102 lines
2.6 KiB
Diff
102 lines
2.6 KiB
Diff
From a80d2aa1381b901ec0e1da547b607b66e7bd96a1 Mon Sep 17 00:00:00 2001
|
|
From: Radomir Vrbovsky <rvrbovsk@redhat.com>
|
|
Date: Tue, 9 Sep 2025 21:56:27 +0200
|
|
Subject: [PATCH] kpatch: List CVEs for loaded livepatch modules
|
|
|
|
JIRA: https://issues.redhat.com/browse/RHEL-103845
|
|
Upstream: RHEL-ONLY
|
|
|
|
Enhances the list subcommand to display the CVE identifiers addressed
|
|
by each installed patch module.
|
|
|
|
The CVEs are extracted directly from the RPM changelogs of the corresponding
|
|
modules, giving users clearer insight into the security issues mitigated
|
|
by livepatch updates.
|
|
|
|
V2:
|
|
* Remove temporary files in favor of associative arrays
|
|
* Use printf and sed for indentation instead of a loop
|
|
|
|
V3:
|
|
* Syntactic changes using ShellCheck
|
|
|
|
Signed-off-by: Radomir Vrbovsky <rvrbovsk@redhat.com>
|
|
---
|
|
kpatch/kpatch | 33 +++++++++++++++++++++++++++++++++
|
|
1 file changed, 33 insertions(+)
|
|
|
|
diff --git a/kpatch/kpatch b/kpatch/kpatch
|
|
index c16a108..f029b59 100755
|
|
--- a/kpatch/kpatch
|
|
+++ b/kpatch/kpatch
|
|
@@ -24,12 +24,15 @@
|
|
# displaying information about kernel patch modules installed on the system.
|
|
|
|
INSTALLDIR=/var/lib/kpatch
|
|
+RPMINSTALLDIR=/lib/kpatch
|
|
SCRIPTDIR="$(readlink -f "$(dirname "$(type -p "$0")")")"
|
|
VERSION="0.9.10"
|
|
POST_ENABLE_WAIT=15 # seconds
|
|
POST_SIGNAL_WAIT=60 # seconds
|
|
MODULE_REF_WAIT=15 # seconds
|
|
|
|
+declare -A CVE_LIST
|
|
+
|
|
# How many times to try loading the patch if activeness safety check fails.
|
|
MAX_LOAD_ATTEMPTS=5
|
|
# How long to wait before retry, in seconds.
|
|
@@ -446,6 +449,32 @@ get_module_version() {
|
|
MODVER="${MODVER/ */}"
|
|
}
|
|
|
|
+query_module_cves() {
|
|
+ local module=$1
|
|
+ local rpm_log
|
|
+ local cve_list
|
|
+
|
|
+ [[ -z "$module" ]] && return
|
|
+
|
|
+ rpm_log=$(rpm -q --changelog "$(rpm -q --whatprovides "$module")")
|
|
+ [[ -z "$rpm_log" ]] && return
|
|
+
|
|
+ cve_list=$(echo "$rpm_log" | grep -oP '.*{\K[^}]+' | grep -o 'CVE[0-9-]\+' | sort -n | uniq)
|
|
+
|
|
+ CVE_LIST[$MODNAME]=$cve_list
|
|
+}
|
|
+
|
|
+query_cves() {
|
|
+ for kdir in "$RPMINSTALLDIR"/*; do
|
|
+ [[ -e "$kdir" ]] || continue
|
|
+ for module in "$kdir"/*.ko; do
|
|
+ [[ -e "$module" ]] || continue
|
|
+ mod_name "$module"
|
|
+ query_module_cves "$module"
|
|
+ done
|
|
+ done
|
|
+}
|
|
+
|
|
unset MODULE
|
|
|
|
# Initialize the $SYSFS var. This only works if the core module has been
|
|
@@ -593,6 +622,7 @@ case "$1" in
|
|
|
|
"list")
|
|
[[ "$#" -ne 1 ]] && usage
|
|
+ query_cves
|
|
echo "Loaded patch modules:"
|
|
for module in "$SYSFS"/*; do
|
|
if [[ -e "$module" ]]; then
|
|
@@ -605,6 +635,9 @@ case "$1" in
|
|
|| state="disabled"
|
|
fi
|
|
echo "$modname [$state]"
|
|
+ if [[ -v "CVE_LIST[$MODNAME]" ]]; then
|
|
+ printf "%s\n" "${CVE_LIST[$MODNAME]}" | sed 's/^/\t/'
|
|
+ fi
|
|
fi
|
|
done
|
|
show_stalled_processes
|
|
--
|
|
2.48.1
|
|
|