madisongh/kernel-cve-tool
kernel-cve-tool

A tool for reviewing downstream Linux kernel repositories for CVE patches.

Setup

  1. Clone the git repository with your Linux kernel and check out the branch you want to review. For example:
    $ git clone https://github.com/OE4T/linux-tegra-4.9.git -b oe4t-patches-l4t-r32.6
    
  2. Add linux-stable as a git remote and fetch it:
    $ git remote add stable git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
    $ git fetch stable
    
  3. In a different directory, clone the linux_kernel_cves repository:
    $ git clone https://github.com/nluedtke/linux_kernel_cves.git
    
  4. cd to where you checked out your kernel repo and run kernel-cve-tool:
    $ kernel-cve-tool -P /path/to/linux_kernel_cves
    

The upstream stable kernel repo is needed for locating commits for fixes that may not be present in your local repository. The linux_kernel_cves repository is a data set that maps CVEs to upstream kernel commits.

Note that the script assumes that your branch is derived from one of the existing stable kernel labels (e.g., 'v4.9') - in other words, it must contain the commits from one of the linux-X.Y branches in the stable repository, with other commits added on top of them.

Execution

The script parses the top-level makefile to determine the base kernel version, parses the JSON data files in linux_kernel_cves, and builds a list of CVEs to look for.

Initially:

  • CVEs listed as fixed in versions earlier than the current SUBLEVEL are assumed to be present.
  • CVEs fixed in versions after the current SUBLEVEL or listed in the data set as 'outstanding' are assumed to be unfixed.

For each CVE in the 'unfixed' list, the script then searches the current branch for a commit that contains the git hash of the reported fix (if the data set records one) or the exact subject line of the fix commit. If such a commit is found, the CVE is moved to the 'fixed' list.

Note that this processing can take several minutes.

When the scan is complete, the following files are created in the current directory:

  • PATCHED-CVES: lists the CVEs in the 'fixed' list
  • NO-FIXES-AVILABLE: lists the CVEs that have no patches available
  • cherry-picks.list: lists the git hashes for manual cherry-picking with:
    $ cut -d: -f1 cherry-picks.list | git cherry-pick -x --stdin

    For CVEs that are not (yet) fixed upstream in the version of the kernel on which your tree is based, but have commits for some other (presumably later) version, the entries in the cherry-pick list are tagged with the legend (NOT THIS VERSION). Applying those patches will likely be more difficult.

Checking specific CVEs with kernel-cve-vercheck

Using the same setup as described above, the kernel-cve-vercheck tool can be used to get information about a specific CVE, based on the information in the database. For each CVE number specified on the command line, the tool will determine if it is applicable by comparing the current kernel version to the "stream" data in the database for that version, and classify the CVE as patchable (fix available in a later version), outstanding (no patch available for the current kernel version), or not applicable (patch not applicable to the current version, or already patched). Only the database information is used; this tool does not search the local git repository for patches that may have been applied. It does examine the local Makefile to determine the kernel version, however.
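The following is an added example, not code from the kernel-cve-tool project, that models the two classification steps described above: the SUBLEVEL-based partition into 'fixed' and 'unfixed' plus the branch search from the Execution section, and the patchable / outstanding / not applicable answer from kernel-cve-vercheck. It assumes a simplified, constructed CVE data layout (per stable stream: fixed-in version, upstream hash, subject line), which is not the real linux_kernel_cves schema, and it stands in for `git log` with a constructed list of (hash, subject, body) records. The "hash:CVE" line format of cherry-picks.list is inferred from the `cut -d: -f1` command above and is an assumption.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Constructed sample of a top-level kernel Makefile header (not from a real tree).
SAMPLE_MAKEFILE = """\
VERSION = 4
PATCHLEVEL = 9
SUBLEVEL = 253
EXTRAVERSION =
NAME = Roaring Lionus
"""

# Constructed, simplified CVE data set. This is NOT the real linux_kernel_cves
# schema; it only models what the README says the tools use: per stable stream
# ("4.9", "5.4", ...), the version that fixed the CVE (None = outstanding), the
# upstream fix hash and its subject line. Hashes and CVE ids are placeholders.
SAMPLE_CVE_DATA = {
    "CVE-0000-0001": {"4.9": {"fixed": "4.9.200", "hash": "1" * 40, "subject": "net: fix use-after-free in example"}},
    "CVE-0000-0002": {"4.9": {"fixed": "4.9.260", "hash": "2" * 40, "subject": "usb: validate descriptor length"}},
    "CVE-0000-0003": {"4.9": {"fixed": None, "hash": None, "subject": None},
                      "5.4": {"fixed": "5.4.40", "hash": "3" * 40, "subject": "scsi: bound check command"}},
    "CVE-0000-0004": {"5.4": {"fixed": "5.4.50", "hash": "4" * 40, "subject": "fs: check bounds before copy"}},
    "CVE-0000-0005": {"4.9": {"fixed": "4.9.270", "hash": "5" * 40, "subject": "mm: clamp mapping size"}},
    "CVE-0000-0006": {"4.9": {"fixed": None, "hash": None, "subject": None}},
    "CVE-0000-0007": {"4.9": {"fixed": "4.9.265", "hash": "7" * 40, "subject": "tty: guard against null ldisc"}},
}

# Constructed stand-in for `git log` output on the downstream branch as
# (hash, subject, body): CVE-0000-0002 was backported under the same subject
# line, and CVE-0000-0005 was cherry-picked with -x (hash only in the trailer).
SAMPLE_BRANCH_LOG = [
    ("d" * 40, "usb: validate descriptor length", "Backport of upstream fix.\n"),
    ("e" * 40, "tegra: vendor-specific driver change", ""),
    ("f" * 40, "mm: clamp mapping size (backport)", "(cherry picked from commit %s)\n" % ("5" * 40)),
]


def parse_kernel_version(makefile_text: str) -> Version:
    """Read VERSION/PATCHLEVEL/SUBLEVEL from the top-level Makefile text."""
    vals = {}
    for key in ("VERSION", "PATCHLEVEL", "SUBLEVEL"):
        m = re.search(r"^%s\s*=\s*(\d+)\s*$" % key, makefile_text, re.MULTILINE)
        if m is None:
            raise ValueError("Makefile has no %s line" % key)
        vals[key] = int(m.group(1))
    return (vals["VERSION"], vals["PATCHLEVEL"], vals["SUBLEVEL"])


def parse_version(text: str) -> Version:
    """'4.9.253' -> (4, 9, 253); a bare stream label '4.9' -> (4, 9, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def stream_of(kver: Version) -> str:
    return "%d.%d" % kver[:2]


def already_fixed(entry: dict, kver: Version) -> bool:
    # Fixed in a version at or before the current SUBLEVEL => assumed present.
    return entry["fixed"] is not None and parse_version(entry["fixed"]) <= kver


def vercheck(cve: str, data: dict, kver: Version) -> str:
    """kernel-cve-vercheck style answer, from database information only."""
    entry = data.get(cve, {}).get(stream_of(kver))
    if entry is None or already_fixed(entry, kver):
        return "not applicable"  # assumption: no data for this stream == not applicable
    return "outstanding" if entry["fixed"] is None else "patchable"


def scan(data: dict, kver: Version, branch_log: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """kernel-cve-tool style scan: version partition, then search of the branch."""
    stream = stream_of(kver)
    fixed, unfixed = [], []
    for cve, streams in data.items():
        entry = streams.get(stream)
        if entry is not None:  # assumption: CVEs with no data for this stream are skipped
            (fixed if already_fixed(entry, kver) else unfixed).append(cve)
    no_fixes, cherry_picks = [], []
    for cve in unfixed:
        entry = data[cve][stream]
        # A backport counts as present if the upstream hash appears anywhere
        # (e.g. a "cherry picked from commit" trailer) or the subject matches exactly.
        found = any(
            (entry["hash"] is not None and (entry["hash"] == h or entry["hash"] in body))
            or (entry["subject"] is not None and entry["subject"] == subj)
            for h, subj, body in branch_log
        )
        if found:
            fixed.append(cve)
        elif entry["hash"] is not None:
            cherry_picks.append("%s:%s" % (entry["hash"], cve))  # assumed "hash:CVE" format
        else:
            other = next((e for s, e in data[cve].items() if s != stream and e["hash"]), None)
            if other is None:
                no_fixes.append(cve)
            else:
                cherry_picks.append("%s:%s (NOT THIS VERSION)" % (other["hash"], cve))
    return {"PATCHED-CVES": sorted(fixed), "NO-FIXES-AVILABLE": sorted(no_fixes),
            "cherry-picks.list": cherry_picks}
```

Running `scan(SAMPLE_CVE_DATA, parse_kernel_version(SAMPLE_MAKEFILE), SAMPLE_BRANCH_LOG)` puts CVE-0000-0002 and CVE-0000-0005 into the patched list even though their fix versions are later than 4.9.253, because the branch search found them; CVE-0000-0003 lands in the cherry-pick list tagged (NOT THIS VERSION) because only the 5.4 stream carries a hash. Note the difference from vercheck, which never looks at the branch and therefore still reports CVE-0000-0002 as patchable.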

Please note

This code comes with no warranties or assurances as to its suitability for any particular purpose. Use at your own risk.
