evdenis / cvehound Goto Github PK

Check linux sources dump for known CVEs.

License: GNU General Public License v3.0

Python 24.82% SmPL 75.18%

linux kernel cve cve-scanning coccinelle

cvehound's Introduction

CVEhound

CVEhound is a tool for checking linux sources for known CVEs. The tool is based on coccinelle rules and grep patterns. The tool checks sources for vulnerable code patterns of known CVEs and missing fixes for them.

What: The tool tries to find "unfixed" code of known CVEs;
How: The tool uses coccinelle/grep rules with patterns that helps to detect known CVE bugs or their fixes. Thus, sources are checked either for a presence of "unfixed" code pieces (e.g. CVE-2020-12912), or for an absence of a fix (e.g. CVE-2020-26088);
Why: If you have a git log then it's easier to check what CVEs are fixed based on a git history. However, many vendors (samsung, huawei, various iot, routers manufacturers) publish kernel sources as archives without a development log. In most cases their kernels are based on LTS kernels, but versions are far from upstream. Linux version string from Makefile will only give you an information about what CVEs were fixed by kernel developers upto this version. It will not help you to understand what fixes were backported by a vendor itself. In this case it's possible to apply the tool and check "missing" CVE fixes.

CVEHound: Audit Kernel Sources for Missing CVE Fixes

Linux Security Summit 2021 Presentation (EN)

ZeroNights 2021 Presentation (RU)

Found issues in stable trees

CVE-2020-27825 fix missing backports for 5.4, 4.19, 4.14, 4.9, 4.4 kernels
CVE-2021-4149 fix missing backports to 4.19, 4.14, 4.9 kernels
CVE-2022-26490 fix missing backports
CVE-2023-1989 fix missing backports for 6.1, 5.15, 5.10, 5.4, 4.19, 4.14 kernels
Similar to CVE-2021-28660 fix in r8188eu driver
Similar to CVE-2021-28660 fix in rtl8723bs driver
Similar to CVE-2022-26490 fix in st-nci driver
Security regression CVE-2020-10781
See tests exceptions for more examples

Prerequisites

Python 3 (>=3.5)
pip (Python package manager)
grep with pcre support (-P flag)
coccinelle (>= 1.0.7)

Install prerequisites:

# Ubuntu, coccinelle uses libpython2.7 internally
# Seems like some ppas mark libpython dependency as optional
$ sudo add-apt-repository ppa:npalix/coccinelle
$ sudo apt install python3-pip coccinelle libpython2.7

# Fedora
$ sudo dnf install python3-pip coccinelle

# macOS
$ brew install coccinelle

Installation

To install the latest stable version just run the following command:

$ python3 -m pip install --user cvehound

For development purposes you may install cvehound in "editable" mode directly from the repository (clone it on your computer beforehand):

$ pip install -e .

To update the cve rules from github repository:

$ cvehound_update_rules

How to use

The simplest way to start using CVEhound is to run the following command:

$ cvehound --kernel ~/linux
Found: CVE-2020-27830
Found: CVE-2020-27152
Found: CVE-2020-29371
Found: CVE-2020-26088

where dir should point to linux kernel sources. CVEhound will check the sources for all cve patterns that you can find in cve dir. To check the sources for particular CVEs one can use:

$ cvehound --kernel ./linux --kernel-config --cve CVE-2020-27194 CVE-2020-29371
Checking: CVE-2020-27194
Found: CVE-2020-27194
MSG: bpf: Fix scalar32_min_max_or bounds tracking
CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer
FIX DATE: 2020-10-08 09:02:53
https://www.linuxkernelcves.com/cves/CVE-2020-27194
Affected Files:
 - linux/kernel/bpf/verifier.c: CONFIG_BPF & CONFIG_BPF_SYSCALL
   linux/.config: affected
Config: ./linux/.config affected

Checking: CVE-2020-29371
Found: CVE-2020-29371
MSG: romfs: fix uninitialized memory leak in romfs_dev_read()
CWE: Use of Uninitialized Resource
FIX DATE: 2020-08-21 16:52:53
https://www.linuxkernelcves.com/cves/CVE-2020-29371
Affected Files:
 - linux/fs/romfs/storage.c: CONFIG_ROMFS_FS
   linux/.config: not affected
Config: ./linux/.config not affected

Other args:

--report - will produce json file with found CVEs Most of metainformation in generated report is taken from linuxkernelcves.com
--kernel-config or --kernel-config <file> - will infer the kernel configuration required to build the affected code (based on Kbuild/Makefiles, ifdefs are not checked) and check kernel .config file if there is one
--files, --cwe - will limit the scope of checked cves to the kernel files of interest or specific CWE classes
--exploit - check only for CVEs that are known to be exploitable (according to the FSTEC BDU database)

LICENSE

Python code is licensed under GPLv3. All rules in cvehound/cve folder are licensed under GPLv2.

