[RFE] Automated Kernel CVE Patching #1566
Comments
|
I don´t think this will work on Android kernels, you will get a ton of conflicts each time. Google chose to diverge from mainline kernels a lot, then on top vendors did apply incomplete patches, or applied them wrongly, in the end even with simple patches one does already struggle with manual patching. I cannot imagine any automatic thing being able to sort all of this out. |
|
It very much does work because I've been using it in my DivestOS project for the past three years.
The program has explicit support for AOSP workspaces.
The patch database contains a vast amount of AOSP and Qualcomm specific patches in addition to mainline Linux ones.
|
|
Ok please demonstrate against this 2 kernel repos: https://github.com/ubports/android_kernel_oneplus_msm8974 and https://github.com/Flohack74/android_kernel_huawei_angler :) |
|
There are 4 UBPorts repos here including oneplus_msm8974.
https://gist.github.com/SkewedZeppelin/ad292d9e7dd3cd873805d2587670717a
Those are ubp-5.1 branches.
Any other branches you want?
Here is a patcher for Flohack74/android_kernel_huawei_angler/halium-7.1
https://gist.github.com/SkewedZeppelin/16de49aa8725b69141abce82a32f173c
|
|
Would this also work for kernel repos where, instead of merging individual commits, I applied the patch from kernel.org onto the kernel repo? |
|
@fredldotme
can you clarify/elaborate what you mean?
If you mean incrementals, it has support for that but it makes no attempt to resolve conflicts.
|
|
If there is a way to tell the script(s) to ignore/revert conflicting patches then I might consider it for the 4.4 based suzu (Xperia X) kernel as a test-drive. |
|
to it if fails.
The program outputs a script which only contains patches that were checked to apply successfully.
https://gist.github.com/SkewedZeppelin/e3b465bc9ed02f7127992e910580a9d3
|
|
Hey @SkewedZeppelin, I think this is really amazing work from what I've seen so far. Could you walk me through how you use this software from start to finish? For example, is Kernel_CVE_Patch_List.txt collected manually then fed into the program with a link to a repository to create the CVE patcher script? How do you then run the CVE Patcher script? Is all of this automated in a way we can see? I've been looking through the DOS build scripts and it appears that the CVE patchers in https://github.com/Divested-Mobile/DivestOS-Build/tree/master/Scripts/LineageOS-17.1/CVE_Patchers (for example) are generated by cve_checker, then committed to git. Is that the case? What am I missing here? I'm pretty sure that this is an absolute must to implement if we can get it working. |
|
@UniversalSuperBox
I've just done a big refractor to make the tool easier to use outside of the DivestOS build scripts.
I've also added some basic help/commands to the README.
It should be enough to get you started.
Any questions feel free to ask.
|
|
It has been over a year since this issue was opened. If your focus is on mainline devices like the Pinephone, then so be it. |
|
Hi @SkewedZeppelin, thanks for your feedback. I agree that something should be done to improve the security of devices that Ubuntu Touch ships on. I'm very happy that you were able to show us the output via a PR to one of our projects. I also know that I said a year ago that "this is a must to implement if we can get it working." However, after reading the changes that your script has made in HelloVolla/android_kernel_volla_mt6763#10, I see that this approach is very difficult to recommend as the default way we maintain our kernels. This is for a few reasons. You could toss in a complete remote code execution vulnerability through a combination of multiple patches in your repository, and no one would know. No one would see when reviewing each patch individually. In a +5000-2000 review, it'd be missed entirely. Not that I don't trust you, but I also don't want to have to. Also, combining all of the patches into a single commit makes it impossible to see why the change was made. It's also impossible to revert only a single patch if it causes a problem. The script should be bringing in commits so they have the same content (metadata and diff) as kernel.org. Additionally, most of the changes that the tool has made are outside of the code built by the defconfig for the phone. An ARM64 device does not need CVE patches from x86 or s390. These changes do not need to be merged into the kernel tree at all, and are only noise for the review process. The script should learn how to tell if a CVE likely applies to a device and decide whether to patch it based on that. There's another level of review, and that's the review that must be done to make sure the patches applied don't affect other patches in the kernel tree. Not just by conflicting, but by causing unexpected behavior. The script cannot learn how to determine this, it must be a manual review. If manual review fails on the whole set, it must be bisected or, more likely, reapplied patch-by-patch. It's also important to see if a CVE is exploitable and ensure that it is not exploitable after the patch is applied. This leads back to the manual check-review-test-merge-recheck process which is how long-term supported Linux distributions maintain their software with security fixes. For these reasons, I would not merge the output generated by this script today. Nor would I run the script myself. Correcting the patch metadata and ignoring useless patches is possible and might not be too hard of a problem. Doing the review is likely impossible for an automated system, and that's where most of the work in security patching comes from anyway. What I'm most afraid of is that we'll have a false sense of security, leading people to believe that we are safe from the given CVEs even if we are not. A false sense of security is worse than a true, known hole in my mind. What's worse, we will have spent a lot of time to create that false sense of security rather than actually fixing the underlying problems. There are a couple of ways to fix the