Conversation
We've gotten five different "security reports" about the decades old USBIP protocol https://docs.kernel.org/usb/usbip_protocol.html and how it is "insecure" in the past few days.

Yes, it's only to be run between "trusted" devices, and we will gladly take patches so see the ones recently posted to the linux-usb mailing list to mitigate these issues, but this is very strange as to why all of a sudden this is being reported all at the same time by random different semi-anonymous accounts.

Is there some big usb-over-ip installation somewhere that people suddenly started caring about out there, or did some internal hacking tool that uses usbip just get leaked?

No one who we asked "why?" when they submitted these issues would give a very clear answer to that simple question, so something is going on...

@gregkh could it be LLMs discovering the 'security vulnerability' and not understanding the threat model? Not sure why there would be 5 at the same time though


@gregkh someone used an LLM to generate them?


@gregkh

> Is there some big usb-over-ip installation somewhere

Probably not that security sensitive because it's on the same machine, but WSL2

https://learn.microsoft.com/en-us/windows/wsl/connect-usb


@gregkh

An attempt to get a backdoor into the kernel?


@gregkh there is a small installation of two computers at my home that works well since this was out-of-tree

@aho maybe, but at least one reporter insisted it wasn't LLM generated, which of course does not actually make it true, and pointed instead at a 10 year old presentation that they "happened" to find.
@m_berberich Adding a backdoor by reporting a bug without a patch? That seems like a very tough injection method :)

@gregkh a pattern I have seen recently is new people on kernel reporting bugs on random subsystems. I am pretty sure they just feed the code to a LLM and send whatever it found.

E.g. yesterday I got a review on a patch I sent a year ago on a protocol that is pretty uncommon. After talking to the reviewer, it is clearly an AI. It is, by the way, the same person that sent a 22-patch series for rtl8723bs that you needed to review :/


@gregkh @aho Yeah, would not put too much trust into self-reporting LLM use, given our experiences in .

I see duplicate reports more often nowadays and I suspect people use just the same review tools.

So we just need one tool to add something new to their training/context/agent thing and several humans will claim a report.

Not the greatest use of everyone's time.


@gregkh My guess is someone made a novel prompt that made their LLM focus specifically on the USBIP protocol. It found and reported a minor issue. Now all other LLMs have the original report in their model, so they naturally focus on the USBIP protocol when presented with generic prompts, such as "find a vuln in the kernel", and now that effect is snowballing.


@gregkh I am sure there are also humans in the loop, but the LLMs are driving the snowball effect.


@gregkh @aho Hi! My name is Notllm. I'm a real human and just found a totally random presentation in notmydatabase and now I'm writing a real report on a security flaw that totally doesn't resemble five other reports already submitted.


@gregkh

Yeah :)

If you would want to infiltrate the kernel your first step would not be to provide a patch with a backdoor.
You would do a bug-report, let it linger some time, discuss a bit and finally provide a patch. Maybe split the backdoor over multiple patches.

@gregkh Maybe vulns used by commercial law enforcement malware like Cellebrite?

@gregkh @m_berberich 1) Specify a new security bug,
2) Let an LLM code a backdoor according to the spec,
3) Profit!

Ok, it's now 6, something odd is happening...
@gregkh Not that odd... I imagine random dudes talking:
- I used microslop to find a bug in the Linux kernel and I will have CVE/security vulnerability credits for my CV!
- oh, amazing, was it difficult?
- I just found them easily in usbip, it looks like an easy pick.
- I will do the same!

I, for example, noticed that when Google Summer of Code starts, e.g. the application process, there is an increased amount of contributions doing the same as GSoC applicants but not being part of GSoC. It's like someone found the GSoC page with "easy picks" and then hops on the same bus.

Maybe usbip is the same here.