Acknowledgements

I would like to thank the following projects and people behind them:

coccinelle for the program matching engine
linuxkernelcves.com for information about Linux CVEs
undertaker for mapping kernel configs to .c files
sympy for the symbolic logic solver

cvehound's People

Contributors

Stargazers

Watchers

Forkers

crackercat zenhumany fengjixuchui menv1s screwer xuehua312741499 pombredanne chinrw harshimogalapalli 0rphan 17451k ghettiguru 26597925 p0prxx stnert

cvehound's Issues

Test fails on CVE-2015-8961

With spatch version 1.0.8 works fine.
Seems like coccinelle 1.0.4 is the reason.

CVE-2017-1000407: doesn't detect ffb128c89b77b44da18ccf51844a8e750e2c427a commit

Looks like a coccinelle bug.

lscpu: failed to determine number of CPUs: /sys/devices/system/cpu/possible: No such file or directory

In restricted env without /sys (such as some CI-like build setups) lscpu outputs error

lscpu: failed to determine number of CPUs: /sys/devices/system/cpu/possible: No such file or directory

I think to continue running cvehound even with incorrect threads number is preferable (robust) than to detect this system configuration (which end-user may even not able to solve). Can you add fallback to this? For example:

diff --git a/cvehound/cpu.py b/cvehound/cpu.py
index db89c84..ffe32fb 100644
--- a/cvehound/cpu.py
+++ b/cvehound/cpu.py
@@ -8,11 +8,14 @@ def get_active_cores():
     return len(os.sched_getaffinity(0))

 def get_threads_per_core():
-    lscpu = (subprocess.run(['lscpu'],
-                stdout=PIPE, stderr=PIPE, check=True)
+    try:
+        lscpu = (subprocess.run(['lscpu'],
+            stdout=PIPE, stderr=PIPE, check=True)
             .stdout.decode('utf-8'))
-    line = next(line for line in lscpu.split('\n') if line.startswith('Thread(s)'))
-    return int(line.split(':')[1])
+        line = next(line for line in lscpu.split('\n') if line.startswith('Thread(s)'))
+        return int(line.split(':')[1])
+    except subprocess.CalledProcessError:
+        return 1


 class CPU():

Earliest version of Linux kernel that is supported?

I couldn't find anywhere which versions of the Linux kernel are supported. I tried with a 2.4 source tree and got this error:

$ cvehound -k=/tmp/src/EdiLinux/linux-2.4.18-adm/
Traceback (most recent call last):
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/bin/.cvehound-wrapped", line 9, in <module>
    sys.exit(main())
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/lib/python3.9/site-packages/cvehound/__main__.py", line 128, in main
    report['kernel'] = get_kernel_version(cmdargs.kernel)
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/lib/python3.9/site-packages/cvehound/util.py", line 48, in get_kernel_version
    version['name'] = getparam()
  File "/nix/store/ibiwly61jv0gz5fjxfcv6y3absgwhiwp-cvehound-1.0.4/lib/python3.9/site-packages/cvehound/util.py", line 43, in getparam
    return line.split('=')[1].strip()
IndexError: list index out of range

(don't worry about the strange paths, I am deploying cvehound with Nix)

Is 2.4 too old to be scanned?

CVE-2021-28971 crash and wrong architecture

I have 4.14.193 arm64 kernel.

The CVE is x86 specific.

$ ~/.local/bin/cvehound --kernel my_kernel --config my_kernel_config --cve CVE-2021-28971
Found: CVE-2021-28971
MSG: perf/x86/intel: Fix a crash caused by zero PEBS status
CWE: Uncontrolled Resource Consumption
CVSS2: 4.9
CVSS3: 5.5
FIX DATE: 2021-03-16
https://www.linuxkernelcves.com/cves/CVE-2021-28971
Affected Files:
Traceback (most recent call last):
  File "/home/jere/.local/bin/cvehound", line 8, in <module>
    sys.exit(main())
  File "/home/jere/.local/lib/python3.9/site-packages/cvehound/__main__.py", line 147, in main
    result = hound.check_cve(cve, cmdargs.all_files)
  File "/home/jere/.local/lib/python3.9/site-packages/cvehound/__init__.py", line 231, in check_cve
    self._print_affected_files(config_result)
  File "/home/jere/.local/lib/python3.9/site-packages/cvehound/__init__.py", line 109, in _print_affected_files
    logging.info(' - ' + file + ': ' + logic + '\n   ' + self.config_file + ': ' + affected)
TypeError: can only concatenate str (not "bool") to str

Then I remove logic variable on line 109 above I'll get:

$ ~/.local/bin/cvehound --kernel my_kernel --config my_kernel_config --cve CVE-2021-28971 --report
Found: CVE-2021-28971
MSG: perf/x86/intel: Fix a crash caused by zero PEBS status
CWE: Uncontrolled Resource Consumption
CVSS2: 4.9
CVSS3: 5.5
FIX DATE: 2021-03-16
https://www.linuxkernelcves.com/cves/CVE-2021-28971
Affected Files:
 - arch/x86/events/intel/ds.c:
   my_kernel_config: affected
Config: my_kernel_config affected

Report saved to: report.json

report.json.txt

CI: add opam caching

speedup tests

keep .git in ram?
keep whole tree in ram?
mount tmpfs temp && mount --bind linux temp?