underlying problems, too. One is even tractable. The first way forward is to "upstream" the downstream kernel (scare quotes used for a reason). This process involves taking kernel.org's latest release for the series and re-applying Mediatek and Volla's patches until it works correctly again. Then it is possible to continue rebasing the patchset on top of the latest LTS releases. For 4.4, those will continue for a while. This certainly isn't easy, but it's a mostly known quantity of work. The second is to mainline the device. Obviously this is not a tenable solution for most devices. It appears that you have noted all of these problems in your documentation for cve_checker. You rightly ask us, then, if the benefits outweigh the risks. Given the output I see today, I'm not sure they do. There is a very real risk that the automated tool creates more or worse security issues than it resolves, and it does not get rid of the real work in maintaining security fixes for downstream kernels. |
PR solely for demonstration purposes. I'd rather see the patches
The process to generate the repository on your own is documented in the program README.
See first comment.
How do you propose to do this? That is an enormous undertaking requiring staffing and infrastructure.
I wouldn't either, see first comment.
More then a false sense of security than running completely insecure kernels?
This would be an excellent start, but what about the other devices you list on your promoted devices page?
4.4 is EOL come January, a while in my book is not 3 months. Unless you plan on rebasing onto the CIP 4.4 branch or have another source in mind.
This is simply not an option today. Yes there are some mainlined devices, but none of them are daily drivable.
Maybe that should be up to your users instead. -- At the very least I ask you to rebase your trees onto the newer LineageOS branches where available. They've been conservatively patched by hand. Lastly, here are two repos that have taken the approach in the first comment: https://github.com/lin18-microG/android_kernel_oneplus_msm8996/commits/lin-18.1-mse3, https://github.com/lin18-microG/android_kernel_sony_msm8974/commits/mse_v1 |
Precisely. What you are proposing is a band-aid over a buckshot wound inflicted with a 10-gauge shotgun fired from the hip at a range of 5 feet. What is really needed to fix the insecure device problem is not a band-aid. The primary work required to patch the kernel is not finding the patches, it's the testing to confirm the CVE is fixed and there weren't any regressions in the huge body of software running on top. I think that makes me more than a little defeatist. What you've created is a great repository of patches that could be required by a given kernel repository. That's invaluable in and of itself. But you haven't removed the requirement of applying all the patches, testing the result, and bisecting the lot if it breaks. Your argument seems to be that we should be doing that work, as a responsibility to the people who use Ubuntu Touch. In that case I agree, but I don't know who will actually do the work. We can work on making Ubuntu Touch exist and grow at all, or we can work on security patching what is becoming increasingly older until no one cares any more and it dies out. Doing both would be ideal (except the dying out part). That is not the reality we exist in. What we need is not a system that automatically adds more work to our plates, it's someone to help with the work. If you want to be the person who
Also a great idea. My next six months are pretty well scheduled, though, how about yours? Or anyone else reading this ._. |
|
eh, I just realized you can't even |
|
i am reading this, but it feels above my current skillset. i'll leave this comment (for now) to bump this issue up for the more skilled with available time to see it. there should be an structural way we can tackle this issue |
|
I think this will never work, tbh :) |
Have I not repeatedly proved it can work? And I've put a lot of work into the database the past year to minimize the number of diffs so that it can be git am'ed, see here these:
I kindly don't understand why anyone maintaining/using ancient kernels wants to ignore this program. edit:
|
If booting was the only worry, I'm sure we would have implemented this already, it is much much more than that. one example, if a kernel bug breaks call audio that has to be caught before someone fails to call am ambulance in an emergency. we cannot have some user critical function breaking under any circumstance ;) perhaps an example in order: the postmarketos are doing an outstanding job at mainlining android devices, they have over 200 of them already booting on mainline linux. However as wonderful of a job they have done, as of right now 4 years in the making, not one is ready as a daily driver device
I think that's the real issue, we currently aren't really maintaining atm because there is so much work involved and so little volunteers to do that work. there is even some talk now and then if support for certain devices should be dropped, even some of the devices you've listed ironically enough. But let's put this in perspective, there are a handful of developers (literally, you can count them on one hand) that are maintaining the entire graphics stack, the entire build infrastrucuture, all 400 repositories across github and gitlab, managing pull requests, triaging issues, debugging bugs in the operating system, upgrading from 15.04 (yes ubuntu touch is still based on 16.04) to 20.04, migrating all the repositories to one platform (gitlab) moderating all community groups, informing the community of progress on various fronts and much more. so i agree with florian
without a proper structural approach this simply won't work in the long terms speaking of which @Flohack74, I've been thinking the past few days that perhaps the majority of devices could be done by the maintainers as well......maybe |
It is tested working on 17 devices, and reported working by users on 38 devices.
