mYpm
         ujiQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=BUYVZV7k;
       arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
       spf=pass (google.com: domain of linux-kernel+bounces-125339-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-125339-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Return-Path: <linux-kernel+bounces-125339-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99])
        by mx.google.com with ESMTPS id e8-20020a17090ab38800b0029dd816e84fsi6101502pjr.180.2024.03.29.12.32.16
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 29 Mar 2024 12:32:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-125339-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@chromium.org header.s=google header.b=BUYVZV7k;
       arc=pass (i=1 spf=pass spfdomain=chromium.org dkim=pass dkdomain=chromium.org dmarc=pass fromdomain=chromium.org);
       spf=pass (google.com: domain of linux-kernel+bounces-125339-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-125339-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by sv.mirrors.kernel.org (Postfix) with ESMTPS id BCC962820AD
	for <linux.lists.archive@gmail.com>; Fri, 29 Mar 2024 19:32:16 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 7903F139566;
	Fri, 29 Mar 2024 19:32:11 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b="BUYVZV7k"
Received: from mail-pl1-f172.google.com (mail-pl1-f172.google.com [209.85.214.172])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 11CDB52F79
	for <linux-kernel@vger.kernel.org>; Fri, 29 Mar 2024 19:32:08 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.172
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1711740730; cv=none; b=d/fwbUzmKiWTXfqxPoyX+H6mihwrlQeo76u6F1iLEkpGV/Papf4n/6XBQkZafi7TvNFL5uGU8YPMSBjyGigLWCGpeCRasLsGrE7/reZ6a3J7kabhoMrfVPiHN82iQZ1FICjckOQQjkDs30asqGN/N92AXq+117BBZq3ePic68Xk=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1711740730; c=relaxed/simple;
	bh=Qg6JQU06sgKW9eYerMelYzujMyN/XjWSVwAEBQRqmN8=;
	h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:
	 Content-Type:Content-Disposition:In-Reply-To; b=Npr0bAZtPRdGD2ab5OtQstBNZBBNKG67poOKNv8hsULmWiBJmICEbn66Hkqoor9IG454ebz9GCE1R23oxRwfGvaitlsG859GWZydMreDmRihLQOMtQJ29x5fKRwfe0rNRKM2+EryA8TdvfuwxR2hHylMElSeX10ESf1YbOdwZPw=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org; spf=pass smtp.mailfrom=chromium.org; dkim=pass (1024-bit key) header.d=chromium.org header.i=@chromium.org header.b=BUYVZV7k; arc=none smtp.client-ip=209.85.214.172
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=chromium.org
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=chromium.org
Received: by mail-pl1-f172.google.com with SMTP id d9443c01a7336-1e0b213efa3so20890805ad.0
        for <linux-kernel@vger.kernel.org>; Fri, 29 Mar 2024 12:32:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=chromium.org; s=google; t=1711740728; x=1712345528; darn=vger.kernel.org;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=98Fa2R+IhvZQEbNzhMF87WzGRorq0pNL8uG9IBYNkc8=;
        b=BUYVZV7kL+fXb3JNiowRCVRnEg1sgQJNculGo7cp4bTDXu5pRVJl+yWQmXyxd1S0pa
         pH+HvXY6VecTWcqu92Nyc3BbEVcqAS1ZskoJo1Ajy0I4CX8LF8B8eL+j1E38Yt7Om5C6
         08yDO1NG8lDkZFt7DO8tPeVapm+yL0JHiBo70=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1711740728; x=1712345528;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=98Fa2R+IhvZQEbNzhMF87WzGRorq0pNL8uG9IBYNkc8=;
        b=ro+q6pXXL9tHdhPp3m8PZnI2k7bv2u9Eb75PEV5zAd4G13RGTIi7wigU3K7gOPEqwF
         8Wgou3xdYmW+vnXy3t3amkBIA+N1trSAFvckh9Kp8RejklOExemTA3qKHwAE4cNEG5il
         drpANAaPQfm3Tp8P0MCzE8jF4xE3izXNvtr7zapkMDbYtu2PQ4CplPej4dnfxeAEqfGO
         kttdLXKLLew+e6Zr6T5DqEntzgSDtpb8rIz38mP8QM9t8ijmbtRUrncaQIJdRE5GCFxx
         SraJX0s9EXtu9BPFLCPUgmInPeJ7E8KJ3xGvlMt2QtQ432nCQh/aXBmDAiDeIqe0VeB3
         001g==
X-Forwarded-Encrypted: i=1; AJvYcCXZ+WTrOEqSkdtH4395PjtFWoAPJzqwSQAtMAS0cTiNrB5YIUpNzzhJexJ8PgQE05QaxkfzDw8MW9frwuZWzU6jK0hLhHLsn/YlhWxz
X-Gm-Message-State: AOJu0YwyWvSQ+i8qKVSCpU2RauoeChyQoVxm9+JRYW57C1+3GbKawcVf
	NwAy+2VhpCNQIPNt4jGehaN+s8c5tv4mqNfgv9wEN+gahkUazul4Zj9B1p48AQ==
X-Received: by 2002:a17:902:be05:b0:1e2:2bae:90f with SMTP id r5-20020a170902be0500b001e22bae090fmr3173324pls.49.1711740728360;
        Fri, 29 Mar 2024 12:32:08 -0700 (PDT)
Received: from www.outflux.net ([198.0.35.241])
        by smtp.gmail.com with ESMTPSA id f17-20020a170902ce9100b001e0e977f655sm3790954plg.159.2024.03.29.12.32.07
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 29 Mar 2024 12:32:07 -0700 (PDT)
Date: Fri, 29 Mar 2024 12:32:07 -0700
From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Lasse Collin <lasse.collin@tukaani.org>, Jia Tan <jiat0218@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 00/11] xz: Updates to license, filters, and compression
 options
Message-ID: <202403291221.124220E0F4@keescook>
References: <20240320183846.19475-1-lasse.collin@tukaani.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20240320183846.19475-1-lasse.collin@tukaani.org>

