mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-01-13 03:20:50 +00:00
Code Issues Projects Releases Wiki Activity
Files
mut
meta-security/scripts/cvert-kernel
Andrii Bordunov via Openembedded-core 0fc645a946 cvert-kernel - generate CVE report for the Linux kernel 
NVD entries for the Linux kernel are almost always outdated.
For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
is shown as matched for "versions up to (including) 4.15.7",
however the patch 57ebd808a97d has been back ported for 4.14.

By default, it checks NVD Resource entries for the patch
URLs and looks for the commits in the local GIT tree.

Additionaly ("--resource") it checks other resources, that
may have up-to-date CVE data. You can combine resources and
decide which one you want to be based on.

Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2019-05-26 21:58:33 -07:00

380 lines
13 KiB
Python
Executable File
Raw Permalink Blame History

#!/usr/bin/env python3
#
# Copyright (c) 2018 by Cisco Systems, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
""" Generate CVE report for the given Linux kernel GIT branch
"""
import re
import sys
import argparse
import textwrap
import subprocess
import logging
import logging.config
import cvert
def report_kernel():
"""Generate Linux kernel CVE report"""
parser = argparse.ArgumentParser(
formatter_class=argparse.RawDescriptionHelpFormatter,
description=textwrap.dedent("""
Generate CVE report for the Linux kernel.
Inspect Linux kernel GIT tree and find all CVE patches commits.
"""),
epilog=textwrap.dedent("""
@ run examples:
# Download (update) NVD feeds in "nvdfeed" directory
# and prepare the report for the "kernel-sources" directory
%% %(prog)s --feed-dir nvdfeed --output report-kernel.txt kernel-sources
# Use existed NVD feeds in "nvdfeed" directory
# and prepare the report for the "kernel-sources" directory
%% %(prog)s --offline --feed-dir nvdfeed --output report-kernel.txt kernel-sources
# (faster) Restore CVE dump from "cvedump" (must exist)
# and prepare the report for the "kernel-sources" directory
%% %(prog)s --restore cvedump --output report-kernel.txt kernel-sources
# Restore CVE dump from "cvedump" (must exist)
# and prepare the extended report for the "kernel-sources" directory
%% %(prog)s --restore cvedump --show-description --show-reference --output report-kernel.txt kernel-sources
@ report example output (NVD resource):
# 2018-10-10 15:41:52,213 %% CVERT %% INFO %% kernel version: 4.9.132
. patched | 3.3 | CVE-2017-17807 | nvd: KEYS: add missing permission check for request_key() destination
unpatched | 3.3 | CVE-2017-17864 |
unpatched | 4.4 | CVE-2016-9604 |
unpatched | 4.4 | CVE-2017-12153 |
unpatched | 4.4 | CVE-2017-14051 |
. patched | 4.6 | CVE-2017-8924 | nvd: USB: serial: io_ti: fix information leak in completion handler
unpatched | 4.7 | CVE-2017-17449 |
. patched | 4.7 | CVE-2017-18203 | nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
. patched | 4.7 | CVE-2017-18224 | nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
. patched | 4.7 | CVE-2018-1065 | nvd: netfilter: add back stackpointer size checks
...
@ report example output (NVD+LKC resource):
# 2018-10-10 15:46:05,902 %% CVERT %% INFO %% kernel version: 4.9.132
. patched | 3.3 | CVE-2017-17807 | nvd: KEYS: add missing permission check for request_key() destination
unpatched | 3.3 | CVE-2017-17864 |
. patched | 4.4 | CVE-2016-9604 | lkc: a5c6e0a76817a3751f58d761aaff7c0b0c4001ff
. patched | 4.4 | CVE-2017-12153 | lkc: c820441a7a52e3626aede8df94069a50a9e4efdb
. patched | 4.4 | CVE-2017-14051 | lkc: 2a913aecc4f746ce15eb1bec98b134aff4190ae2
. patched | 4.6 | CVE-2017-8924 | nvd: USB: serial: io_ti: fix information leak in completion handler