Flip this around! What happens when one of your user's ends up with malware exploiting one of these issues and ends up with an empty bank account or their documents and photos held hostage by ransomware?
But many of these actually cannot make calls. Three of your flagship devices aren't even patched against wide-spread, well-known, covered in the media issues like DirtyCow along with no encryption support (#178 ) yet still write on the home page:
Kindly if you want to keep shipping these awful kernels please close this and do a writeup informing your users on the dire situation. |
if you can reliably test and can get it tested, i would encourage you to document that if or when such PRs are submitted. If multiple users (ideally users that actually depend on the phone working as a phone) can attest it doesn't break anything there's nothing preventing us from merging such PRs, the main point is and always is, the few devs working on/with everything cannot and should not take on more work, we've already had someone (read mulitple people) burn out from all the stress and workload (including dalton, which you can see hasn't reacted)
this is fair and the reason i revived this issue, my main point is ideally we have fully functional phones that do not regress due to automated patching
that's my point, it was a reaction to you saying
Booting is just one milestone, in fact it is the very first milestone you have to reach when porting, the real work start after you got it booting
honestly that flagship page should be updated. word of mouth says the current flagships are the pixel 3a, the vollaphone and uh what else 🤔 i don't think i name 5 hmmmm i would point to devices.ubuntu-touch.io but out of the top 5 the mi a2 has no maintainer afaict, and the BQs may not even be supported for long (tho that isn't known yet, we still don't know if they will make the cut in the long term) and that list might need to be cut down to about 45 (As those are installable with the ubports installer the easiest and recommended entry point we have for new users)
the situation is much more dire than just outdated channels if we're honest, we're currently working on updating from a 6 year old base to a 2 year old base, this is including on devices with newer kernels, that work can be seen here: https://gitlab.com/groups/ubports/development/core/-/boards Long story short, if you are willing/able to submit pull requests against specific devices and enough users can attest on that pull request that the device is still fully functional, by all means please do. I'm sure those pull requests will be merged provided enough evidence that there are no regressions. If you have a telegram account i would also like to invite you to join us in our porting group @ubports_porting, to help us convince and motivate the various maintainers and porters of various devices to also look into fixing and securing their kernel (there 30+ porters....very rough estimate.......and much less maintainers) tldr; we need manpower, we ain't got enough and we're painfully aware of that but we ain't giving up. |
Description of the feature
I created/maintain a CVE patcher program and repository of Linux CVE patches.
It is primarily for use with my project DivestOS.
However it can with little changes be used with any similar projects.
This is more to start a discussion about possible implementation.
Questions/Feedback welcome.
Links:
Program (GPLv3): https://github.com/Divested-Mobile/cve_checker
Patches (GPLv2): https://github.com/Divested-Mobile/kernel_patches
Patch List (GPLv2): https://raw.githubusercontent.com/Divested-Mobile/kernel_patches/master/Kernel_CVE_Patch_List.txt
Known Patch Incompatibilities (GPLv3): https://github.com/Divested-Mobile/DivestOS-Build/blob/master/Scripts/Common/Fix_CVE_Patchers.sh
Illustrations
https://gist.github.com/SkewedZeppelin/ad292d9e7dd3cd873805d2587670717a
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-14.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-15.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-16.0/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-17.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-18.1/CVE_Patchers
https://gitlab.com/divested-mobile/divestos-build/-/tree/master/Scripts/LineageOS-19.1/CVE_Patchers
https://divestos.org/index.php?page=patch_levels#devices
Other Discussions:
The text was updated successfully, but these errors were encountered: