I am working on a project that includes building an old kernel version of Linux. This is fine, but I still need to patch the kernel for all previously found security vulnerabilities based on CVEs. I have the CVEs and have extracted the names of the vulnerable files mentioned in them, along with the kernel versions they affect.
So far, I have found about 150 potential vulnerabilities that could affect my build, but obviously some of them affect files relevant to graphics drivers that I don't use. So far, I have just gone through the list manually, checking if the files are included by using make menuconfig, and cat-ing Kconfig in relevant folders. This has worked alright so far, but these methods don't show the actual file names (e.g. ipc/sem.c), so it takes more work than necessary.
Ideally, I would like to somehow print a list of all the files that will be included in my build, and then just write a script to check if vulnerable files are included.
How can I find the names of every source file (e.g. ipc/sem.c) that will be included in my build?
Best Answer
Do the build, then list the .o files. I think every .c or .S file that takes part in the build is compiled into a .o file with a corresponding name. This won't tell you if a security issue required a fix in a header file that's included in the build.

A more precise method is to put the sources on a filesystem where access times are stored, and do the build. Files whose access time is not updated by the build were not used in this build.
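A script for both methods in the answer (the .o-file check and the access-time check), as an added example that is not part of the original answer. It assumes an in-tree build (no O= output directory) and that the CVE-derived file list holds tree-relative paths such as ipc/sem.c, one per line; the /tmp/stamp and cve-files.txt paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes an in-tree build
# (no O= output directory), so each compiled object sits beside its
# source as <name>.o, and that the vulnerable-file list uses paths
# relative to the tree root (e.g. ipc/sem.c), one per line.

# Print every .c or .S source under tree $1 that has a matching .o,
# one relative path per line, sorted.
built_sources() {
    tree=${1%/}
    find "$tree" -type f -name '*.o' | while read -r obj; do
        base=${obj%.o}
        # Prefer the C source, fall back to assembly; skip objects with
        # neither (e.g. built-in.o link aggregates).
        if [ -f "$base.c" ]; then
            printf '%s\n' "${base#"$tree"/}.c"
        elif [ -f "$base.S" ]; then
            printf '%s\n' "${base#"$tree"/}.S"
        fi
    done | sort
}

# Print the entries of vulnerable-file list $2 that took part in the
# build under tree $1 (exact, whole-line matches only).
affected_in_build() {
    built_sources "$1" | grep -Fxf "$2"
}

# The .o check misses headers (the answer's caveat). The answer's other
# method, access times, catches them: reset atimes so the build's first
# read updates them even under relatime, touch a stamp file, run make,
# then list everything read after the stamp. Needs a filesystem that
# records atime (not mounted noatime).
reset_atimes() {
    find "${1%/}" -type f -exec touch -a -t 197101010000 {} +
}
read_since() {   # $1 = tree, $2 = stamp file created just before make
    find "${1%/}" -type f \( -name '*.c' -o -name '*.S' -o -name '*.h' \) \
        -anewer "$2"
}

# Typical use (placeholder paths): cd to the kernel source tree, then
#   reset_atimes . && touch /tmp/stamp && make -j"$(nproc)"
#   affected_in_build . /path/to/cve-files.txt
#   read_since . /tmp/stamp | grep -Fxf /path/to/cve-files.txt
```

The second grep in the usage comment reports which listed files, headers included, the build actually read, which is the more precise check the answer describes.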