From 04d905b5ff7d3860f22d81362307c32107a25bd1 Mon Sep 17 00:00:00 2001
From: Radomir Vrbovsky <rvrbovsk@redhat.com>
Date: Thu, 11 Sep 2025 15:41:08 +0200
Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules

JIRA: https://issues.redhat.com/browse/RHEL-103845
Upstream: RHEL-ONLY

Enhances the list subcommand to display the CVE identifiers addressed
by each installed patch module.

The CVEs are extracted directly from the RPM changelogs of the
corresponding
modules, giving users clearer insight into the security issues mitigated
by livepatch updates.

V2:
* Remove temporary files in favor of associative arrays
* Use printf and sed for indentation instead of a loop

V3:
* Syntactic changes using ShellCheck

Resolves: RHEL-103845
Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
---
 ...st-CVEs-for-loaded-livepatch-modules.patch | 101 ++++++++++++++++++
 kpatch.spec                                   |   8 +-
 2 files changed, 108 insertions(+), 1 deletion(-)
 create mode 100644 0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch

diff --git a/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch b/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
new file mode 100644
index 0000000..e9d75a5
--- /dev/null
+++ b/0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
@@ -0,0 +1,101 @@
+From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
+From: Radomir Vrbovsky <rvrbovsk@redhat.com>
+Date: Tue, 9 Sep 2025 21:56:27 +0200
+Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
+
+JIRA: https://issues.redhat.com/browse/RHEL-103845
+Upstream: RHEL-ONLY
+
+Enhances the list subcommand to display the CVE identifiers addressed
+by each installed patch module.
+
+The CVEs are extracted directly from the RPM changelogs of the corresponding
+modules, giving users clearer insight into the security issues mitigated
+by livepatch updates.
+
+V2:
+* Remove temporary files in favor of associative arrays
+* Use printf and sed for indentation instead of a loop
+
+V3:
+* Syntactic changes using ShellCheck
+
+Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
+---
+ kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/kpatch/kpatch b/kpatch/kpatch
+index c16a108..f029b59 100755
+--- a/kpatch/kpatch
++++ b/kpatch/kpatch
+@@ -24,12 +24,15 @@
+ # displaying information about kernel patch modules installed on the system.
+ 
+ INSTALLDIR=/var/lib/kpatch
++RPMINSTALLDIR=/lib/kpatch
+ SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
+ VERSION="0.9.10"
+ POST_ENABLE_WAIT=15	# seconds
+ POST_SIGNAL_WAIT=60	# seconds
+ MODULE_REF_WAIT=15	# seconds
+ 
++declare -A CVE_LIST
++
+ # How many times to try loading the patch if activeness safety check fails.
+ MAX_LOAD_ATTEMPTS=5
+ # How long to wait before retry, in seconds.
+@@ -446,6 +449,32 @@ get_module_version() {
+ 	MODVER="${MODVER/ */}"
+ }
+ 
++query_module_cves() {
++	local module=$1
++	local rpm_log
++	local cve_list
++
++	[[ -z "$module" ]] && return
++
++	rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
++	[[ -z "$rpm_log" ]] && return
++
++	cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
++
++	CVE_LIST[$MODNAME]=$cve_list
++}
++
++query_cves() {
++	for kdir in "$RPMINSTALLDIR"/*; do
++		[[ -e "$kdir" ]] || continue
++		for module in "$kdir"/*.ko; do
++			[[ -e "$module" ]] || continue
++			mod_name "$module"
++			query_module_cves "$module"
++		done
++	done
++}
++
+ unset MODULE
+ 
+ # Initialize the $SYSFS var.  This only works if the core module has been
+@@ -593,6 +622,7 @@ case "$1" in
+ 
+ "list")
+ 	[[ "$#" -ne 1 ]] && usage
++	query_cves
+ 	echo "Loaded patch modules:"
+ 	for module in "$SYSFS"/*; do
+ 		if [[ -e "$module" ]]; then
+@@ -605,6 +635,9 @@ case "$1" in
+ 							 || state="disabled"
+ 			fi
+ 			echo "$modname [$state]"
++			if [[ -v "CVE_LIST[$MODNAME]" ]]; then
++				printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
++			fi
+ 		fi
+ 	done
+ 	show_stalled_processes
+-- 
+2.48.1
+
diff --git a/kpatch.spec b/kpatch.spec
index 36df4c7..fa7dac5 100644
--- a/kpatch.spec
+++ b/kpatch.spec
@@ -2,7 +2,7 @@
 
 Name:		kpatch
 Version:	0.9.10
-Release:	3%{?dist}
+Release:	10%{?dist}
 Summary:	Dynamic kernel patch manager
 
 Group:		System Environment/Kernel
@@ -15,6 +15,7 @@ Source1:	kpatch-dnf-v%{kpatch_dnf_ver}.tar.gz
 Patch0:		0001-contrib-disable-upstart-kpatch.conf-install.patch
 Patch1:		0002-kpatch-clarify-unload-unsupport.patch
 Patch2:		0003-do-not-rm-selinux-rpm-owned-directory.patch
+Patch3:		0004-kpatch-List-CVEs-for-loaded-livepatch-modules.patch
 
 # Upstream backports (inactive -- for future reference)
 #Patch100:	0100-xxx.patch
@@ -51,6 +52,7 @@ kpatch-patch packages updates.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 # Use this to apply upstream patches to kpatch
 #%patch100 -p1
 
@@ -92,6 +94,10 @@ echo "To enable automatic kpatch-patch subscription, run:"
 echo -e "\t$ dnf kpatch auto"
 
 %changelog
+* Thu Sep 11 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-10
+- Rebase kpatch with upstream to v0.9.10 (RHEL-113130)
+- Provide a list of CVEs currently patched using live patches (RHEL-103845)
+
 * Fri Mar 07 2025 Rado Vrbovsky <rvrbovsk@redhat.com> 0.9.7-3
 - Rebase kpatch DNF plugin with upstream to 0.5 (RHEL-77113)