A tool for downloading, checking, and applying (CVE) patches to a (kernel) repository.
- Patches applied may not be relevant to a device's architecture or hardware
- Patches can make issues worse, or create new issues
- Backported patches do not receive much review
- Patches may not completely mitigate the issue they intend to
- There are many security patches that do not receive CVEs
- Linux has many known security issues that go unresolved for years
- This is not a long-term solution
- We need more rigorous support lifecycles from upstreams
- This project is solely made to attempt to improve the security and by extension the lifespan of unsupported devices
- This project was considered viable by end of 2017 and has been in use since then for DivestOS.
- The corresponding CVE database is likely one of the largest with support for older kernels.
- It is currently used for improving the security of the 160+ devices supported by DivestOS, and is tested booting on 65+ of them.
- It is often near impossible to provide viable mainline support for many vendor altered kernel trees. We believe this project at the very least improves their situation. To ignore this is to be a defeatist. Not everyone can afford the latest shiny thing.
- Production examples: 20.0, 19.1, 18.1, 17.1, 16.0, 15.1, 14.1
- AGPL-3.0-or-later
- Thanks to @z3ntu for Gradle build support
- David Koelle for AlphanumComparator (MIT), http://www.davekoelle.com/alphanum.html
- Clone this repo, cd into it, and compile the tool: gradle jar
- Put the resulting jar into your .bashrc: $DOS_BINARY_PATCHER
- Clone the patches repo, put it into your .bashrc: $DOS_PATCHES_LINUX_CVES
- This is a manual process. CVEs are sourced from the sources listed at the top of Kernel_CVE_Patch_List.txt
- Run: ./CIP.sh $PATH_TO_CIP_REPO
- Run: git diff CIP.txt
- Manually import the new patches into Kernel_CVE_Patch_List.txt
- Open kernel.org in a browser
- Run: cd 0001-LinuxIncrementals/4.4
- Run: java -jar $DOS_BINARY_PATCHER linuxIncrDownload 4.x 4.4. 238 > download.sh
- Run: git diff download.sh
- Manually run the commands shown in the diff to download the new ones
- Open kernel.org in a browser
- Run: cd 0001-LinuxIncrementals/4.4
- Run: java -jar $DOS_BINARY_PATCHER linuxIncrGen 4.4 238 > generate.sh
- Run: cd $somewhereElse && git clone https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git && git fetch
- Run: export incrPath="$PATH_TO/0001-LinuxIncrementals"
- Run: sh $PATH_TO/generate.sh
- If updating an existing patchset, rm -rf it first
- Run: java -jar patcher.jar download $DOS_PATCHES_LINUX_CVES/Kernel_CVE_Patch_List.txt
- This will take 1-2 hours
- You will likely be rate-limited
- Some patches will be missing as the links may no longer be valid
- There are a handful of patches that have been added by hand (eg. compressed, or manually backported)
- Pointing $DOS_PATCHER_INCLUSIVE_KERNEL to a (CIP) combined kernel repo will generate patches locally when possible
- Key: $outputDir is where script will be saved, $repoPath is the kernel to be checked, $repoName is vanity name of kernel
- To patch a kernel directly: java -jar $DOS_BINARY_PATCHER patch direct $DOS_PATCHES_LINUX_CVES $outputDir/ $repoPath/:repoName...
- To patch a kernel in an AOSP workspace: java -jar $DOS_BINARY_PATCHER patch workspace $workspace/ $DOS_PATCHES_LINUX_CVES $outputDir/ $repoName...
- This part is entirely up to you
- They are intended to be run during build time
- The results of them shouldn't be committed to a tree due to the automated nature
- During compile-time there is an obvious chance it will fail
- Take the error
- Run: cd $DOS_PATCHES_LINUX_CVES
- Run: rg -l $snippet_of_error
- Check to see if any of those patches were applied
- Then look at each applied patch to narrow it down
- Once you find it, you'll want to mark that somewhere. DivestOS has a Fix_CVE_Patchers.sh for tracking/disabling them
- Generally if it compiles, it boots. However there are patches that can compile and absolutely break boot, see: CVE-2017-13218/4.4/0027.patch
Version | Default | Loose | Extreme | Reverse |
---|---|---|---|---|
3.0 | 3.0 | 3.4 | 3.10, 3.18, 4.4 | x |
3.4 | 3.4 | 3.10 | 3.18, 4.4 | x |
3.10 | 3.10 | 3.18 | 4.4 | 3.4 |
3.18 | 3.18 | 4.4 | 4.9 | x |
4.4 | 4.4 | 4.9 | x | x |
4.9 | 4.9 | 4.14 | 4.19 | x |
4.14 | 4.14 | 4.19 | x | x |
- https://gitlab.com/cip-project/cip-kernel/cip-kernel-sec
- https://raw.githubusercontent.com/ossf/wg-securing-critical-projects/main/presentations/The_state_of_the_Linux_kernel_security.pdf
- https://www.youtube.com/watch?v=F_Kza6fdkSU
- https://github.com/android-linux-stable
- https://github.com/raymanfx/android-cve-checker
- https://github.com/tdm/vuln-patcher
- AsteroidOS/asteroid#165
- hashbang/os#43
- mobile-nixos/mobile-nixos#383
- ubports/ubuntu-touch#1566
- https://gitlab.com/calyxos/calyxos/-/issues/205
- https://gitlab.com/LineageOS/issues/devrel/-/issues/235
- https://gitlab.com/postmarketOS/pmbootstrap/-/issues/1746
- AsteroidOS/meta-bass-hybris#16
- AsteroidOS/meta-sawfish-hybris#2
- Geofferey/omni_kernel_oneplus_sm8150#1
- GrapheneOS-Archive/kernel_google_marlin#1
- HelloVolla/android_kernel_volla_mt6763#10
- HelloVolla/android_kernel_volla_mt6763#8
- mobile-nixos/mobile-nixos#384
- the-modem-distro/quectel_eg25_kernel#7
- voron00/android_kernel_lge_mako#1
- Bettehem/android_kernel_oneplus_msm8996#1