. patched | 4.7 | CVE-2017-17449 | lkc: 0b18782288a2f1c2a25e85d2553c15ea83bb5802
. patched | 4.7 | CVE-2017-18203 | nvd: dm: fix race between dm_get_from_kobject() and __dm_destroy()
. patched | 4.7 | CVE-2017-18224 | nvd: ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
. patched | 4.7 | CVE-2018-1065 | nvd: netfilter: add back stackpointer size checks
...
"""))
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument("-f", "--feed-dir", help="feeds directory")
group.add_argument("-d", "--restore", help="load CVE data structures from file",
metavar="FILENAME")
parser.add_argument("--offline", help="do not update from NVD site",
action="store_true")
parser.add_argument("-o", "--output", help="save report to the file")
parser.add_argument("-k", "--kernel-ver", help='overwrite kernel version, '
'default is "make kernelversion"',
metavar="VERSION")
parser.add_argument("--show-description", help='show "Description" in the report',
action="store_true")
parser.add_argument("--show-reference", help='show "Reference" in the report',
action="store_true")
parser.add_argument("-r", "--resource", help='resources: e.g.: "--resource nvd lkc"',
nargs="+", default=["nvd"])
parser.add_argument("--patched", help="patched CVE IDs",
nargs="+", default=[])
parser.add_argument("--debug", help="print debug messages",
action="store_true")
parser.add_argument("kernel_dir", help="kernel GIT directory",
metavar="kernel-dir")
args = parser.parse_args()
logging.config.dictConfig(cvert.logconfig(args.debug))
kernel_dir = args.kernel_dir
if args.restore:
cve_struct = cvert.load_cve(args.restore)
elif args.feed_dir:
cve_struct = cvert.update_feeds(args.feed_dir, args.offline)
if not cve_struct and args.offline:
parser.error("No CVEs found. Try to turn off offline mode or use other file to restore.")
if args.output:
output = open(args.output, "w")
else:
output = sys.stdout
if args.kernel_ver:
kernel_ver = args.kernel_ver
else:
kernel_ver = get_version(kernel_dir)
logging.info("kernel version: %s", kernel_ver)
if "lkc" in args.resource:
lkc_ctx = prepare_lkc()
commits = get_commits(kernel_dir)
report = cvert.generate_report({"linux_kernel": {kernel_ver: list(args.patched)}}, cve_struct)
for cve in report:
cve["comment"] = ""
if "nvd" in args.resource and cve["status"] == "unpatched":
process_nvd(cve, kernel_dir, commits)
if "lkc" in args.resource and cve["status"] == "unpatched":
process_lkc(cve, kernel_dir, commits, lkc_ctx)
print_report(report,
show_description=args.show_description,
show_reference=args.show_reference,
output=output)
if args.output:
output.close()
def process_nvd(cve, kernel_dir, commits):
"""Process NVD references.
Sometimes NVD "Reference" contains a link to the commit in the GIT
upstream mainline.
First, look if we have that commit ID in the current local GIT
branch. It happens if you created local branch after CVE has been
fixed in mainline.
Otherwise, don't give up, and try to find the same headline
commit. It works if local GIT tree has up-to-date mainline branch
fetched.
That is all we can do having only mainline commit ID.
"""
for url in cve["reference"]:
iden = get_iden(url)
if iden and iden in commits["iden"]:
mark_patched(cve, "nvd: {0}".format(iden.decode()))
return
head = get_headline(kernel_dir, iden)
if head and head in commits["head"]:
mark_patched(cve, "nvd: {0}".format(head.decode()))
return
def process_lkc(cve, kernel_dir, commits, ctx):
"""Process Linux Kernel CVEs approach
[https://github.com/nluedtke/linux_kernel_cves]
"kernel" context contains mainline "fixes" commit ID. So, check
with that first.
"stream" context contains backported "cmd_id" for other upstream
branches. Check accordingly.