Add linux-stable to tests

Run tests on linux-stable repo.

Analyse Kbuild/Makefile files

Output affected CONFIG_* options and module names.

Coccinelle 1.04 && CVE-2019-20096

Coccinelle 1.08 works fine with CVE-2019-20096.
1.04 fails.

Update CVE-2014-8480

https://ubuntu.com/security/CVE-2014-8480
https://bugzilla.redhat.com/show_bug.cgi?id=1156615

CVE-2021-3411 accesses /proc/self/cmdline

The check for CVE-2021-3411 reads /proc/self/cmdline. Isn't the tool is designed to check sources dump and not real time system?

CVE-2020-27825

https://lkml.org/lkml/2021/1/21/769

Add rules for CVEs with exploits

According to the https://bdu.fstec.ru/vul following CVEs have public/private exploits:

Public exploits:

Private exploits:

Failed to check CVE

Hi,

I downloaded kernel source on Ubuntu 20.04.1 LTS with sudo apt install linux-source.
I then unpacked the linux-source.5.4.0.tar.bz2 to a folder and tried running cvehound but it's saying Failed to check CVE-####.
I suppose it doesn't mean it's fine, but it failed. How can I debug it?

making data directory for storing kernel_cves.json.gz configurable

Would it be possible to make the directory for storing kernel_cves.json.gz configurable?

AttributeError: 'str' object has no attribute 'removesuffix'

Hi, getting some errors:

solt@Holodeck:~$ python3 -V
Python 3.8.5
solt@Holodeck:~$ cvehound --dir ~/workspace/linux-source-5.4.0 --verbose
Traceback (most recent call last):
  File "/home/solt/.local/bin/cvehound", line 8, in <module>
    sys.exit(main())
  File "/home/solt/.local/lib/python3.8/site-packages/cvehound/__init__.py", line 142, in main
    known_cves = get_all_cves()
  File "/home/solt/.local/lib/python3.8/site-packages/cvehound/__init__.py", line 124, in get_all_cves
    return [cve.removesuffix('.cocci').removesuffix('.grep')
  File "/home/solt/.local/lib/python3.8/site-packages/cvehound/__init__.py", line 124, in <listcomp>
    return [cve.removesuffix('.cocci').removesuffix('.grep')
AttributeError: 'str' object has no attribute 'removesuffix'```

9 CVE bugs in Linux-next.

It's an interesting project, but I'm wondering why there are still 9 CVE bugs in Linux-next.

I use coccinelle rules in /cve directly.

Thanks

Seedup tests/test_05_between_fixes_fix.py

Filter out tags that doesn't modify files of interest.

Output more info about found CVEs

Take data from https://github.com/nluedtke/linux_kernel_cves/blob/master/data/kernel_cves.json and output more info about detected CVEs in sources.

CVE-2014-0101 fails CI tests

CVE-2014-0101 works locally, but CI tests fail.

Fix CVE-2015-4700 with --all-files

Add CVEs described in commit messages

These are commits with direct reference to CVE identifiers and Fixes tags. These commits are easy targets to make rules based on them.

CVE-2016-9793 fails on latest coccinelle

FAILED tests/test_03_on_fix.py::test_on_fix[CVE-2016-9793] - AssertionError: CVE-2016-9793 fails to detect fix~ commit
FAILED tests/test_04_on_fixes.py::test_on_fixes[CVE-2016-9793] - AssertionError: fails to detect on fixes tag

Test multiple coccinelle versions

--exploit shows KeyError: 'CVE-2022-0185'

torvalds (master *)$ cvehound -k . -e
Traceback (most recent call last):
  File "/usr/bin/cvehound", line 33, in <module>
    sys.exit(load_entry_point('cvehound==1.0.8', 'console_scripts', 'cvehound')())
  File "/usr/lib/python3/site-packages/cvehound/__main__.py", line 141, in main
    if cmdargs.exploit and not hound.get_cve_exploit(cve):
  File "/usr/lib/python3/site-packages/cvehound/__init__.py", line 284, in get_cve_exploit
    return self.metadata[cve]['exploit']
KeyError: 'CVE-2022-0185'

About getting the latest rules

Hi! Is it necessary to install from the source code to obtain the complete and latest CVE data? If so, whether to consider separating the regular rules from the program, so that the rules can be obtained from the cloud without updating the program.

suggestion: split spatch output for easier postprocessing of results

Currently the results of cvehound do not include the name of the files in which issues were found separately although that information is included in the spatch output, for example:

"spatch_output": "/tmp/linux-3.10.36/arch/x86/mm/mmap.c:38:20-40: ERROR: CVE-2015-1593\n/tmp/linux-3.10.36/fs/binfmt_elf.c:559:18-19: ERROR: CVE-2015-1593"

It would be nice if the affected files and line ranges could be added to the output separately so people don't have to write their own postprocessing code.

Which license is this project using?

According to LICENSE it is GPLv3.

According to setup.py it is GPLv2.

Finally, is it supposed to be GPLv{2,3} only, or also any later version?

fix CVE-2021-0342

fix CVE-2020-0466 detection

Test 05 fails.