Patching the Linux kernel (Raspbian & CVE-2016-0728)Clermont-Fd, France
2022-03-11 // I proofread this article and removed dead links.
CVE-2016-0728 has been disclosed earlier this week and it is a serious security issue. The vulnerability affects most of the Linux kernel versions (3.8 and above). Although the exploit seems tricky to successfully use, it is still a flaw that has to be patched ASAP.
I use a few Raspberry Pis for a while now and they all run
Raspbian, a Debian-based distribution for Raspberry
Pi. I tried to
apt-get update && apt-get (dist-)upgrade one of them but
nothing new was available, i.e. no patched version available.
At the time of writing, there was only this single unanswered issue on the Raspberry Pi kernel GitHub repository. I looked into the Kernel source code and the code seemed vulnerable to me (according to the patch and what I understood from the report).
I wanted to run a patched kernel version therefore I decided to compile the Linux kernel. You will find the different steps I followed to build, install and run a patched Linux kernel below:
bcpackage is needed (
apt-get install bc), then the kernel sources have to be cloned:
$ git clone --depth=1 https://github.com/raspberrypi/linux
Longest git checkout ever!
In order to compile a new kernel version, we have to slighty update its name. I edited the
EXTRAVERSIONvariable in the
$ head Makefile -n 4 VERSION = 4 PATCHLEVEL = 1 SUBLEVEL = 15 EXTRAVERSION = +will
Now let’s fetch the patch for this vulnerability, and apply it:
$ curl https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/patch/?id=23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 | patch -p1
So far so good. Before compiling the kernel, we have to instruct which kernel we wish to build, then we can build the related configuration:
$ export KERNEL=kernel7 $ make bcm2709_defconfig
Time to compile the kernel and its modules:
$ make -j4 zImage modules dtbs
I started to write this blog post while it was still compiling… At some point, compilation successfully ended. Let’s install this brand new kernel:
$ sudo make modules_install $ sudo cp arch/arm/boot/dts/*.dtb /boot/ $ sudo cp arch/arm/boot/dts/overlays/*.dtb* /boot/overlays/ $ sudo cp arch/arm/boot/dts/overlays/README /boot/overlays/ $ sudo scripts/mkknlimg arch/arm/boot/zImage /boot/$KERNEL.img
And now, time to try it for real (fingers crossed):
$ uname -a Linux raspberrypi 4.1.15-v7+ #831 SMP Tue Jan 19 18:39:46 GMT 2016 armv7l GNU/Linux
$ sudo reboot
$ uname -a Linux raspberrypi 4.1.15+will-v7+ #1 SMP Thu Jan 21 02:09:58 CET 2016 armv7l GNU/Linux
Achievement unlocked \o/
Feel free to fork and edit this post if you find a typo, thank you so much! This post is licensed under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.
No comments here. You can get in touch with me on Mastodon or send me an email if you prefer.