1
3
Fork
You've already forked cve_checker
1
A tool for downloading, checking, and applying (CVE) patches to a repository.
This repository has been archived on 2024年12月23日. You can view files and clone it, but you cannot make any changes to its state, such as pushing and creating new issues, pull requests or comments.
  • Java 97.1%
  • Shell 2.9%
Find a file
Tavi 418b552a62
Arbitrary module patching support
Signed-off-by: Tavi <tavi@divested.dev>
2024年10月10日 14:20:01 -04:00
.settings Formatting 2020年06月14日 21:40:33 -04:00
gradle Enable strict dependency verification 2022年08月22日 14:09:40 -04:00
src Arbitrary module patching support 2024年10月10日 14:20:01 -04:00
.classpath Support downloading raw messages from lore.kernel.org 2019年05月31日 20:24:42 -04:00
.gitignore Support downloading raw messages from lore.kernel.org 2019年05月31日 20:24:42 -04:00
.gitlab-ci.yml Update .gitlab-ci.yml file 2021年07月05日 18:23:50 -04:00
.project Support downloading raw messages from lore.kernel.org 2019年05月31日 20:24:42 -04:00
build.gradle Arbitrary module patching support 2024年10月10日 14:20:01 -04:00
gradle.properties Enable strict dependency verification 2022年08月22日 14:09:40 -04:00
LICENSE Going the distance... [pt3] 2024年08月02日 13:04:28 -04:00
Linux_CVE_Patcher.eml Support downloading raw messages from lore.kernel.org 2019年05月31日 20:24:42 -04:00
Linux_CVE_Patcher.iml Fix downloading emtpy patches 2017年10月31日 13:12:56 -04:00
mk_dir_from_list.sh Add a script to create a directory of patches 2021年02月03日 19:08:09 -05:00
README.md Going the distance... [pt3] 2024年08月02日 13:04:28 -04:00

DivestOS CVE Patcher

A tool for downloading, checking, and applying (CVE) patches to a (kernel) repository.

Notes on CVE Patching

  • Patches applied may not be relevant to a device's architecture or hardware
  • Patches can make issues worse, or create new issues
  • Backported patches do not receive much review
  • Patches may not completely mitigate the issue they intend to
  • There are many security patches that do not receive CVEs
  • Linux has many known security issues that go unresolved for years
  • This is not a long-term solution
  • We need more rigorous support lifecycles from upstreams
  • This project is solely made to attempt to improve the security and by extension the lifespan of unsupported devices

Real World Use

  • This project was considered viable by end of 2017 and has been in use since then for DivestOS.
  • The corresponding CVE database is likely one of the largest with support for older kernels.
  • It is currently used for improving the security of the 160+ devices supported by DivestOS, and is tested booting on 65+ of them.
  • It is often near impossible to provide viable mainline support for many vendor altered kernel trees. We believe this project at the very least improves their situation. To ignore this is to be a defeatist. Not everyone can afford the latest shiny thing.
  • Production examples: 20.0, 19.1, 18.1, 17.1, 16.0, 15.1, 14.1

Patch Database

Prebuilts

License

  • AGPL-3.0-or-later

Credits

Quick Start

  • Clone this repo, cd into it, and compile the tool: gradle jar
  • Put the resulting jar into your .bashrc: $DOS_BINARY_PATCHER
  • Clone the patches repo, put it into your .bashrc: $DOS_PATCHES_LINUX_CVES

Adding Patches [maintenance]

Importing CIP Patches [maintenance]

  • Run: ./CIP.sh $PATH_TO_CIP_REPO
  • Run: git diff CIP.txt
  • Manually import the new patches into Kernel_CVE_Patch_List.txt

Importing Linux incremental diffs [maintenance]

  • Open kernel.org in a browser
  • Run: cd 0001-LinuxIncrementals/4.4
  • Run: java -jar $DOS_BINARY_PATCHER linuxIncrDownload 4.x 4.4. 238 > download.sh
  • Run: git diff download.sh
  • Manually run the commands shown in the diff to download the new ones

Importing Linux incremental patches [maintenance]

  • Open kernel.org in a browser
  • Run: cd 0001-LinuxIncrementals/4.4
  • Run: java -jar $DOS_BINARY_PATCHER linuxIncrGen 4.4 238 > generate.sh
  • Run: cd $somewhereElse && git clone https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git && git fetch
  • Run: export incrPath="$PATH_TO/0001-LinuxIncrementals"
  • Run: sh $PATH_TO/generate.sh

Downloading Patches [maintenance]

  • If updating an existing patchset, rm -rf it first
  • Run: java -jar patcher.jar download $DOS_PATCHES_LINUX_CVES/Kernel_CVE_Patch_List.txt

Downloading Entire Repository [maintenance]

  • This will take 1-2 hours
  • You will likely be rate-limited
  • Some patches will be missing as the links may no longer be valid
  • There are a handful of patches that have been added by hand (eg. compressed, or manually backported)
  • Pointing $DOS_PATCHER_INCLUSIVE_KERNEL to a (CIP) combined kernel repo will generate patches locally when possible

Patching

  • Key: $outputDir is where script will be saved, $repoPath is the kernel to be checked, $repoName is vanity name of kernel
  • To patch a kernel directly: java -jar $DOS_BINARY_PATCHER patch direct $DOS_PATCHES_LINUX_CVES $outputDir/ $repoPath/:repoName...
  • To patch a kernel in an AOSP workspace: java -jar $DOS_BINARY_PATCHER patch workspace $workspace/ $DOS_PATCHES_LINUX_CVES $outputDir/ $repoName...

Using the Resulting Scripts

  • This part is entirely up to you
  • They are intended to be run during build time
  • The results of them shouldn't be committed to a tree due to the automated nature

Identifying Failed Patches

  • During compile-time there is an obvious chance it will fail
  • Take the error
  • Run: cd $DOS_PATCHES_LINUX_CVES
  • Run: rg -l $snippet_of_error
  • Check to see if any of those patches were applied
  • Then look at each applied patch to narrow it down
  • Once you find it, you'll want to mark that somewhere. DivestOS has a Fix_CVE_Patchers.sh for tracking/disabling them
  • Generally if it compiles, it boots. However there are patches that can compile and absolutely break boot, see: CVE-2017-13218/4.4/0027.patch

Patch Version Matrix

Version Default Loose Extreme Reverse
3.0 3.0 3.4 3.10, 3.18, 4.4 x
3.4 3.4 3.10 3.18, 4.4 x
3.10 3.10 3.18 4.4 3.4
3.18 3.18 4.4 4.9 x
4.4 4.4 4.9 x x
4.9 4.9 4.14 4.19 x
4.14 4.14 4.19 x x

Implementation Discussions

Examples

Donate