[RFE] Automated Kernel CVE Patching

[SkewedZeppelin]

Description of the feature

I created/maintain a CVE patcher program and repository of Linux CVE patches.
It is primarily for use with my project DivestOS.
However it can with little changes be used with any similar projects.

This is more to start a discussion about possible implementation.
Questions/Feedback welcome.

Links:
Program (GPLv3): https://github.com/Divested-Mobile/cve_checker
Patches (GPLv2): https://github.com/Divested-Mobile/kernel_patches
Patch List (GPLv2): https://raw.githubusercontent.com/Divested-Mobile/kernel_patches/master/Kernel_CVE_Patch_List.txt
Known Patch Incompatibilities (GPLv3): https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Fix_CVE_Patchers.sh

Illustrations

https://gist.github.com/SkewedZeppelin/ad292d9e7dd3cd873805d2587670717a
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-14.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-15.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-16.0/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-17.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-18.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-19.1/CVE_Patchers
https://divestos.org/index.php?page=patch_levels#devices

Other Discussions:

• https://gitlab.com/calyxos/calyxos/-/issues/205
• Automated Kernel CVE Patching hashbang/os#43
• https://gitlab.com/postmarketOS/pmbootstrap/-/issues/1746

[Flohack74]

I don´t think this will work on Android kernels, you will get a ton of conflicts each time. Google chose to diverge from mainline kernels a lot, then on top vendors did apply incomplete patches, or applied them wrongly, in the end even with simple patches one does already struggle with manual patching. I cannot imagine any automatic thing being able to sort all of this out.
Also, automatic things could introduce issues for a device that go undetected for some time. Our QA team would need to test each device manually for the sake of stability after every time the patcher kicked in.
I can see there are scripts for each device, that's a lot of maintenance. I can see the motivation for this idea but honestly this will be too much for our small project.

[SkewedZeppelin]

It very much does work because I've been using it in my DivestOS project for the past three years. The program has explicit support for AOSP workspaces. The patch database contains a vast amount of AOSP and Qualcomm specific patches in addition to mainline Linux ones.

[Flohack74]

Ok please demonstrate against this 2 kernel repos: https://github.com/ubports/android_kernel_oneplus_msm8974 and https://github.com/Flohack74/android_kernel_huawei_angler :)

[SkewedZeppelin]

There are 4 UBPorts repos here including oneplus_msm8974. https://gist.github.com/SkewedZeppelin/ad292d9e7dd3cd873805d2587670717a Those are ubp-5.1 branches. Any other branches you want? Here is a patcher for Flohack74/android_kernel_huawei_angler/halium-7.1 https://gist.github.com/SkewedZeppelin/16de49aa8725b69141abce82a32f173c

[fredldotme]

Would this also work for kernel repos where, instead of merging individual commits, I applied the patch from kernel.org onto the kernel repo?

[SkewedZeppelin]

@fredldotme can you clarify/elaborate what you mean? If you mean incrementals, it has support for that but it makes no attempt to resolve conflicts.

[fredldotme]

If there is a way to tell the script(s) to ignore/revert conflicting patches then I might consider it for the 4.4 based suzu (Xperia X) kernel as a test-drive.
AFAICT it just generates a script which then tries to apply the necessary CVE patches. Shouldn't be too hard to add an || git reset --hard HEAD to it if fails.

[SkewedZeppelin]

to it if fails.

The program outputs a script which only contains patches that were checked to apply successfully. https://gist.github.com/SkewedZeppelin/e3b465bc9ed02f7127992e910580a9d3

[UniversalSuperBox]

Hey @SkewedZeppelin, I think this is really amazing work from what I've seen so far.

Could you walk me through how you use this software from start to finish? For example, is Kernel_CVE_Patch_List.txt collected manually then fed into the program with a link to a repository to create the CVE patcher script? How do you then run the CVE Patcher script? Is all of this automated in a way we can see?

I've been looking through the DOS build scripts and it appears that the CVE patchers in https://github.com/Divested-Mobile/DivestOS-Build/tree/master/Scripts/LineageOS-17.1/CVE_Patchers (for example) are generated by cve_checker, then committed to git. Is that the case? What am I missing here?

I'm pretty sure that this is an absolute must to implement if we can get it working.

[SkewedZeppelin]

@UniversalSuperBox I've just done a big refractor to make the tool easier to use outside of the DivestOS build scripts. I've also added some basic help/commands to the README. It should be enough to get you started. Any questions feel free to ask.

[SkewedZeppelin]

It has been over a year since this issue was opened.
I have updated this gist and the numbers are horrifying.
https://gist.github.com/SkewedZeppelin/ad292d9e7dd3cd873805d2587670717a

If your focus is on mainline devices like the Pinephone, then so be it.
But if people are daily driving these older devices, then something needs to be done.