Days since an "AI found security bug" turned out to be totally false due to the inability of the tool to actually parse C code: 0

I'm seeing multiple of these types of "reports" per week now for Linux. Why do people think that an LLM can somehow do better than a compiler and also not even test their proposed changes to verify they even do anything?

{sigh}
@gregkh Some people simply lack the skill, but they'd like to add “contribution to the Linux kernel” to their CVs.
Disclaimer: I've no idea if that was actually the case here.
@ptesarik That's what `drivers/staging/` is for, we just took 10+ patches for that subsystem from new submitters yesterday. That's much easier to accomplish than trying to parse the output of an "AI tool" :)
@gregkh Yes, let's promote staging (again)! Sounds like a good plan to me.

@gregkh so you're implying that those people actually "think" before submitting such reports...

that is very generous of you

@gregkh And I don't understand why these people are submitting garbage AI reports.

What's the goal of it?

@tisha @gregkh Bug bounties usually (and I've seen a report where it showed that some large companies pay out often enough even though the report is bogus).
@gregkh this seems to be a very active topic right now
@gregkh you know the adage that as soon as a measure becomes a target it stops being a useful measure? I think something like that has happened with bugs and bounties
@gregkh I kind of doubt that they are capable of even testing it, or else they wouldn't use the lying machine in the first place.

@gregkh

Full ACK.

Sad but true. 🤢

@gregkh Some people easily fall for marketing pitches.
@gregkh
We've spent billions of dollars on AI! You MUST use it, and believe its every pronouncement!
@gregkh I wonder if LLMs are going to cause more problems under authoritarian regimes, where people are conditioned to do what they're told without question. Seems like perfect conditions for modern "AI" to cause all sorts of havoc, with all of it being excusable with "the computer told me to".
@gregkh Maybe "Days" should be changed to "Hours"?
@gregkh Perhaps someone should tell that to Sasha Levin, as he applies bad patches to AUTOSEL based on LLM output? :-(.
@gregkh
To test it requires actual work?
@gregkh fwiw, curl just bans these types of people https://hackerone.com/reports/3230082

@gregkh I suspect you've already seen this slide from @bagder but just in case, or for anyone else reading this who doesn't (yet) follow him...

https://mastodon.social/@bagder/114856434115222517

@gregkh linters literally do their job better than a speculation machine
@winload_exe @gregkh Almost, but not quite, as if linters and other tools were carefully designed to do a particular job, and thus do it well.

@gregkh This is the grotty side of #LLMs, of course. There is a good side. Sometimes.

But mostly what I see is #AIslop, and because of that I give it about as much respect as I did the #BoredApe bubble.

If LLMs are to be taken seriously, their act needs clearing up!

@gregkh Fun story... One month, it was my job to run Klocwork (static code analysis) against our own code, because somebody in management had decided it's important to fix all "vulnerabilities" that an automated tool can find. An expensive tool, mind you.
Two senior engineers and lots of build resources, for a month, and we changed hundreds of thousands of lines of code (some by script).
1/x
@gregkh After all that, the Product Manager did not want to merge it into production/main, because "too many lines of code changes".
I learned a lesson - when tasked, always ask "if I do this, will you ship it" of your Product Manager. Or just take the money to waste time...
But for fun, I ran Klocwork against the Linux kernel source (we were cross-compiling an ARM kernel and rootfs/dist of our own) and the "violations" were voluminous.
But somehow nobody was worried about that.
2/x
@gregkh I don't think of LLM-based coding "assistants" any differently - in the hands of experts, probably useful. In the hands of ignorant, lazy people seeking quick solutions, dangerously untrustworthy results nobody wants.
And a distraction from efforts that could really improve your software or service.
3/3