On Wed, Mar 20, 2024 at 08:38:33PM +0200, Lasse Collin wrote:
> XZ Embedded, the upstream project, switched from public domain to the
> BSD Zero Clause License (0BSD). Now matching SPDX license identifiers
> can be added.
> 
> The new ARM64 and RISC-V filters can be used by Squashfs.
> 
> Account for the default threading change made in the xz command line
> tool version 5.6.0. Tweak kernel compression options for archs that
> support XZ compressed kernel.
> 
> Documentation was revised. There are minor cleanups too.
> 
> Lasse Collin (11):
>   MAINTAINERS: Add XZ Embedded maintainers
>   LICENSES: Add 0BSD license text
>   xz: Switch from public domain to BSD Zero Clause License (0BSD)
>   xz: Documentation/staging/xz.rst: Revise thoroughly
>   xz: Fix comments and coding style
>   xz: Cleanup CRC32 edits from 2018
>   xz: Optimize for-loop conditions in the BCJ decoders
>   xz: Add ARM64 BCJ filter
>   xz: Add RISC-V BCJ filter
>   xz: Use 128 MiB dictionary and force single-threaded mode
>   xz: Adjust arch-specific options for better kernel compression
> 
>  Documentation/staging/xz.rst    | 130 ++++++++---------------
>  LICENSES/deprecated/0BSD        |  23 ++++
>  MAINTAINERS                     |  14 +++
>  include/linux/decompress/unxz.h |   5 +-
>  include/linux/xz.h              |   5 +-
>  init/Kconfig                    |   5 +-
>  lib/decompress_unxz.c           |  39 ++++---
>  lib/xz/Kconfig                  |  13 ++-
>  lib/xz/xz_crc32.c               |   7 +-
>  lib/xz/xz_dec_bcj.c             | 183 ++++++++++++++++++++++++++++++--
>  lib/xz/xz_dec_lzma2.c           |   5 +-
>  lib/xz/xz_dec_stream.c          |   5 +-
>  lib/xz/xz_dec_syms.c            |  16 +--
>  lib/xz/xz_dec_test.c            |  12 +--
>  lib/xz/xz_lzma2.h               |   5 +-
>  lib/xz/xz_private.h             |  20 ++--
>  lib/xz/xz_stream.h              |   7 +-
>  scripts/Makefile.lib            |  13 ++-
>  scripts/xz_wrap.sh              | 157 +++++++++++++++++++++++++--
>  19 files changed, 487 insertions(+), 177 deletions(-)
>  create mode 100644 LICENSES/deprecated/0BSD

Andrew (and anyone else), please do not take this code right now.

Until the backdooring of upstream xz[1] is fully understood, we should not
accept any code from Jia Tan, Lasse Collin, or any other folks associated
with tukaani.org. It appears the domain, or at least credentials
associated with Jia Tan, have been used to create an obfuscated ssh
server backdoor via the xz upstream releases since at least 5.6.0.
Without extensive analysis, we should not take any associated code.
It may be worth doing some retrospective analysis of past contributions
as well...

Lasse, are you able to comment about what is going on here?

-Kees

[1] https://www.openwall.com/lists/oss-security/2024/03/29/4

-- 
Kees Cook