If no commit ID found in local current branch, than look for the
same headline commits. Rarely backported commit has different
headline, so look at the "cmt_msg" first.
"""
iden_candidats = []
try:
iden = ctx["kernel"][cve["CVE"]]["fixes"].encode()
except KeyError:
logging.debug("%s: commit ID not found", cve["CVE"])
iden = None
if iden:
iden_candidats.append(iden)
if iden in commits["iden"]:
mark_patched(cve, "lkc: {0}".format(iden.decode()))
return
if cve["CVE"] in ctx["stream"]:
for kver in ctx["stream"][cve["CVE"]]:
try:
iden = ctx["stream"][cve["CVE"]][kver]["cmt_id"].encode()
except KeyError:
logging.debug("%s: commit ID not found", cve["CVE"])
iden = None
if iden:
iden_candidats.append(iden)
if iden in commits["iden"]:
mark_patched(cve, "lkc: {0}".format(iden.decode()))
return
try:
head = ctx["kernel"][cve["CVE"]]["cmt_msg"].encode()
except KeyError:
logging.debug("%s: commit message header not found", cve["CVE"])
head = None
if head and head in commits["head"]:
mark_patched(cve, "lkc: {0}".format(head.decode()))
return
# last chance
for iden in iden_candidats:
head = get_headline(kernel_dir, iden)
if head and head in commits["head"]:
mark_patched(cve, "lkc: {0}".format(head.decode()))
return
def prepare_lkc():
"""Prepare LKC context."""
import urllib.request
import json
ctx = {}
url_base = "https://github.com/nluedtke/linux_kernel_cves/raw/master"
with urllib.request.urlopen(url_base + "/kernel_cves.json") as url:
ctx["kernel"] = json.loads(url.read().decode())
with urllib.request.urlopen(url_base + "/stream_fixes.json") as url:
ctx["stream"] = json.loads(url.read().decode())
return ctx
def mark_patched(cve, comment=""):
"""Put a "patched" mark for the CVE."""
cve["status"] = "patched"
cve["comment"] = comment
def get_version(kernel_dir):
"""Return kernel version."""
return subprocess.check_output(
["make", "kernelversion"],
cwd=kernel_dir,
stderr=subprocess.DEVNULL
).decode().rstrip()
def get_commits(kernel_dir):
"""Return GIT commits dict."""
commits = {"iden": [], "head": []}
for gitlog in subprocess.check_output(["git", "log", "--format=%H %s"],
cwd=kernel_dir,
stderr=subprocess.DEVNULL
).splitlines():
oneline = gitlog.split(maxsplit=1)
if len(oneline) > 1:
commits["head"].append(oneline[1])
else:
commits["head"].append(b"")
commits["iden"].append(oneline[0])
return commits
def get_iden(url):
"""Return kernel commit ID from URL."""
commit_re = [
r"^http://git\.kernel\.org/cgit/linux/kernel/git/torvalds/linux\.git/commit/\?id=(.+)$",
r"^https?://github\.com/torvalds/linux/commit/(.+)$"
]
for regexp in commit_re:
matched = re.match(regexp, url)
if matched:
return matched.group(1)
return None
def get_headline(kernel_dir, iden):
"""Return commit headline."""
if not iden:
return None
try:
head = subprocess.check_output(["git", "show",
"--no-patch",
"--format=%s",
iden],
cwd=kernel_dir,
stderr=subprocess.DEVNULL
).rstrip()
except subprocess.CalledProcessError:
logging.debug("%s: commit ID not found", iden)
head = None
return head
def print_report(report, width=70, show_description=False, show_reference=False, output=sys.stdout):
"""Output kernel report."""
for cve in report:
print("{0:>9s} | {1:>4s} | {2:18s} | {3}".format(cve["status"], cve["CVSS"],
cve["CVE"], cve["comment"]),
file=output)
if show_description:
print("{0:>9s} + {1}".format(" ", "Description"), file=output)
for lin in textwrap.wrap(cve["description"], width=width):
print("{0:>9s} {1}".format(" ", lin), file=output)
if show_reference:
print("{0:>9s} + {1}".format(" ", "Reference"), file=output)
for url in cve["reference"]:
print("{0:>9s} {1}".format(" ", url), file=output)
if __name__ == "__main__":
report_kernel()
Reference in New Issue View Git Blame Copy Permalink