author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-16 11:37:04 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-02-16 11:37:04 +0100 |
commit | 5e2c7ae49a3b342b3e4ea4f70e696989fcfaed38 (patch) | |
tree | e9f901ee7e4b70471b1896547121becd14ef8e1e | |
parent | c1d799aa536c047e333d639d388fed425fbd5fd3 (diff) | |
bippy: handle the git ranges properly and reference all commits
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rwxr-xr-x | scripts/bippy | 148 |
1 files changed, 120 insertions, 28 deletions
diff --git a/scripts/bippy b/scripts/bippy
index 42982939..5d45fad5 100755
--- a/scripts/bippy
+++ b/scripts/bippy
@@ -236,6 +236,7 @@ if [[ "${GIT_SHA_FULL}" == "" ]] ; then
 echo "error: git id ${GIT_SHA} is not found in the tree at ${KERNEL_TREE}"
 exit 1
 fi
+GIT_SHA_SHORT=$(cd ${KERNEL_TREE} && git log -1 --abbrev=12 --format="%h" "${GIT_SHA_FULL}")
 # Get the subject line of our sha
 subject=$(cd ${KERNEL_TREE} && git show --no-patch --pretty=format:"%s" "${GIT_SHA_FULL}" 2> /dev/null)
@@ -361,6 +362,7 @@ commit_text=$(cd ${KERNEL_TREE} && git show --no-patch --pretty=format:"%B" "${G
 fixes_lines=$(echo "${commit_text}" | grep -i "fixes:" | sed -e 's/^[ \t]*//' | cut -f 2 -d ':' | sed -e 's/^[ \t]*//' | cut -f 1 -d ' ')
 dbg "fixes_lines=${fixes_lines}"
 og_vuln="0"
+og_git="1da177e4c3f4" # "Linux-2.6.12-rc2"
 if [[ "${fixes_lines}" != "" ]] ; then
 # figure out what kernels this commit fixes, (i.e. which are
 # vulnerable) and turn them into an array
@@ -368,6 +370,7 @@ if [[ "${fixes_lines}" != "" ]] ; then
 for fix_line in ${fixes_lines}; do
 x=$(find_fix ${fix_line})
 v+=${x}
+ og_git=${fix_line} # fixme, what about multiples?
 done
 #dbg "v=${v[@]} size=${#v[@]}"
 # now sort and uniq the list of versions
@@ -398,9 +401,13 @@ if [[ "${fixes_lines}" != "" ]] ; then
 # "first" version as it must be the one.
 if [[ "${og_vuln}" == "0" ]] ; then
 og_vuln=${vuln_kernels[0]}
+ # og_git will be already set to the fixes
+ # commit, based on the loop up above, so no need
+ # to set it again.
 fi
 fi
 dbg "og_vuln=${og_vuln}"
+ dbg "og_git=${og_git}"
 fi
 # Find the fixed kernels where this release was done
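Review bot: `og_git=${fix_line}` in the `for fix_line` loop copies the Fixes: tag text verbatim, so whatever the commit author typed (a truncated or mistyped hash, or an id that is not in this tree at all) later becomes the `version` of a `versionType=git` entry and a `--grep` pattern, and with several Fixes: tags the last one wins while `og_vuln` is taken from the oldest version, so the two can disagree. The `# og_git will be already set to the fixes commit` comment in the following hunk assumes they always match, which the `# fixme, what about multiples?` on the assignment already contradicts. Resolving the id through the tree and only adopting it when it is a real commit removes the first problem without changing what `find_fix` sees; the multiples case still needs a version-to-id mapping and should stay flagged. The loop body is entirely inside the hunk.
```shell
	for fix_line in ${fixes_lines}; do
		x=$(find_fix ${fix_line})
		v+=${x}
		# Resolve the Fixes: id against the tree so a mistyped or
		# truncated hash never ends up in the CVE record as a git id.
		fixes_git=$(cd "${KERNEL_TREE}" && git log -1 --abbrev=12 --format="%h" "${fix_line}" 2> /dev/null)
		if [[ "${fixes_git}" != "" ]] ; then
			og_git=${fixes_git}	# fixme, what about multiples?
		else
			dbg "Fixes: id ${fix_line} not found in ${KERNEL_TREE}, keeping og_git=${og_git}"
		fi
	done
```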
@@ -412,10 +419,39 @@ create_fix_pair()
 {
 local v=$1
 local f=$2
- fixed_pairs+=("${v}:${f}")
+ local v_git=$3
+ local f_git=$4
+ fixed_pairs+=("${v}:${f}:${v_git}:${f_git}")
+
+ dbg "pair=${v}:${f}:${v_git}:${f_git}"
+}
+
+find_stable_git_id()
+{
+ #>&2 echo "find_stable_git_id: \"${1}\" \"${2}\""
+ local og_git=${1}
+ local fixed_version=${2}
+
+ local fixed_array=(${fixed_version//./ })
+ local fixed_major=${fixed_array[0]}
+ local fixed_minor=${fixed_array[1]}
+
+ local stable_git=$(cd ${KERNEL_TREE} && git log -1 --abbrev=12 --oneline --grep=${og_git} "v${fixed_major}.${fixed_minor}".."v${fixed_version}" | awk '{print $1}')
+ #>&2 echo "fine_stable_git_id: stable_git=${stable_git}"
+
+ echo "${stable_git}"
+}
+
+find_mainline_git_id()
+{
+ local fixed_version=${1}
+ local stable_git=$(cd ${KERNEL_TREE} && git log -1 --abbrev=12 --oneline "v${fixed_version}" | awk '{print $1}')
+ echo "${stable_git}"
 }
 # Do the crazy matching mess listed up above
+fe=""
+ve=""
 for fixed_entry in ${fixed_kernels[@]}; do
 create=0
@@ -452,7 +488,12 @@ for fixed_entry in ${fixed_kernels[@]}; do
 # If we do not know what the root release is, then just create the pair
 if [[ "${og_vuln}" == "0" ]] ; then
- create_fix_pair ${og_vuln} ${fixed_entry}
+ if [[ "${fixed_entry_mainline}" == "1" ]]; then
+ create_fix_pair ${og_vuln} ${fixed_entry} ${og_git} ${GIT_SHA_SHORT}
+ else
+ fe=$(find_stable_git_id ${GIT_SHA_FULL} ${fixed_entry})
+ create_fix_pair ${og_vuln} ${fixed_entry} ${og_git} ${fe}
+ fi
 create=1
 continue
 fi
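Review bot: `git log -1 --grep=${og_git}` in `find_stable_git_id` returns the newest commit in the `vX.Y..vX.Y.Z` range whose message contains the hash anywhere, so a later commit in that series that merely cites the id (a revert, or a follow-up carrying `Fixes: <id>`) is picked instead of the backport, and the id is treated as a regex and expanded unquoted. Stable backports normally carry a `commit <sha> upstream` or `[ Upstream commit <sha> ]` line — worth confirming against the tree — so anchoring on that shape is tighter: `local stable_git=$(cd "${KERNEL_TREE}" && git log -1 --abbrev=12 --oneline --grep="commit ${og_git}[0-9a-f]* upstream" --grep="Upstream commit ${og_git}" "v${fixed_major}.${fixed_minor}".."v${fixed_version}" | awk '{print $1}')`. The function also relies on a `v${fixed_major}.${fixed_minor}` tag existing, which holds for 3.x and later but not for a `2.6.x.y` version string; a one-line comment stating that assumption would help the next reader. `find_mainline_git_id` is defined here but not called anywhere in the visible hunks.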
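Review bot: In the `og_vuln == 0` branch `fe=$(find_stable_git_id ...)` can come back empty (the helper just echoes whatever `git log` found), and because `${fe}` is passed unquoted to `create_fix_pair` the fourth argument then vanishes, leaving a pair `0:<ver>:<id>:` with an empty `fix_git`, hence an empty `lessThan` in the git range and a dangling `https://git.kernel.org/stable/linux/c/` reference later on. The `version_match` branch of the same loop already falls back to `${GIT_SHA_SHORT}` when the lookup fails; the same guard belongs here. The enclosing `for fixed_entry` loop starts in the previous hunk and ends outside this one.
```shell
		else
			fe=$(find_stable_git_id ${GIT_SHA_FULL} ${fixed_entry})
			# No backport found in that branch: fall back to the
			# mainline id rather than emitting an empty git range.
			if [[ "${fe}" == "" ]] ; then
				fe=${GIT_SHA_SHORT}
			fi
			create_fix_pair ${og_vuln} ${fixed_entry} ${og_git} "${fe}"
		fi
```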
@@ -468,7 +509,12 @@ for fixed_entry in ${fixed_kernels[@]}; do
 version_is_mainline "${vuln_entry}"
 vuln_entry_mainline=$?
 if [[ "${vuln_entry_mainline}" == "1" ]] ; then
- create_fix_pair ${vuln_entry} ${fixed_entry}
+ if [[ "${fixed_entry_mainline}" == "1" ]]; then
+ create_fix_pair ${vuln_entry} ${fixed_entry} ${og_git} ${GIT_SHA_SHORT}
+ else
+ fe=$(find_stable_git_id ${GIT_SHA_FULL} ${fixed_entry})
+ create_fix_pair ${vuln_entry} ${fixed_entry} ${og_git} ${fe}
+ fi
 create=1
 break
 fi
@@ -476,7 +522,19 @@ for fixed_entry in ${fixed_kernels[@]}; do
 version_match ${vuln_entry} ${fixed_entry}
 match=$?
 if [[ "${match}" == "1" ]] ; then
- create_fix_pair ${vuln_entry} ${fixed_entry}
+ if [[ "${fixed_entry_mainline}" == "1" ]]; then
+ create_fix_pair ${vuln_entry} ${fixed_entry} ${og_git} ${GIT_SHA_SHORT}
+ else
+ ve=$(find_stable_git_id ${og_git} ${vuln_entry})
+ if [[ "${ve}" == "" ]] ; then
+ ve=${og_git}
+ fi
+ fe=$(find_stable_git_id ${GIT_SHA_FULL} ${fixed_entry})
+ if [[ "${fe}" == "" ]] ; then
+ fe=${GIT_SHA_SHORT}
+ fi
+ create_fix_pair ${vuln_entry} ${fixed_entry} "${ve}" "${fe}"
+ fi
 create=1
 break
 fi
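Review bot: The `vuln_entry_mainline` branch has the same gap as the `og_vuln == 0` one: `fe=$(find_stable_git_id ${GIT_SHA_FULL} ${fixed_entry})` may be empty and is then passed unquoted, so `create_fix_pair` receives only three arguments and the pair is recorded with no fix id. The next hunk shows the intended handling; add the same guard here, `if [[ "${fe}" == "" ]] ; then fe=${GIT_SHA_SHORT}; fi`, and pass `"${fe}"` quoted so an empty value can never shift positions. The surrounding `for vuln_entry` loop starts before this hunk and continues past it.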
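Review bot: When `find_stable_git_id ${og_git} ${vuln_entry}` finds nothing, `ve` silently falls back to `${og_git}`, a mainline id, while `fe` is (or falls back to) an id on a different branch, so the resulting `versionType=git` entry spans two branches and nothing in the output records that the lookup failed. Whether consumers can interpret such a range is not visible here, but a `dbg "no backport of ${og_git} found in ${vuln_entry}, using the mainline id"` at the fallback would at least make those records findable. The `find_stable_git_id` calls also still expand `${og_git}`, `${GIT_SHA_FULL}`, `${vuln_entry}` and `${fixed_entry}` unquoted while the results are quoted on the `create_fix_pair` line, which is inconsistent within the same branch.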
@@ -484,26 +542,33 @@ for fixed_entry in ${fixed_kernels[@]}; do
 # If we haven't created anything yet, this must be it
 if [[ ${create} == 0 ]] ; then
- create_fix_pair ${og_vuln} ${fixed_entry}
+ create_fix_pair ${og_vuln} ${fixed_entry} ${og_git} "${GIT_SHA_SHORT}"
 fi
 done
 dbg "We have found ${#fixed_pairs[@]} vulnerable:fixed kernel pairs"
 if [[ "${#fixed_pairs[@]}" == "0" ]] ; then
- echo "No vulnerable and then fixed pairs of kernels were found for commit ${GIT_SHA_FULL}"
+ echo "No vulnerable and then fixed pairs of kernels were found for commit ${GIT_SHA_SHORT}"
 exit 1
 fi
-for entry in ${fixed_pairs[@]}; do
- dbg "${entry}"
+for entry in "${fixed_pairs[@]}"; do
+ dbg " ${entry}"
 done
 # Generate the "vulnerable" kernel json and mbox information
 vuln_array_json=""
 vuln_array_mbox=()
+url_array=()
+url_string_json=""
+git_array_json=()
 for entry in "${fixed_pairs[@]}"; do
 x=(${entry//:/ })
 vuln=${x[0]}
 fix=${x[1]}
+ vuln_git=${x[2]}
+ fix_git=${x[3]}
+
+ # create the json array for the version numbers
 vuln_array_json+="versions[]=$(jo -- \
 -s version="${vuln}" \
 -s lessThan="${fix}" \
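Review bot: `git_array_json=()` declares an array while its sibling `vuln_array_json=""`, built the same way, is a plain string; `+=` on an unsubscripted array name appends to element 0 so it happens to work, but a later unquoted `${git_array_json}` expanding "only element 0" will read as a bug to the next maintainer. Declare it `git_array_json=""` to match. Separately, `x=(${entry//:/ })` collapses empty fields, so a pair whose `f_git` was never set simply yields an empty `fix_git` with no error; `IFS=: read -r vuln fix vuln_git fix_git <<< "${entry}"` keeps each field in its position and makes an empty one testable. The "create == 0" fallback at the top records `${GIT_SHA_SHORT}` as the fix id without first trying `find_stable_git_id` as the other branches do, which for a stable `fixed_entry` points the record at the mainline commit — presumably intended, but worth a comment.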
@@ -511,20 +576,38 @@ for entry in "${fixed_pairs[@]}"; do
 -s versionType="custom" \
 ) "
+ # create the json array for the git ids
+ git_array_json+="versions[]=$(jo -- \
+ -s version="${vuln_git}" \
+ -s lessThan="${fix_git}" \
+ -s status="affected" \
+ -s versionType="git" \
+ ) "
+
 # If this issue has always been there, just say when it was
 # fixed, otherwise try to give a hint when it was introduced.
 # The json file just wants 0 for "always been there", so no need
 # to check it for the array.
 if [[ "${vuln}" == "0" ]] ; then
- vuln_array_mbox+=("Fixed in ${fix}")
+ vuln_array_mbox+=("Fixed in ${fix} with commit ${fix_git}")
 else
- vuln_array_mbox+=("Issue introduced in ${vuln} and fixed in ${fix}")
+ vuln_array_mbox+=("Issue introduced in ${vuln} with commit ${vuln_git} and fixed in ${fix} with commit ${fix_git}")
 fi
+
+ # Add the git sha of the fix to the url array so we can print
+ # them later
+ url_array+=("https://git.kernel.org/stable/linux/c/${fix_git}")
+ url_string_json+="references[]=$(jo -- -s url="https://git.kernel.org/stable/linux/c/${fix_git}") "
+
 done
 dbg "vuln_array_json=${vuln_array_json}"
+dbg "git_array_json=${git_array_json}"
 for entry in "${vuln_array_mbox[@]}"; do
 dbg "vuln_array_mbox=${entry}"
 done
+for entry in "${url_string_json[@]}"; do
+ dbg "url_string_json=${entry}"
+done
 # Strip off all of the signed-off-by stuff out of the commit text.
 # We have a long list of "tags" to drop in the file, "tags", so compose
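Review bot: `url_array+=("https://git.kernel.org/stable/linux/c/${fix_git}")` and the matching `references[]=` entry are emitted for every pair without checking `fix_git`, so an empty id (possible when a stable lookup found nothing and a caller passed it through unquoted) produces a reference to `.../linux/c/` in the published JSON, and two pairs that resolved to the same mainline id list the same URL twice. Guarding on a non-empty id and skipping URLs already present keeps the references list clean. The `for entry in "${url_string_json[@]}"` debug loop at the end iterates a plain string, which is harmless but reads as if it were an array.
```shell
	# Skip pairs whose fix commit could not be resolved, and do not
	# list the same commit twice when several pairs share a fix.
	fix_url="https://git.kernel.org/stable/linux/c/${fix_git}"
	if [[ "${fix_git}" != "" ]] && [[ " ${url_array[*]} " != *" ${fix_url} "* ]] ; then
		url_array+=("${fix_url}")
		url_string_json+="references[]=$(jo -- -s url="${fix_url}") "
	fi
```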
@@ -549,12 +632,19 @@ rm "${sed_file}"
 # Maybe in the future we can also link to the fixes in the individual branches,
 # but as we ask that people take the whole release, to point at individual
 # commits might just cause more problems than it is worth.
-URL="https://git.kernel.org/stable/linux/c/${GIT_SHA_FULL}"
+URL="https://git.kernel.org/stable/linux/c/${GIT_SHA_SHORT}"
 #########################
 # Compose the json knowing what we now know, using the 'jo' tool
 #########################
 if [[ "${JSON_FILE}" != "" ]] ; then
+ # NOTE, be VERY careful about the quoting around the bash
+ # variables when using 'jo', it isn't obvious, for some places
+ # we need the variables to be expanded without the "", and
+ # the shellcheck tool will complain, and test the heck out of
+ # any changes you make here, it seems to work as-is, so watch
+ # out, here lies many dragons. Comments have been added where
+ # needed and able to be used.
 x_generator=$(jo -- engine="${SCRIPT}-${SCRIPT_VERSION}")
@@ -575,33 +665,32 @@ if [[ "${JSON_FILE}" != "" ]] ; then
 orgId="${ORGID}" \
 )
- r=$(jo -- \
- url="${URL}" \
- )
-
- references=$(jo -a -- "${r}")
-
- versions=$(jo -- \
- -s lessThan="6.7" \
- -s status="affected" \
- -s version="0" \
- -s versionType="custom" \
- )
+# versions=$(jo -- \ # -s lessThan="6.7" \ # -s status="affected" \ # -s version="0" \ # -s versionType="custom" \ # )
+ # We want vuln_array_json to be expanded without quotes
+ # shellcheck disable=SC2086
 a=$(jo -- \
 product="Linux" \
 vendor="Linux" \
 defaultStatus="affected" \
 ${vuln_array_json} \
+ ${git_array_json} \
 )
 affected=$(jo -a -- "${a}")
+ # We want url_string_json to be expanded without quotes
+ # shellcheck disable=SC2086
 cna=$(jo -- \
 providerMetadata="${providerMetadata}" \
 descriptions="${descriptions}" \
 affected="${affected}" \
- references="${references}" \
+ ${url_string_json} \
 title="${subject}" \
 x_generator="${x_generator}" \
 )
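Review bot: `URL=...${GIT_SHA_SHORT}` switches the permanent reference from the full 40-character id to a 12-character abbreviation, and the commit message does not say why; an abbreviation is only guaranteed unique at the moment git produces it and can become ambiguous as the tree grows, so for a record meant to outlive the tree the full id is the safer choice — keep `URL="https://git.kernel.org/stable/linux/c/${GIT_SHA_FULL}"` and use `GIT_SHA_SHORT` only in human-readable text. The three context lines above it (`# Maybe in the future we can also link to the fixes in the individual branches ...`) are now stale, since this very change lists per-branch commits through `url_array`; rewrite them to describe the current behaviour or drop them.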
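Review bot: The commented-out `# versions=$(jo -- \ ... # )` block replaces the removed `versions=` assignment with dead code that no longer reflects what is generated (its hard-coded `lessThan="6.7"`), which will mislead the next reader about the JSON contents; drop it, since `vuln_array_json` and `git_array_json` now carry every version entry. The `# shellcheck disable=SC2086` lines are a good addition, but the unquoted `${vuln_array_json}`, `${git_array_json}` and `${url_string_json}` expansions only split correctly because `jo` emits each object without embedded whitespace — a one-line comment next to `${vuln_array_json} \` stating that dependency would make the "here lies many dragons" warning concrete. The `if [[ "${JSON_FILE}" != "" ]]` block starts in the previous hunk and ends outside this one.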
@@ -647,7 +736,7 @@ Affected versions
 EOF
 for line in "${vuln_array_mbox[@]}"; do
- echo " ${line}" >> ${MBOX_FILE}
+ echo " ${line}" >> "${MBOX_FILE}"
 done
 cat << EOF >> "${MBOX_FILE}"
@@ -671,10 +760,13 @@ stable kernel version for this, and many other bugfixes.
 Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to
-the latest release is impossible, the individual change to resolve this
-issue can be found at:
- ${URL}
+the latest release is impossible, the individual changes to resolve this
+issue can be found at these commits:
 EOF
+ for url in "${url_array[@]}"; do
+ echo " ${url}" >> "${MBOX_FILE}"
+ done
+
 dbg "mbox file written to ${MBOX_FILE}"
 fi # end mbox creation