This content has been written a long time ago. As such, it might not reflect my current thoughts anymore. I keep this page online because it might still contain valid information.

Patching Linux Kernel (Raspbian & CVE-2016-0728)

CVE-2016-0728 has been disclosed earlier this week and it is a security issue that affects most of the Linux kernel versions (3.8 and upper). While the bundled exploit seems tricky to successfully use, it is still a flaw that has to be fixed.

I play with some Raspberry Pi for a while now and they all run raspbian, a Debian-based distribution for Raspberry Pi. I tried to apt-get update && apt-get upgrade one of them but nothing new was available, i.e. no patched version available. At the time of writing, there was only a single unanswered issue on the Raspberry Pi kernel GitHub repository. I jumped into the source code and the code seemed vulnerable to me, at least according to the patch and what I understood from the report.

I wanted to run a patched kernel version, so I looked into kernel compilation. You will find the different steps I followed to build, install and run a patched Linux kernel thereafter:

  1. First, the bc package is needed (apt-get install bc), then linux kernel sources have to be cloned:

     git clone --depth=1 https://github.com/raspberrypi/linux
    

    Longest git checkout ever!

  2. In order to compile a new kernel version, we have to slighty update its name. I edited the EXTRAVERSION variable in the Makefile:

     head Makefile -n 4
    

     VERSION = 4
     PATCHLEVEL = 1
     SUBLEVEL = 15
     EXTRAVERSION = +will
    
  3. Now let’s fetch the patch for this vulnerability, and apply it:

     curl https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 | patch -p1
    
  4. So far so good. Before compiling the kernel, we have to instruct which kernel we wish to build, then we can build the related configuration:

     export KERNEL=kernel7
     make bcm2709_defconfig
    
  5. Time to compile the kernel and its modules:

     make -j4 zImage modules dtbs
    
  6. It was taking ages, so I started to write this blog post… At some point, compilation successfully ended. Let’s install this brand new kernel:

     sudo make modules_install
     sudo cp arch/arm/boot/dts/*.dtb /boot/
     sudo cp arch/arm/boot/dts/overlays/*.dtb* /boot/overlays/
     sudo cp arch/arm/boot/dts/overlays/README /boot/overlays/
     sudo scripts/mkknlimg arch/arm/boot/zImage /boot/$KERNEL.img
    
  7. And now, time to try it for real (fingers crossed):

     uname -a
     Linux raspberrypi 4.1.15-v7+ #831 SMP Tue Jan 19 18:39:46 GMT 2016 armv7l GNU/Linux
    

     sudo reboot
    

     uname -a
     Linux raspberrypi 4.1.15+will-v7+ #1 SMP Thu Jan 21 02:09:58 CET 2016 armv7l GNU/Linux
    

Achievement unlocked \o/

Feel free to fork and edit this post if you found a typo, thank you so much! This post is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

Comments

No comments here. You can reply on Twitter or send me an email if you prefer.