I am working on a project that includes building an old kernel version of linux. This is fine, but I still need to patch the kernel of all previously found security vulnerabilities based on CVEs. I have the CVEs and have extracted the names of the vulnerable files mentioned in them, along with the kernel versions it affects.
So far, I have found about 150 potential vulnerabilities that could affect my build, but obviously some of them affect files relevant to graphics drivers that I don't use. So far, I have just gone through the list manually, checking if the files are included by using make menuconfig, and cating Kconfig in relevant folders. This has worked alright so far, but these methods don't show the actual file names (e.g. ipc/sem.c) so it takes more work than necessary.
Ideally, I would like to somehow print a list of all the files that will be included in my build, and then just write a script to check if vulnerable files are included.
How can I find the names of ever source file (e.g. ipc/sem.c) that will be included in my build?
Do the build, then list the .o files. I think every .c or .S file that takes part in the build is compiled into a .o file with a corresponding name. This won't tell you if a security issue required a fix in a header file that's included in the build.
make vmlinux modules
find -name '*.o' -exec sh -c '
for f; do for x in c S; do [ -e "${f%.o}.$x" ] && echo "${f%.o}.$x"; done; done
' _ {} +
A more precise method is to put the sources on a filesystem where access times are stored, and do the build. Files whose access time is not updated by the build were not used in this build.
touch start.stamp
make vmlinux modules
find -type f -anewer start.stamp
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments